Family offices are meant to protect and grow the wealth of high-net-worth Canadians, but cyberattacks are making that job more difficult. With high-value assets and sensitive information, family offices are attractive targets for threat actors. According to a survey by global law firm Dentons, more than 70% of family offices report that the likelihood of a cyberattack has increased dramatically.
Cyber criminals are becoming more sophisticated, with many using artificial intelligence technologies to craft convincing voice messages to use in their scams. Additionally, growing political uncertainty and recent natural disasters are giving them new opportunities to attack.
Larry Zelvin, Executive Vice President and Head of the Financial Crimes Unit at BMO Financial Group, is one of the foremost authorities on cyber risk. Having worked as the Global Head of Cyber Security at Citigroup and Director of the National Cybersecurity and Communications Integration Center with the U.S. Department of Homeland Security, he uses his extensive experience to help clients increase their security knowledge.
What are some of the key cyber security risks to family offices?
Family offices often comprise individuals of different ages and digital habits. Younger individuals tend to click links or download apps without first ensuring they’re safe, which presents risk. Older generations are being targeted by sophisticated social engineering campaigns. Both groups may be reluctant to speak up when they’ve been victimized because they are embarrassed. No one should feel ashamed of falling victim to a scam in a landscape of increasingly complex threat actors and schemes.
It’s important to create a security culture within family offices – encouraging members to “see something, say something.” Every breach begins with an entry: a starting point. This can be something like an individual’s password that has been compromised through a social engineering attack or phishing message. The threat can quickly escalate from an individual to a family office to a business, particularly if that individual is using the same password for multiple accounts.
How equipped are family offices at warding off an attack?
While the threat is always there, family offices have been getting better at addressing the risk of cyberattacks. One very simple tactic is to create a shared passcode that is only known within the family. This is especially useful with deepfake videos or phone calls, which can be convincing enough to make you think you’re talking to a real person – even someone you know well. Just like other forms of social engineering, deepfakes may use emotional or urgency tactics such as claiming that somebody is ill or has been arrested. If you get that phone call, take a moment, take a breath and resist the urge to act quickly and on impulse. Ask for the family passcode to make sure the person you’re talking to is who they claim to be. When developing a passcode, make sure it’s different from all other passwords. Also, passcodes should not be things related to your family that a scammer could easily find online—such as street names, birthdays, pets, or other personal information that may be shared online. They should also be changed from time to time.
Because wealthier individuals often have a public persona and online profile, hackers may gather this information and attempt to use it against you. As you become more public, be cautious about the ways information about you is being shared, and how that information could be used by cyber criminals to access you.
What are some of the other ways threat actors are gaining access to personal information?
The rise of political uncertainty and natural disasters is also creating new ways for threat actors to target individuals. Any time you have a major event – whether it be wildfires or geopolitical conflicts – fraudsters will find a way to take advantage of the situation for their own benefit. We must all be cautious when it comes to donations: clicking links, opening attachments, or giving out personal and financial information. Make sure the organizations you’re working with are who they claim to be.
Does where you live matter when it comes to the likelihood of an attack?
With advances in technology, attackers can access targets across the globe. As long as you’re connected to the internet, you’re at risk. In some cases, threat actors actually prefer targeting smaller companies because they don’t necessarily have the resources in place to actively be detecting and mitigating attacks.
What can an organization or individual do to protect themselves?
The harder a target you make your family office or organization, the better off it will be. Increasingly, attacks are becoming automated, so it’s important to protect yourself against this type of threat. This includes putting initiatives such as multi-factor authentication and encryption in place, as well as installing security patches to remove vulnerabilities within your networks. We keep reinforcing password best practices because strong, complex passwords remain an important tool to protect against threat actors.
In addition to having policies that govern how information can be shared and how to confirm the identity of an individual, family offices might also consider partnering with a dedicated cyber security firm or a reputable law firm that has experience in cyber security. Before you hire anyone to bolster your cyber security, however, do your due diligence. There is more demand for cyber security talent than there are credible people to meet the demand. Sometimes people hire a “cyber expert” only to find out later that the individual isn't up to the task.
A small organization may not have a dedicated IT team, so how should they approach cyber security?
It’s important to identify someone within the organization to be the point of contact on cyber security. They may start by establishing security best practices required by members and an incident response plan that lists steps to take in the event of an attack. That incident response plan should include details about any cyber insurance, outside legal counsel and other external partners or resources to work with in an emergency.
There are many excellent resources online; BMO provides general security information and resources on bmo.com/security, including security tips, articles on threats and how to help stay protected, updates on fraud scams and more.
Any final tips?
I want to emphasize again that no one should feel guilty for falling victim to a cyberattack or a fraud scheme. If somebody makes a mistake, there needs to be a general feeling throughout the family that it’s better to take action immediately than to hide it. For more information, please speak to your BMO Private Wealth professional.