FAMILY OFFICE INSIGHTS

Family Office Connections: Evaluate your cyber risk

A part of the surveying the risk and threat landscape to family offices series

Chris Pierson, CEO at BlackCloak, discusses our family office risk survey findings. Listen now as he discusses ways to prevent malware, conducting background checks in a high-trust environment, and balancing your privacy at work and at home.


Audio transcription

Edward: Welcome to Family Office Connections. I'm Edward Marshall, Managing Director at Boston Private. Today we continue our series of discussions focused on the results of the Family Office Survey that we released recently. In that report, we asked over 200 family office executives to give us their thoughts on risk and threat matters they face every single day. The results were very illuminating, on one hand, answering some questions that we all had, but also posed some new ones, provided some unexpected insights into the risk management characteristics and behaviors of family offices. The finding certainly opened some new areas for the committee to evaluate, but also present some opportunities for both family offices and the advisors that serve them to address risk more effectively. My guest today is Chris Pierson of BlackCloak. You know, Chris, before we get started, tell us a little bit about yourself and specifically around your experience of working with family offices.

Chris: Yeah, Edward, great to be here with you, and thanks so much once again and to you and to Boston Private. BlackCloak is a concierge cybersecurity and privacy protection platform. It's a platform that is built from the ground up to protect high-net-worth individuals, single-family offices, multi-family offices, high-profile individuals through and through, and in their personal lives. We protect their privacy. We protect their home. We protect all their devices and going to do so with a mindset of concierge approach, really protecting their peace of mind for not just them, but right for their entire family, gen one, gen two, gen three. All these things are interrelated and connected, and so we really work a lot hand-in-hand with those single-family office members. And the report that Boston Private, you know, has put out, is putting out, really just solidifies a lot of those in a manner that's very, very easy to call and understand.

Edward: Thanks, Chris. Well, let's dive into that report, and let's talk about one of the findings that you and I had discussed, and that's certainly around underestimating of cyber risks. You know, whether a family office is new or, you know, has been in the business for a couple of generations, there's a lot of factors that go into the mindset of this family office when it comes to risks specifically around cyber risk. What's been your experience in this area with the families that you work with?

Chris: Yeah. You know, a lot of this kind of starts out on the, well, you know, I'm not an attractive target. Maybe I'm not the person or the family that they want to go ahead and target or attack. And so, there's a fundamental misunderstanding there about the risks that are there about the targeting, about the selection of high-profile, high-net-worth ultra-high net worth individuals. The fact of the matter is that, in many cases, you know, those are investment firms that are going to supply many generations to come and they're almost like small banks.

So, I mean, I think that one of the facts that really stood out was this lack of understanding, so to speak, of cyber risk. But yet, in terms of the survey data, you know, it seemed like some 52% of those folks, right, were rating cybersecurity and the cybersecurity risks as a major or a catastrophic event, right? Fifty-two percent, 8% rating it as catastrophic, 44% rating it as major. And we see that, you know, a lot. We see that, you know, through our cybersecurity analysts, through our relationships and now through this report, and it seems like there's some divergence there. It seems like, in one aspect, folks are saying, "This is a potential, you know, financial killer, huge financial risk to us, our family, our family office," yet not necessarily mustering the right controls, right? Not mustering the right defensive measures and protective measures to go ahead and combat that risk.

Edward: I think those are certainly some really great points, Chris. I think another one similar to that is really around how prevalent cyber-attacks are on family offices. I know we have all seen different reporting in this area. We found that over a quarter of family offices have admitted to suffering a cyber attack. What are you seeing out in the field with the families that you're working with on this issue?

Chris: Yeah. What's interesting about this statistic is that, you know, we see similar pattern. I can tell you right here and right now that when we onboard our clients, 20%, so 1 out of 5, 2 out of 10, 20% of them, their homes and home networks are wide open to attack, 39%, so 4 out of 10 of these folks, they have active malware on their devices when we are onboarding them or their homes are open to attack. That's 40%. And then when you mix that in, and we know because we're there, we're implementing the protection solution, the BlackCloak solution, so we know because that data comes from our cyber analysts, our forensic analysts. And when we take a look at the results from the report, it said 26%, right? Family offices ever suffered a cyber-attack, 26%, right?

Now, there's going to be a portion that's probably another 5% to 10% in there that they actually don't know that they've suffered an attack, are under attack, and maybe it's in a month, maybe it's in three months that they are going to have some type of an incident, business email compromise, a ransomware, some type of financial risk. So it really aligns nicely with the data that we're seeing on the receiving end of those alerts and of that protection and what people are publicly reporting. But it's a scary statistic. It's a very scary statistic when you actually look at and you say, "Hey, out of the number of single-family offices that are out there, one-quarter of them have been attacked in the past. And guess what? When cybercriminals actually make off with funds, make off with intellectual property, make off with private information, or, you know, have a ransomware extortion attack and get Bitcoin from it, they're going to come back." So we're going to see this continue to evolve year after year. And with everything that happened in 2020 in terms of more of an attack surface at home, the home is the new battleground, Edward. It is definitely the new battleground. I think we're going to see this number jump when you do this report next year.

Edward: And what do you attribute that 10% delta? Is it just not knowing, not having a solution to support them on the cyber side? Or is it something else that's coming around the corner? Especially, you know, folks like yourself and many others that are out there talking about this threat. It still seems like there's a large prevalence of attacks that are still maintaining on this very lucrative cybersecurity target.

Chris: Yeah, I mean, so it's a few things. First of all, it's the fact that folks do not know that they are currently a victim, right? Their intellectual property, private details, private data, financial data is being siphoned but they don't know that they're a victim. And once again, the report actually highlights this. It says 54% of single-family offices consistently used endpoint. Let's just break that down, right? Anti-malware solutions, right? Anti-virus, anti-malware solutions, 54%. That means, right, on the inverse, 46% don't. Our data from our client population, same population but we're there literally holding their hand, we have 59% don't have an endpoint anti-malware, antivirus solution. So, when you literally say in some form or fashion that essentially, you know, some 40% to 50% to 60% of the folks don't actually have the detective measures to be able to understand that they are a victim, that's where you get the delta, that 10%, in addition. They're going to be many, many more people out there that are victims. They will find it out in a year, two years, three years. Cybercriminals are patient, and they will find it out perhaps in another generation. So they might not be the direct impacted target, but that's someone else one generation down is.

So I think that a lot of this is, right? Not knowing. It's kind of like going to the doctor and you're like, "Well, you know, I feel great. Everything is wonderful," but you really have high cholesterol. Like you have high cholesterol but haven't taken a cholesterol test. This is part of the problem here. Many more people are going to be having high cholesterol if they don't get tested or don't know or don't have an understanding of it. It's the same thing in cyber. And people are laying in wait, cybercriminals and nation-states. This is how a lot of the different funding for nation-states is occurring through ransomware, through extortion. Single-family offices don't want a part of this. So I think that 26% number is definitely a bad number. I think it's actually even higher.

Edward: Another number that jumped out in our research was around background checks. About a good portion of families conducted background checks on their employees when they started but never put in sort of a continuous monitoring effort for personnel, especially when you consider, you know, the outsized access that a lot of these individuals have to these families. What are some of the potential risks there, and what have you seen with families who have done this well?

Chris: Yeah, I think, I mean, look, you know, single-family offices, a lot of the folks that are associated with it are in the family, right? They're in the know, but there is always a group that is not related to you, not part of the official team. They might be contractors, consultants working part-time, and they might be people that ebb and flow, but within any family office environment, it needs to be an environment of high trust. That doesn't mean perfection. It just means high trust. When something goes wrong, people feel free to chat about it, to talk about it, to let people know. What you will find, though, is that when you only do that employment or background check at time one, right, at a point in time of employment, you could potentially have blind spots there. You could potentially have blind spots in terms of someone being over-leveraged and being potentially susceptible to identity theft rings, to other cybercriminals, etc.

You could also find yourself in a situation where your investments, your investment strategy, and other financially related information about you and your family and the office are valuable in and of themselves, and that that information is harder. These are high-trust situations, you know, that you're embarking on within a family office, and it's one of those things...the measure of risk, right, really needs to be figured out, analyzed, and assessed. But then the right type of control needs to be put in there. You know, that could include some different types of monitoring of accounts or computers, but once again, you want to have trust of your employees. But you could also have just very simply continuing ongoing ability to do background screening, background checks.

And most certainly, at points in times when folks are going in for raises, advances, career advancement within that family environment, office environment, or when they are taking on new responsibilities. They might have been the meet-and-greet person in the organization, events coordinator person, but now they're transitioning to something where they're going to have access to much more amounts of financial information or personal information. That may once again trigger some different review of them and their background for that specific role. These are just things to, you know, analyze and assess in terms of what's the inherent risk? What type of control can you put in place? And what's the residual risk? And are you comfortable with that? If not, how do you go ahead and tackle it? So always want to be heads up, blinders off as it relates to those issues.

Edward: What about, you know, the issue of privacy? That certainly comes up when you look at all of the risk and threats spectrum that we've talked about. And specifically, you mentioned this before that, you know, single-family offices also have a lot of intertwined relationships between work and personal lives. Is there a way that you've seen families do this well, and what are some potential pitfalls around privacy when you take a look at that area?

Chris: Yeah. This is really something that's multidimensional. In order for the family office to have a comprehensive, a holistic protection plan in place, it must address several facets. One, it has to address the privacy of those individuals, what information is out there, decreasing the attack surface, what information will be shared and with whom and how is it controlled safely and securely? It's not about not allowing it to be shared for tax forms, K1s, investments, all the rest, right? It's not about that. It's about controlling it in such a fashion that it is done securely, but the privacy there goes around 360 degrees. Privacy of the individuals in their office life, privacy of the individuals in their investment life, privacy of the individual individuals in their personal life, and privacy around the "family," gen one, gen two, gen three.

Second, right? That mashes in with cybersecurity of their devices in their home, right? You can't have privacy without cybersecurity and vice versa. And so, it's really important to tackle those two things together. Without tackling it together, you may end up with tons of data that is not well-protected, or you know, lots of data that is flowing around you and you think is protected but maybe the insider becomes an issue or maybe you're over-collecting or oversharing. So, definitely need to figure out what that privacy attack surface is, limiting the information out on the principles that is publicly accessible, removing data broker information, information about you that's publicly accessible on data broker websites, hardening up the principles in terms of encrypted password vaults. All of these things play a role in cybersecurity, they play a role in making sure that you're not as big a target, and they play a role in ensuring that the entire family is protected, right? A little bit of herd immunity here as well.

Edward: Thanks, Chris. I really appreciate you joining me today, and to the folks that are listening, if you'd like to get in touch with Chris or if you have any questions, do send us an email to familyoffice@bostonprivate.com. I'd also recommend that you check out our website. You can find numerous resources. You can download the paper that Chris and I discussed, and you can sign up for our newsletter, get this podcast, and much, much more right there in your inbox. That website is bostonprivate.com/familyoffice. And be sure to subscribe to this podcast on Apple and Spotify or whatever platform you prefer. That's it for today. Check back for a new podcast next week. Bye, everybody.

The views expressed in the article are those of the author and/or person interviewed and do not necessarily reflect the views of SVB Private or other members of Silicon Valley Bank Financial Group. The materials on this website are for informational purposes only, are subject to change and do not take into account your particular investment objective, financial situation or need. Since each client’s situation is unique, you should consult your financial advisor and/or tax planning professional before acting on any information provided herein