Cybersecurity poses real consequences for family offices

Author: Andrew Cohen
The December killing of UnitedHealthCare CEO Brian Thompson has heightened concerns among high-net-worth families about the risks posed by their digital footprints, prompting many family offices to rethink their cybersecurity strategies.
Thompson was shot Dec. 4 outside the Hilton hotel in Midtown Manhattan, where he was scheduled to attend UnitedHealth’s investors meeting — an event publicly detailed in company announcements. While authorities have not directly linked his killing to a cybersecurity breach, the incident has underscored how publicly available information, from corporate filings to social media activity, can expose executives and wealthy individuals to security threats.
In response, family offices are increasingly investing in cybersecurity solutions to safeguard sensitive personal and financial data, reduce online exposure and mitigate risks that could lead to impersonation, fraud or even physical harm.
“The New York incident has made families rethink their privacy and what that really means,” said Bobby Stover, EY Americas family enterprise and family office leader. “I don’t want to be locked so much I can’t do things, but what risk does my digital footprint present to me?”
One of the tech providers at the forefront of protecting the online presence of high-net-worth individuals and their families is Hush, whose sign-ups among single- and multi-family offices have accelerated since Thompson’s killing. Hush’s platform scans the internet and a user’s social profiles to alert them when personal, identifiable information is shown online and then removes those vulnerable or reputation-damaging posts.
For example, a younger member of a family attends a party where “either they take photos of the event or someone else at the party does,” said Mykolas Rambus, a co-founder and CEO of Hush. “Maybe it's a compromising photograph, maybe it has information in the background about an address. Maybe it’s telling someone who shouldn't know that they’re getting ready to leave for vacation for a month in Mallorca. That’s when we flag it and say this is a problematic post, here’s why.”
Rambus, who previously was an executive at Forbes Media and CEO of the wealth data firm Wealth-X, recommends that Hush’s affluent clients stay off social media entirely. “We often say the risk of someone being impersonated, the risk of the video they posted being used by someone to pull off a virtual kidnapping, the risk of someone impinging their reputation are substantial on these platforms,” he said. “And the recourse process is only getting more difficult.”
EY has devoted $300 million to building its cybersecurity practice, which serves family offices as well as major financial institutions and companies. For larger family offices, Stover said, families will look to hire a chief risk officer and chief information security officer to lead their internal cybersecurity, while smaller family offices will rely on outsourcing to boutique cybersecurity firms.
One of those firms is Summitas, whose encrypted engagement platform is used by family offices and their advisers to securely share documents related to trusts, wills and tax returns as well as family calendars, vacation plans, financial information and the delegation of tasks. Summitas is SOC 2-compliant, ensuring that it meets the latest cybersecurity standards developed by the American Institute of Certified Public Accountants.
Addressing third-party risk
Performing an overview of all the third-party vendors used by a family office is a critical initial step in cybersecurity planning.
“There’s been a huge uptick in third-party vendors having cybersecurity incidents and then reporting them back to the data owner,” said Annmarie Giblin, a partner in the global cybersecurity and privacy group at the law firm Norton Rose Fulbright.
One example of third-party cybersecurity exposure that can leave a family vulnerable to burglaries arises when a family office works with an architect to renovate a home.
“Sadly, it happens where you’ll have an architect who will be involved in renovations; they’ll file a permit with the city or county,” Rambus said. “And the family has gone through great lengths to make sure their properties are held in trusts and obfuscated — and then come to find out it's now public record because the architect forgot to take the family’s name off the filing with the address. Can’t tell you how often that happens.”
Risclarity, a data operations platform for family offices, encourages centralized IT departments to be responsible for routinely updating the software on devices used by family office staff.
“We’ll see family offices on really old versions of general ledgers or really old versions of a software that the vendor no longer supports,” said Mark Wickersham, senior vice president of strategic marketing and business development for Risclarity. “There’s a big risk involved with that because those platforms are no longer being patched.”
AI to fight cybercrime
Risclarity has used NINJIO to share bite-sized cybersecurity training videos with staff and clients. Educational programming to learn how to detect phishing and social-engineering attempts has been deployed at the multi-family office Cresset, but the firm more recently has also developed artificial intelligence to fight cyberattacks.
“We now have some defensive tools that use AI, machine learning and other techniques to identify threats and filter them out of our incoming email and other channels to make sure they never even reach our users,” said Cresset’s chief technology officer, Paul Algreen. “In cybersecurity circles, the human is always the weakest link, they are easiest to fool. Computers are hard to fool because they’re built on programs.”
AI represents a double-edged sword of cyber defense and cyberthreats. Firms such as Cresset and EY have established policies to prevent client data from being shared with third-party AI services such as ChatGPT and instead have developed their own internal generative AI platforms that are monitored by their own IT departments.
“Just because it’s the latest and greatest, doesn't mean you have to put AI into your family office or into your home,” said Giblin, the cybersecurity lawyer. “People don’t understand that if you enter information into the public version of a generative technology, that becomes part of its large language models. So if someone gives the right prompts, asks, ‘I want to know where so-and-so lives,’ that might spit it back out because I’ve already entered that information to send a benign email because I didn’t feel like writing it.”
Crain Currency is the premier digital news hub tailored for individuals overseeing family wealth and legacy. We provide industry news and peer-to-peer insights to help family offices address their unique challenges. We focus on connecting like-minded individuals and creating networking opportunities.