Any family offices that don’t view cybercrime as a serious threat should take notice of a recent theft involving a family office chief financial officer who got lazy with his computer security.
The CFO was waiting at an airport, relaxing in the frequent-flyer lounge, when his laptop was stolen. Unfortunately for him and the family office, the computer was brimming with client data. In fact, 181 of the family office clients quickly became victims of identity theft.
The office lost so many clients that it closed after filing for bankruptcy protection from the families’ lawsuits, says Paul Viollis, CEO of Viollis Group International, a New York-based security consultancy that serves over 100 single family and multifamily offices and which was involved in handling the aftermath of the laptop theft.
Viollis says family offices are not tolerant when hackers compromise advisors’ systems. “They are not forgiving,” he says. “People expect you to protect their data. This risk is foreseeable and it’s going to continue.”
As the list of big banks and financial firms that have been victimized by computer hackers gets longer and longer, smaller companies are being urged to be on guard—including family offices, which some say could be the next target in the crosshairs of international hackers.
“If a company like Sony, JPMorgan or Target could be infiltrated, a private family could be targeted,” says Richard Wilson, chief executive officer of Key Biscayne, Fla.-based Wilson Holding Company, which provides outsourced CEO solutions, research and training for the family office industry. “A family’s information technology resources, anti-hacker technologies and firewalls are going to be far inferior, in general, to some of these global corporations that have whole IT departments.”
Wilson says that none of the family offices that his company serves has experienced a major data breach yet, but they are growing more concerned. “Cybersecurity is definitely on the radar,” he says. “Our clients seem to be taking it more seriously than they did just two or three years ago. But until you get to the billion-dollar-plus families, I don’t see it being implemented or taken as seriously as it should be.”
Recent hacking conspiracies have only put more pressure on family offices, private banks and other boutique operations to shore up their defense against hackers.
In mid-November, federal prosecutors charged three men with stealing hundreds of millions of dollars in one of the largest cases of computer crime ever uncovered. The trio is accused of coordinating massive data breaches between 2012 and 2015 at a dozen unnamed financial institutions, financial news publishers and technology companies, according to the indictment. JPMorgan Chase, News Corp’s Dow Jones (publisher of The Wall Street Journal), Scottrade and E*Trade have acknowledged being among the companies hacked.
Retailers, insurance carriers, federal government agencies and trade associations—including Neiman Marcus, Anthem Blue Cross Blue Shield, the Office of Personnel Management and the American Bankers Association—have also been victimized by cyber-attacks.
Researchers reported perhaps the most severe Internet security vulnerability in 2014. The “Heartbleed” bug, which can compromise a popular technology used by websites to secure 80% of online financial transactions, may have allowed criminals to read passwords, bank account numbers, credit card numbers and other sensitive data for years before it was detected.
There have been few publicized cases of family offices falling victim to hackers. Wilson says that the rich don’t want to acknowledge cyber-intrusions publicly, in part because they’re concerned that potential business partners might view their family offices as unsecure.
“Maybe someone’s not going to want to do a deal with them. There’s a stigma with sharing that information,” he says.
Family Follies
Few affluent families are well informed about the non-investment threats they face, according to a survey of single and multifamily offices and external chief investment officers by the Family Wealth Alliance. The Wheaton, Ill.-based research and consulting firm’s 2012 security study found that sustainability issues, data loss due to computer crashes and fraud or other loss related to transferring client funds are the major non-investment risks to wealthy families and the firms that serve them.
The firms in the survey said that:
- 29% of their clients had suffered financial fraud incidents.
- 17% of their clients had experienced identity theft via e-mail or the Internet.
- 71% of their clients were “moderately informed” about the everyday security risks they face, 21% were “insufficiently informed,” 4% were “not informed at all” and just 4% were “well informed.”
Worse yet, families were being actively targeted by foreign thieves and mafia groups, according to the study.
Family offices may not understand the basic security risks they face, but cyber-criminals are likely aware that these offices are potentially lucrative targets, security consultants say.
“If you put your hacker hat on, it makes more sense to go after a couple of wealthy individuals and hit a jackpot than to go after millions of customer records and ferret out which ones you want,” says Wes Stillman, CEO of Overland Park, Kan.-based RightSize Solutions, a cloud-based security and compliance solutions provider to registered investment advisors, private banks and trust companies.
For cyber-crooks, an attack on a family office promises a big payoff with minimal effort and little chance of detection or prosecution. With one breach, hackers can obtain access to families’ bank statements, brokerage accounts, tax returns and personal information, as well as information about employees, business partners and vendors. Cybercrime against family offices has the potential to reward crooks with funds that are substantial, anonymous and easily transferable.
“The return on their investment in time to hack is really good. Family offices are prime targets,” Stillman says.
To hit the mother lode, criminal hackers may start by launching small, simple attacks on family offices to probe their computer defenses and evade detection.
“I have seen an unprecedented level of wire transfer fraud,” says Dave Dalva, vice president of Security Science at Stroz Friedberg, a New York-based cybersecurity, digital forensics and risk management company. “A year ago, I didn’t see this much. It’s relatively straightforward for an adversary to e-mail an unsuspecting user to get a foothold into an organization, and from there move around an organization’s systems to find out how wire transfers are done in order to initiate a fraudulent wire transfer request.”
In one case, a cyber-thief tricked a billionaire’s family office into sending $25,000 to an account in Mexico, he says, adding that wire amounts below $50,000, depending on the size of the family office, may not set off any alarms.
“Their goal is to get away with as much as they can without raising too much suspicion,” Dalva says.
Most wire fraud starts with a “phishing” e-mail, security experts say. Phishing is an attempt to acquire confidential information, such as user names and passwords, by fooling the recipient of the communication into thinking that the request to provide the information comes from a trusted source.
Hackers can send an e-mail to someone inside a family office using the address of another individual inside or outside the family office. They can also add a carefully crafted and easily overlooked typo to a trusted sender’s e-mail address, which is actually an address that the hacker controls.
“Hackers don’t really have to be very technical to do this. People are falling for these tricks left and right,” says Austin Berglas, head of cyber-investigations and incident response at K2 Intelligence, a New York-based investigative, compliance and cyber-defense services firm.
Both methods of tricking recipients into providing log-in credentials can allow cyber-crooks to gain access to a family office’s network and initiate phony wire transfer requests, but the use of a recognized e-mail address poses a far greater threat. “The compromise of a legitimate e-mail address provides hackers with much better reconnaissance,” says Berglas, a former FBI agent who led the criminal investigation into the computer network attack against JPMorgan.
Berglas says that hackers who gain access to computer systems through valid e-mail addresses can lie in wait while they observe the wire transfer policies of family offices and learn to imitate the communication style of those authorized to initiate transfers, such as CFOs.
Berglas says he routinely sees wire transfer losses in the hundreds of thousands of dollars. In a case his firm handled in December, a high-net-worth CEO had authorized wire transfer requests coming into his personal e-mail to be sent directly to his secretary, who would then forward the requests to financial institutions to execute the transfers. The secretary received a fraudulent request for $700,000, allegedly to purchase art for the CEO. Assuming the request was legitimate, she forwarded it to the CEO’s bank, which sent the money to an overseas bank, where it disappeared. Six hours later, the cyber-bandits sent a request for $2.1 million that the secretary again forwarded. This time, the bank flagged the communication and declined to execute the transfer.
“Once criminals are successful in getting a wire transfer sent, they’ll try it again immediately,” says Berglas.
To protect themselves, Berglas says family offices first need to be aware that these e-mail scams exist. Second, he advises all family office personnel to scrutinize the source of e-mails and not open those from unidentified individuals or entities. Finally, he recommends setting a dollar amount for wire transfers, above which a second layer of authentication is required, such as a phone call to verify the authenticity of an e-mail request to send money.
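The two controls described above, a check for look-alike or impersonated sender addresses and a dollar threshold above which a wire request is held for an out-of-band callback, as an added example in Python (not code from the article or from the firms it quotes). The trusted domain, staff directory, threshold, repeat window and sample messages are constructed assumptions.

```python
"""Added example: sender-impersonation check and wire-approval policy."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parseaddr

# Hypothetical family office domain and staff directory (constructed).
TRUSTED_DOMAINS = {"example-fo.com"}
STAFF = {"Jane Doe": "jane.doe@example-fo.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one- or two-character typo in a domain scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(from_header: str, max_typo: int = 2) -> list[str]:
    """Reasons a From: header looks like impersonation; empty list if clean."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    warnings: list[str] = []
    if domain in TRUSTED_DOMAINS:
        return warnings
    for trusted in TRUSTED_DOMAINS:
        # A near-miss of a trusted domain is the "easily overlooked typo" case.
        if 0 < edit_distance(domain, trusted) <= max_typo:
            warnings.append(f"look-alike domain {domain!r} resembles {trusted!r}")
    if name in STAFF and STAFF[name].lower() != addr.lower():
        # Known staff display name paired with an address we do not control.
        warnings.append(f"display name {name!r} used with external address {addr!r}")
    return warnings


@dataclass
class WireRequest:
    amount: float
    received: datetime
    verified_by_phone: bool = False  # callback to a pre-agreed number completed


VERIFY_ABOVE = 10_000          # hypothetical threshold set by the office
REPEAT_WINDOW = timedelta(hours=24)  # follow-up requests soon after a wire get a callback too


def wire_decision(req: WireRequest, recent_approved: list[WireRequest]) -> str:
    """Return 'approve', or a 'hold: ...' reason requiring out-of-band verification."""
    if req.verified_by_phone:
        return "approve"
    if req.amount > VERIFY_ABOVE:
        return "hold: amount above threshold, verify by phone at a known number"
    if any(timedelta(0) <= req.received - r.received <= REPEAT_WINDOW for r in recent_approved):
        return "hold: follow-up request shortly after an approved wire, verify by phone"
    return "approve"


if __name__ == "__main__":
    print(sender_warnings("Jane Doe <jane.doe@exampie-fo.com>"))  # constructed look-alike
    t0 = datetime(2015, 12, 1, 9, 0)
    first = WireRequest(700_000, t0)
    print(wire_decision(first, []))
```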
In addition to phishing and other remote attacks, criminals have directly stolen computers from the wealthy. “Family office personnel travel with their computers. Less than 5% have an appropriate level of security on their laptops,” says Viollis.
In one recent incident, Viollis recalls talking at a conference with the CEO of a $4 billion single-family office in the Midwest who couldn’t convince the family she worked for that they needed stronger cybersecurity. A month after their conversation, Viollis says he got a panicked call from the CEO seeking his advice—after crooks broke into a storage closet and stole the family office’s network server. The family had their bank and brokerage account information, as well as all their medical records, compromised.
That’s not the only case of server theft Viollis has handled. A few years ago, thieves used sledgehammers to break through a building wall at a single-family office in the Pacific Northwest, making off with that family’s server and confidential information.
Remote Risks
Criminals may also target family offices through intermediaries, such as the banks and financial firms that serve the ultra-wealthy.
Dalva says he’s seen multiple attempts by cyber-thieves to strike at family offices via their private banks, sometimes by posing as family members. Cyber-crooks can obtain information about a family from social media and use it to open unauthorized accounts.
In a case Dalva knows of, a criminal phoned a billionaire’s private bank asking to have a credit card account opened in a foreign country for his “nephew.” The crook provided the victim’s date of birth and other identity-verifying information that was asked for by the bank—all of it information that could have been gleaned from social media. The plot might have been foiled early on had the bank made a verification call to the real billionaire at a pre-defined phone number before opening the account.
“If banks and family offices don’t have appropriate controls in place, then banks—because they’re trying to have great customer service, especially for billionaires—are going to do what they’re asked,” he says.
Private banks are not the only entities being targeted. RIAs are also at risk.
A few months ago, the SEC fined St. Louis-based R.T. Jones Capital Equities Management for failure to implement and update a written cybersecurity policy. Hackers attacked the RIA in 2013, exposing the personal information of about 100,000 individuals, including thousands of the firm’s clients. R.T. Jones paid a $75,000 penalty for failing to conduct periodic risk assessments, set up a firewall, encrypt personal information stored on its server or maintain a response plan for cybersecurity incidents. The firm is the first RIA to be sanctioned by the SEC for a cybersecurity breach.
“The auditors and regulatory agencies are screaming from the mountaintop, but I’m not sure that a lot of advisory firms believe this threat is real. Only about 20% of all cyber-attacks are even identified. Attackers may be collecting information and firms might never know it,” says Stillman.
In February 2015, the SEC assessed data security at 57 registered broker-dealers and 49 RIAs. Most of the broker-dealers (88%) and RIAs (74%) said that they had been subjected to cyber-attacks directly or through one or more of their vendors.
The bulk of the incidents involved malware and fraudulent e-mails. Over half of the broker-dealers (54%) and just under half of the RIAs (43%) said that they received fraudulent e-mails seeking to transfer client funds. One-quarter (25%) of the broker-dealers that experienced losses involving fraudulent e-mails said that employees caused the losses by failing to follow the firms’ identity authentication procedures.
A statement by the Federal Financial Institutions Examination Council issued in November warned financial institutions about the increasing frequency and severity of cyber-attacks involving extortion of payment in return for the release of stolen data. Cyber-criminals use a variety of tactics against financial institutions, including ransomware, denial of service attacks and theft of confidential business and client information (see sidebar) to extort money from victims, according to the statement.
Even lawyers are being targeted.
“A lot of law firms are being hacked that don’t necessarily fall into the family office space directly, but they’re corporate counsel for lots of different organizations,” says Paul Dyer, CEO of Glenburn, Maine-based United Cloud Partners Services, which provides private IT, marketing and compliance tools for the financial services industry.
Cyber-attacks against law firms are on the rise because hackers increasingly view attorneys as backdoors to the potentially lucrative data of their clients. Eighty percent of the country’s top 100 law firms by revenue have been hacked since 2011, according to Alexandria, Va.-based security consulting firm Mandiant. Sophisticated and well-funded hackers are targeting law firms to obtain information about clients’ financial assets, trade secrets, joint ventures, pending mergers and litigation strategies.
Staying Safe
The average cost of a data breach in 2014 was $3.5 million, up 15% from 2013, according to a report last year by Silicon Valley Bank. While a multimillion-dollar loss would likely be troubling to most family offices, exposure of non-financial information could be devastating to individual family members, as well as the entire family.
Private banks and RIAs may have significant financial data on their clients, but they typically don’t possess the kind of detailed personal information that a family office does, such as electronic appointment calendars, medical records, tax returns, makes and models of vehicles and locations of vacation homes.
“Personal safety is one of the risks an ultra-high-net-worth family has to worry about. For example, if somebody hacks into an iCloud account and obtains their physical location, it puts their physical security at risk,” says Dalva.
The exposure of private information and reputational damage could also be costly, especially if knowledge of the breach becomes public. Once lost, the trust of other family offices and business partners is difficult to regain.
To protect families, Dalva recommends that family offices start by having independent cybersecurity assessments performed on both the family office and each family member. The assessments should first focus on identifying likely “threat actors.” That information is then used to understand and rank the vulnerabilities those criminals could exploit to compromise the data of that specific family office.
Cybersecurity experts say family offices face four main types of threats:
- Organized criminals who focus on monetary gain.
- Competitors who seek an economic advantage by obtaining confidential information about a family’s business activities and relationships with customers, partners and suppliers.
- “Hacktivists” who attack to promote a political or ideological agenda, by pressuring a family to support human rights or divest from fossil fuels, for example.
- Employees or other insiders who misuse legitimate access to systems, intentionally or unintentionally.
After conducting an assessment, Dalva says the next step is to develop a “remediation road map” that may include changing people’s behavior, implementing new policies and procedures, altering the technical environment and training family members and family office staff on cybersecurity.
Smart Strategies
When it comes to family office cybersecurity, dumb may be the new smart.
Rather than relentlessly updating software and hardware in legacy systems, most cybersecurity consultants recommend that family offices embrace outsourced, private, cloud-based security and regulatory compliance solutions provided and managed by experts who perform functions similar to in-house IT departments.
In such an environment, users log in to a portal, through which they access all their data and software applications on “dumb” devices that contain no data or software programs. Because the devices used to access the portal to the cloud, such as laptops and cell phones, contain no data or software, there’s little risk to a family office’s private information if the devices are lost or stolen. (Family offices and advisors should note that there are many cloud-based solutions on the market and not all of them are truly secure.)
Dyer likens cloud computing to old-fashioned mainframe computing in the 1970s. “There’s no magic in what a cloud is. It’s a mainframe. It’s just that in the ’70s, when I had a dumb device at my desk, there was a cord that had to connect that dumb device to the mainframe. Now we don’t have cords,” he says.
Cloud-based solutions typically provide strong access controls to networks; device and e-mail encryption; anti-virus, anti-malware and anti-intrusion protection; software, such as Microsoft Office applications; continuous data backup; 24/7 help desk access; training; and written policies and procedures on cybersecurity. These solutions typically cost $200 to $250 per user per month.
Storing software programs and data in the cloud reduces the need to monitor and secure individual devices in the modern BYOD (bring your own device) workplace. Instead of giving employees log-in credentials that allow them to access their employer’s network directly from any device (secure or not), secure private-cloud solutions push everyone through a single, safe portal.
“It is impossible to manage all the devices that employees might use if they have user ID and password access to web-based applications. Once they have that credential, they can go to any device and use it. There is no way that an employer can manage all those devices,” says Stillman.
While family offices should focus most of their resources on secure computing, they need to pay some attention to contingency planning in the event that a breach occurs. A swift response is often crucial to preventing further financial, privacy and reputational damage.
Should disaster strike, general cyber-insurance can help cover losses from incident response, business disruption and damage to IT systems. Insurance carriers that provide kidnap, ransom and extortion policies sometimes offer protection against cyber-extortion. Many also sell policies that cover fund transfer fraud. As with all policies, cyber-insurance excludes some losses. Most policies bar coverage for monetary damages caused by unencrypted data or by the policyholder’s failure to reasonably maintain computer systems and update software.
But Dyer cautions that insurance should never be used as a first line of defense. “The way that most broker-dealers, RIAs and smaller family offices seem to want to deal with the hacking issue is simply to insure for it, rather than adopt a true prevention plan with insurance as the backup. That’s the wrong approach. They’ve got to put their money, time and mental energy into closing the loopholes and not being hackable,” he says.
Just a year or two ago, the top concern for most advisors and their family office clients would probably have been the safety of, and return on, investments. Few would likely have mentioned cybersecurity.
Dyer says he’s now seeing a shift in attitudes. “Once the government got hacked and the Heartbleed bug happened, people started to realize, it isn’t a matter of if we’re going to get hacked. It’s a matter of when is it our turn, if we don’t get totally proactive,” he says.
Tech Talk
Criminals are primarily using three types of cyber-attacks against financial institutions.
Ransomware typically infects computers through deceptive e-mails or malicious websites, which mimic legitimate communications or organizations. The software then encrypts the data on the target computer, making it inaccessible until the victim pays the cyber-criminal to unlock the information. Once payment is received, there’s no guarantee that the criminal will decrypt the files. Even if the files are unlocked, the computer could be infected with additional ransomware. Ransomware attacks grew 113% in 2014.
Denial of service (DoS) attacks prevent legitimate users from accessing computer systems. Criminals typically flood systems with illegitimate requests, temporarily shutting down websites, then demand payment from victims to halt the attack or prevent additional attacks. If hackers block customers or employees from accessing systems, a financial institution’s reputation could be adversely affected and the organization could incur substantial operational and recovery costs. Sixty percent of organizations were affected by a DoS attack in 2013 and 87% were hit more than once.
Theft of sensitive or confidential business and client information may be carried out by cyber-criminals who want to extort money, or by hacktivists who seek to pressure an organization to undertake, or avoid, a particular activity. The release of sensitive or proprietary information could harm a firm’s reputation or competitive advantage. In 2014, cyber-crooks stole epic amounts of private data by direct attacks on institutions such as banks. The number of breaches increased 23% over 2013 and attackers were responsible for most of these infiltrations.
Sources: Federal Financial Institutions Examination Council, Joint Statement: Cyber Attacks Involving Extortion, November 2015; Symantec Corp.’s “Internet Security Threat Report,” April 2015.