Over the last few years, cyberattacks have grown exponentially, and the risk of falling victim to one applies to people in all walks of life. But the risk is especially great for "ultra-high-net-worth" families. Why? Because they are subject to uniquely complex and interconnected financial, business, ownership and reputational dynamics that make dealing with a cyberattack that much more difficult. This is why the growing sophistication of attacks targeting these families is concerning—and why the growing sophistication of approaches that can identify, mitigate and respond to them should be a source of comfort.
Indeed, families at the highest ends of the wealth scale are a particularly attractive target for phishing, ransomware and fraud, whether through their businesses, individual family members themselves, or their investments. Meanwhile, the pandemic-induced imperative to rapidly transform digital capabilities has only exacerbated this situation for many families.
This is because processes and procedures that worked well in an office environment may not work as well in a work-from-home or hybrid environment. Even people who've historically made relatively little use of technology are being forced onto video chats and other digital channels. These changes have created new vulnerabilities that cyber criminals have quickly adapted to exploit.
It gets even more complicated when these vulnerabilities lead to more than financial consequences. For instance, some families respond to ransomware attacks simply by paying the ransom. While this response may avoid a business disruption, it nevertheless creates a privacy disruption. We are all entitled to privacy, and besides, paying doesn't guarantee that the attackers won't be back—nor that they won't still publicly release private or sensitive information.
Similarly, a cyberattack on a family member's business could create significant disruption to their operations, especially given the current supply chain challenges. Furthermore, the family's privacy could be impacted. Of course, some family members may not be all that worried about their own personal privacy—it's obviously commonplace for people to share their private details on social media, whether about their wealth or anything else. But by piecing together personal information posted on these platforms, cyber attackers can generate more effective phishing attacks against the whole family, not just individual family members. And that could expose everyone involved to reputational risk.
Mapping risk, building moats
Families looking to protect themselves against sophisticated cyber threats should take an enterprise risk management (ERM) approach that recognizes the interconnectedness of their work and life. For these families, risks in their personal affairs can spill over into their businesses, other family members or various investments, and vice versa. As an example, lack of attention to one's social media or private investment management (e.g., using one generic email account for these and for a corporation) can create opportunities for hackers to gain access to confidential information.
An ERM approach involves having a strategy that identifies risks before an attack occurs, sets up governance and monitoring mechanisms, and manages and reports on those risks. Obviously, the services of a trusted security risk specialist will be important. This person should understand the full environment, cutting across the personal areas and the public/incorporated ones. He or she can then advise on both technology enhancements, like using multi-factor authentication or a virtual private network (VPN), and behavioural changes, including which apps or sites not to use, and provide alternatives that are better protected.
Ultimately, though, an ERM approach seeks to create a risk-aware culture that runs through not just the entirety of the family business but also the family itself. This means making sure even children and vendors are conscious of risk identification and mitigation, such as not sharing too much on social media.
An approach like this starts by mapping out risk in "rings" by looking at the people and infrastructure closest to the family—investment brokers, for instance, or data—then moving to the next closest, such as office and household staff, and then perhaps vendors and other stakeholders. From there, build "moats" around each of these rings, identifying the risks within each and protecting against them.
Interestingly, just starting the conversation, creating the initial awareness and providing basic tips can make a big difference. After all, risk management is vitally important, for families and individuals—but by being aware that the risks exist and creating a family- and enterprise-wide risk management culture, everyone will be better positioned to always be at least one step ahead of the threat.