RECAP: 2019 FOX Family Office Forum

Breakout A: Internal Controls to Support Cybersecurity

Presenters:
Doug Herman
Principal, Technology & Business Transformation Services, BDO USA, LLP
Jason Lipschultz
Managing Director, Third Party Assurance, BDO USA, LLP

Session Description: 

There are a myriad of cybersecurity issues facing families and family offices in today’s complex private wealth environment. While some of the challenges may seem unavoidable, families may unintentionally put themselves at risk because the complexity of family office activities and the potential impact of external factors aren’t proactively identified and addressed. This session explored how to assess, evaluate, and mitigate some of the risks commonly found in the family office environment, key considerations that participants should keep in mind when evaluating cybersecurity risks and solutions, and best practices they should be incorporating into their internal controls processes.

“You can outsource the process, but not the risk. You can have the greatest policies and procedures in place, but if you’re not auditing them regularly it does not matter.”
- Doug Herman

“The bad guys are always one step ahead of us. We’re always reactive to the latest threat. It’s an uphill battle; however, artificial intelligence will begin to level the playing field.”
- Jason Lipschultz

Key Takeaways: 
  • To prevent cyberattacks, remember that technology is only as good as the processes and controls that manage it. Key business process areas of focus include purchasing, accounts payable, disbursements, HR and payroll, and general accounting. Key control considerations include policies and procedures, access management, delegation of authority (who approves what), segregation of duties, the vendor master, periodic reviews, and reconciliations.
  • Beyond internal controls, also consider the risks in vendor relationships and banking services, and consider establishing proactive relationships with PR and crisis management firms as well as law enforcement.
  • Human behavior remains your biggest asset and your biggest risk. Most human behavior is driven by a desire for convenience and efficiency. The best way to instill best practices is through training, supported by testing, followed by auditing. Before training can begin, however, a clear and concise set of policies and procedures needs to be developed, covering the storage and handling of documents containing sensitive information or PII, the transition of sensitive documents, and the verification of transactions.
  • Best practices for maintaining confidentiality include verifying the vendors or other individuals to whom disbursements are being made, encrypting servers at rest, encrypting email communications, and not using personal services (personal Gmail, Dropbox, etc.) for family office business.
  • A compromise may be an external breach of your infrastructure, an internal breach in which an employee leaks sensitive information, or ransomware. If you suspect a compromise has happened, involve outside counsel and investigate, but do not trample key artifacts: preserve the evidence an investigation will depend on. Involve external incident response parties at the appropriate time.
