Family offices unprepared for rising cyberattacks
Around 43 per cent of family offices have experienced a cyberattack within the last 12 months, compared with just 30 per cent in 2021, a figure that reflects “the rapidly increasing number of cyberattacks worldwide”, according to Deloitte’s latest family office cybersecurity report.
But while one third of family offices have suffered loss or damage from an attack, a significant number of them have no strategy for protecting themselves – and don’t plan on getting one.
“Many people do not react to cyber threats until they have been attacked,” the CEO/CIO of one US-based single family office told the Deloitte report. “A lot of family offices have now been hit and it has made them reactive. Typically, cyber criminals go after the low-hanging fruit, so the less you do, the more likely you will be a target.
“The more difficult you make it for hackers, the easier it will be to avoid potential problems. Some people do not want to spend money on cybersecurity because you pay all this money and the best thing that can happen is nothing at all. But, if you do not spend the money and something does happen, you can experience a huge loss. It is like buying insurance, it is a negatively skewed investment, but it is one you should not avoid.”
Phishing and malware are the most common forms of attack, but perhaps more sinister than their nature is their effect. Financial losses can stem from the attack itself, but also from operational downtime or damage to the organisation’s brand or reputation. Attacks can also cause disruption through the loss of confidential data or hits to employee morale, while third parties might become reluctant to work with an office that has been attacked.
“There was a breach; someone got into our system. When it was found, all the measures on earth were thrown at it,” a director of a single family office told the Deloitte report. “We used to operate on a server, and a staff member found a draft email from a hacker in a client’s account. We shut the system down and we are now serverless, so they cannot do that again. Thankfully, the hacker was stopped before any direct damage was caused. But it created a scare, and that resulted in reputational risk to the family office, as our clients were concerned as we needed to lock down their data.”
Family offices with more than $1 billion of assets are more likely to have experienced an attack and to report frequent attacks, probably because cybercriminals tend to target bigger pools of wealth and because offices with more sophisticated infrastructure are more likely to be alert to attacks when they occur.
“However, although larger offices are more likely to report attacks, offices with less mature infrastructures are often more vulnerable to attacks as they tend to have fewer security measures in place,” the Deloitte report says. “Moreover, should the larger offices be successful at thwarting attacks, this could incentivise cybercriminals to refocus their efforts on smaller, less sophisticated offices.
“The frequency of cyberattacks, whether successful or not, may also be higher than the survey results indicate. The family offices which have said they do not know of any attacks may have experienced them but could be unaware that they happened, as individuals are much more likely to be aware of an attack that has successfully resulted in identifiable loss or damage than those that have occurred but remain undetected.