Uncloaked: A Cybersecurity Podcast
Uncloaked: A Cybersecurity Podcast by BlackCloak takes you inside the world of Digital Executive Protection and personal cybersecurity.
In today's hyper-connected world, corporate leaders and high-net-worth individuals are prime targets for sophisticated cyber threats. But the weakest link isn't at the office—it's in their personal lives. And the line between digital and physical risk continues to blur.
Discover practical solutions, expert analysis, and behind-the-scenes stories on the unique and evolving security challenges faced by C-suite executives, board members, high-profile individuals, and their families.
Ep. 29 | Cybersecurity for Family Offices
83% of U.S. Single-Family Offices rank cyber risk as a top concern, yet many lack the resources and knowledge needed to safeguard the principal's wealth, privacy, and legacy from cybercrime. BlackCloak's Managing Director of Private Client Services Sarah Rosen explains the scope of these threats and how Family Offices can close the gap.
If you're interested in learning more, you can request a demo with BlackCloak here, or visit the BlackCloak website.
SPEAKER_00: Welcome to Uncloaked, a cybersecurity podcast brought to you by BlackCloak, the pioneer in digital executive protection and leader in personal cybersecurity. I'm your host, Dan Basco, and today I'm joined once again by Sarah Rosen, but this time in person, very excited to be here with you, managing director of private client services at BlackCloak, and we're going to be talking about cybersecurity for family offices. So, very important subject. Sarah, thanks so much for being here and great to see you.
SPEAKER_01: My pleasure, my pleasure. It is a very important subject and it needs more attention. So I'm glad we're doing this.
SPEAKER_00: It does, because obviously when we talk about cybersecurity, even at BlackCloak, we talk about the high profile individual, high net worth individual. But this is even, we're really honing in on the family office aspect. So that's why I really like this topic because we're getting into the nitty-gritty a little bit about this particular attack surface. And part of this, too, and you know, a shameless plug, we just published an ebook on our website at blackcloak.io. Just go to the resources tab about cybersecurity for family offices, a really informative e-book there. And, you know, we found that, you know, some a lot of studies show that 43% of family offices just in the last year or two have said they've experienced some form of a cyber attack. And that's just the ones that they've identified, right? This is a unique attack surface. We're talking about people that are in charge of key accounts, finances, schedules. There's a lot of different touch points, right? So can you speak to the scope of the responsibilities of a family office and maybe why that makes it such a unique attack surface?
SPEAKER_01: Yeah, I'm happy to. And I think that when you think about a family office, it's a pretty unique entity in itself, right? Like technically it's a firm, it's a business firm, it's attached to a single family. So it has a single customer. That's pretty unique to it. And customer isn't even the right word, it's a bit more intimate than that. And the primary function is financial, right? The primary sort of core skill set they're developing has to do with finances and maintaining finances and looking into the future. However, there's a lot of ancillary expectations that come with a family office, right? You are there to essentially make the lives of the family and the multiple generations in the family potentially a little bit easier. And so the unique aspect within cybersecurity for a family office within cybersecurity really has to do with the fact that you have a firm. And that firm is a group of individuals who are working in a business-like way, and you need to protect the firm from cyberattacks, right? And that's where most of the focus is right now for family offices. However, think about the family themselves, the individuals themselves. And what we saw happen in business, right? We saw bad guys attack businesses. That became really hard, so they started attacking the executives of those businesses as a way to Trojan horse their way in. That logic applies directly to family offices too. And so as family offices do get best practices around cybersecurity for the firm, it is natural to think once that gets a little bit more challenging, this 43% or these bad guys that resulted in 43%, they're going to start looking to the principals. They're going to start looking to the personal lives of those individuals. So you've really got a similar scenario to a business, a firm, just with far fewer resources and oftentimes absolutely no cybersecurity-specific, dedicated resources within the firm.
SPEAKER_00: Yeah, that makes a lot of sense. And even a more specified target in that instance, right? Versus uh, oh, the C-suite or just a more broad-reaching target there. We're talking about a specific principal that they're looking at. And so that can obviously lead to some more risk as well. In your experience, what have been the primary reasons uh that family offices or principals with a family office choose BlackCloak?
SPEAKER_01: Yeah, that is actually a great question. So family offices do have one benefit that traditional businesses don't have. They don't need to be known. So a traditional business, it has to advertise within some group of individuals. It has to tell the world it exists so they can recruit customers. Family offices do not need to do that. They have absolutely no reason in many instances to let the world know they even exist. So they're starting off from a place where they could, given their situation and there's a lot of different situations, really stay under the cover almost uniquely from the world, so to speak. They don't have to have a website that's public. Oftentimes they'll have one and it just has like a, I saw one with a red background and a telephone number. So, you know, unless you know, you don't know. And so when we think about BlackCloak specifically, we work with a number of family offices. And because of the nature of the firms, because they're so unique, they really rely on one another. So family offices rely on one another for best practices. So if you think about sort of functional groups coming together, CFOs from family offices coming together, there's a lot of this happening that may not be known to the rest of the world because it's deliberately kept really quiet. And so oftentimes family offices are choosing BlackCloak because we know how to work with family offices and we have a number of family office clients.
SPEAKER_00: And speaking to the other side of it, when you're assessing the landscape from your discussions with prospects or just learning more about uh the threat landscape that's out there, what are you seeing from a misconception standpoint? I imagine that there are a lot of people that maybe miss something when it comes to the emphasis that should be placed on cybersecurity for the family office that maybe isn't being what where do you see those priorities kind of stack for them?
SPEAKER_01: So I think it's murky. So I think family offices know they're trying to solve a problem because another family office that they're familiar with, it had a cyber attack, right? They're reading it in the news. They realize that they're sort of at risk, but they're often trying to solve a problem that they don't quite understand because there really is rarely, almost never, a dedicated security professional within the staff of the cybersecurity. Now they can leverage them in like a consultative type way. So they absolutely have access to this knowledge, but it's very frustrating to solve a problem that you actually don't understand. And I think there's an element of it that's worth sort of discussing. I know you and I have discussed it on past, and it's the nature of the bad guy, right? And I think a lot of times family offices come to us and they're trying to solve the problem of the bad guy as it's defined by normal, everyday folks in the US, which is sort of a long tail approach, right? If I take a poorly constructed text or not meticulously constructed text and send it out to 2,000 people to try and trick them, right? Which is kind of step one in the bad guy playbook, a couple of them probably are gonna get tricked. This is very different. And the rest of us feel comfort in that. Ooh, I'm well aware that E470, which is the highway in Colorado, you know, really isn't going to arrest me, right? I can read through this. But there's this other level of bad guy that's attracted to family offices. I call them the Ocean's 11 bad guy because it's all in the preparation before the heist. So, in other words, these guys will spend a lot of time and resources invested in a given target because they feel confident in the payout, and family offices fall squarely into these bad guys. And they tend to be the more sophisticated ones, right? Just like the movie Ocean's 11, those were the most sophisticated individuals in their given area.
The family office is attracting the most sophisticated individual who will spend a year studying the family through emails or otherwise before they even begin to pull off some sort of crime.
SPEAKER_00: Yeah, these aren't the scam callers cold calling uh 2,000 places hoping to find a hit. These are the motivated, uh very hyper-specific uh individuals, which uh in really anything, like the more motivation you put behind it, the more impact that can have. So no, that's a great point. And I think going off of it too, a lot of people understand the financial ramifications of a potential cyber attack as they see all the stories, they know um uh obviously what they have in their accounts that could be subjected to um some sort of uh cyber attack. But on the other side, is the reputational damage, that capability, is that uh perhaps being not necessarily overlooked, but maybe underrepresented when we're talking about things like deepfakes or we're talking about um the name of the principal and their family being at stake. Uh, that's a big part of it too.
SPEAKER_01: Without a doubt. Now, the reputational damage to a business is financially significant because we trust our companies, the trump companies we do business with, whether it be a consumer product or otherwise, we trust them. And you know, a breach really kind of can chip away at that trust potentially. And it's a little bit different in a family office because you have an aggregated amount of wealth, arguably the same as a uh corporation, but it might be more centralized. I know they diversify, but still, you know, the assets that are sitting there are sitting in a way different than a corporation would. Not to mention, usually the motivation in a corporation isn't to steal money directly, it's to steal something, usually usernames, passwords, user information, and then resell it, right? That's kind of the standard play. Family office is you're going straight for the finances in some way, shape, or form. And to have a family office, think about it, this is a firm dedicated to your family. All they do is support your family. You have to have a significant amount of wealth, right? Hundreds of millions of dollars, most likely, before you start, it starts to make sense to have a single family office for your family. And so individuals who have that level of wealth usually have some level of stature in the community, in the country, on the global scale, whether that be from like an entertainment perspective or a political perspective, right? That's sort of the nature. And so 100% there's a reputational damage. And that might be in instances of politics and otherwise, that might be the intent, the intent, right? To pull one off, less so financial than reputational. So I think both sides of the coin, both firms and family offices or enterprise and family offices, certainly have that concern, but it presents a bit differently. The dollar amount, maybe it's the same, maybe it's the maybe it's not, right?
Both nobody's gonna go, you know, hungry as a result of this. But it's pretty significant. Hundreds of thousands of dollars sort of stolen in a moment, if not millions, and um, and then admitting that to the world. They don't. And that's why we've never heard of the Ocean's 11 hacker, because they absolutely don't. Under no circumstances do they want any press about these instances.
SPEAKER_00: And it's interesting too, because you know you mentioned like some that could be ideological reasons, some could be obviously for the financial reasons. The thing is, as you if you're the family office and you're the principal, you're not gonna know the reasons until it's probably too late, right? Which is why I think like a holistic protection is the only way to go in that instance, right? Because you never know uh what motivations are gonna be coming your way or where they're looking to target.
SPEAKER_01: And proactive as well. Now, across the board, I think we'd agree at BlackCloak, what we often find is about 40% of folks come, 40% of our customers will come to us in some sort of breach state. That might be minor, right? That might be something really small, it might be something major in a lot of uh instances. However, we want to turn that 40% into 10% because the reputation, the damage once it's done, is so emotionally devastating. It's almost like having a break-in at your house, if not worse, right? It's not so much the money impact, because again, these are quite wealthy individuals, right? It's really sort of not being in control of your world. And then if you put the family different from just a family, we have lots of families who join BlackCloak. Um, and when they do, they're trying to be proactive for their family. But when you add the family office firm, it is the job of the firm, of the family office to protect and reduce risk for their family. And that could be two households, that could be 68 households, right? There could be a small group and a large group, and to fail to do so, and they feel really confident, they're pretty good, they can reduce risks financially, right? They are usually professionals with a background in finance, but they're less confident on their ability to reduce risks when it comes to cybercrime.
SPEAKER_00: Yeah, it's just one aspect of it, and um so there's so much more out there to be protected, to uh implement in terms of that security posture. So uh any closing thoughts uh before we uh close out here, Sarah, on the family office, the landscape uh of cybersecurity in that respect?
SPEAKER_01: I'll just reiterate because I think a lot of um conversation is happening more and more within family offices about cybersecurity. It seems to be a really relevant topic that those who work within a family office are interested in grabbing. And the one sort of plug I'll make is think beyond the firm, right? Really think about the personal lives. And when I came to BlackCloak, I did not know personal cybersecurity was a thing. I had been in cybersecurity prior, had no idea there are personal cybersecurity options. So a lot of what we want to do within this community is let them know it's a thing.
SPEAKER_00: Yeah.
SPEAKER_01: You can get personal cybersecurity that employs all the best practices in individuals' or households' personal lives.
SPEAKER_00: Perfect. Thank you so much, Sarah. Really appreciate you having on the show. And it's great to be here with you and in person for this one. Um, a lot more on the Cybersecurity for Family Offices at blackcloak.io, but for now that will do it for us here on Uncloaked. You can listen to all episodes of Uncloaked at blackcloak.io slash podcasts or on your platform of choice. And if you're interested in becoming a member or want to learn more about how to protect your digital life, visit us at blackcloak.io. Thank you for tuning in, and we'll see you next time on Uncloaked.