INTERVIEW: Citi Private Bank Sets Out Cybercrime Challenge For Family Offices

The private bank has published a report charting what family offices must do to reduce their vulnerability to a threat that appears to grow by the day.
Cybercrime will cost business and individuals an estimated $2.1
trillion by 2019 and create an annual $400 billion bill. Banks
have been hit; most recently, the UK’s National Health Service,
the German railway network and US logistics firm FedEx fell
victim to a massive ransomware attack. Wherever you look,
cybercrime is big news and threatening to weaken confidence in
digital ways of doing business.
For all these reasons and more, those who work in private banks, family offices and wealth management houses are, or should be, placing cybersecurity at the top of their agenda. (A recent Family Wealth Report conference discussed this topic.) And in a new report, entitled Family Offices and Cybersecurity, Citi Private Bank examines where family offices are vulnerable, advises them on how to be more robust and considers future implications. The report is written by Edward Marshall, a director in the global family office group at Citi Private Bank. FWR recently interviewed him.
In particular, Marshall talked about "ransomware" attacks and
their significance, which he described as the “latest iteration
of extortion”.
“This form of cybercrime denies a victim access to critical data and systems. It is often spread through phishing emails. Think of phishing as a form of social engineering where criminals pretend to be from a legitimate service provider (e.g. your email provider, a bank, a social media site). They try to get you to click on the link, sometimes ask you to fill out a form, and then you end up downloading a piece of malware. People also fall victim to “drive-by” downloading of malware where a victim visits an infected website and malware is downloaded and installed without their knowledge. After ransomware has been executed on a victim’s computer, the attacker responsible for the malware demands a ransom payment before allowing the victim to regain access to their systems and data,” he said.
“The actual ‘ransom’ demand comes on your screen after the malware has been installed, where the criminals demand a payment or they will delete or release information they control on your system. Cybercriminals will typically demand payment in cryptocurrency and often be thoughtful enough to provide instructions on how to set up digital currency accounts. After payment is made, the information is usually released; however, the payment mechanism makes it nearly impossible for law enforcement to trace where the money went,” he continued.
“Ransomware is not going away anytime soon. A wide scope of
industries have started to face ransomware attacks ranging from a
hotel that couldn’t create new key cards for its rooms, free
rides on public transportation because payment systems were
overrun, or a police station losing evidence that was stored
digitally. Moreover, individuals have also experienced ransomware
attacks in the form of attackers threatening to share
compromising pictures taken from an exploited laptop camera or
threats to post personal data online. Medical facilities have
been a common target of ransomware to date,” he said.
Marshall set out some eye-popping statistics. “There have been over 4,000 new ransomware attacks on any given day since January 1, 2016 - a 300 per cent increase over 2015,” he said, citing data from the FBI. In fact, he said, the FBI thinks that $209 million was lost in ransomware attacks during just the first three months of 2016, overtaking the $1.6 million total in losses reported to the FBI’s Internet Crime Complaint Center in 2015. “These figures are ransoms alone and don’t include costs associated with lost business or fixing the damage,” he continued.
Family offices are vulnerable because they are where the money
is. Family offices may think they are out of the firing line
because they are supposedly discreet, little-reported bodies:
what does Marshall think can be done to change that mind-set by
FOs?
“Many family offices have the ‘wealth’ commensurate with small and medium enterprises, but typically don’t put in place the same levels of security, making them lucrative targets for hackers. Unfortunately, the idea that only corporations and governments are at risk from cyberattacks is prevalent. This lack of preparation makes Family Offices an easier target when compared to other institutions or businesses,” he said. “I think Sun Tzu has a better quote than Mr Sutton that encapsulates the cybersecurity threat to family offices and preventative measures family offices should take: ‘Know the enemy and know yourself; in a hundred battles you will never be in peril’.
“However, looking at wealth alone as a predictor of cyberattack threats is myopic. Family offices face complex cybersecurity challenges because of informal governance structures, efficient service vs. effective security operating procedures, underinvestment in critical technology systems, heavy reliance on small staff with outsized access to critical data, security risks from external vendors (supply chain risk), and fame and publicity,” he said.
“Prominence often accompanies significant wealth and wealth
creation. This attention, whether desired or avoided, could make
the family office a target. Many single family offices are
notoriously private and do what they can to stay off the radar,
attempting to anonymize and protect the underlying family they
serve by choosing generic names and separate LLC entities.
Despite these efforts, wealthy individuals are easily identified
making them potentially lucrative targets for cyber criminals,”
Marshall continued.
The ransomware angle
“Early ransomware attacks mostly targeted individual consumers and seemed largely opportunistic. By 2016, however, attackers began to focus their efforts on both businesses and individuals, according to observations by the FBI. Herein lies the problem for family offices - they are financial institutions, private individuals with substantial wealth, and quite often the family members they serve are business owners/executives,” Marshall said.
“A number of factors may converge to bolster this trend. Family offices and businesses may have more money to spend to pay ransoms to unlock their data than a typical individual victim; be more willing to pay because the data is more valuable; be subject to legal obligations or privacy concerns to protect their data; or need to pay to perform critical operational functions. Moreover, because most ransoms are now paid using cryptocurrency, the transactions become very difficult or impossible for law enforcement to investigate after a ransom has been paid,” he said.
Action points
Marshall started by talking about prevention, which is a first
step for FOs. “Employee awareness and training efforts are a
critical first step to preventing ransomware, as employees who
can identify and properly handle phishing emails and other common
attack vectors that deliver ransomware can prevent many
ransomware infections,” he said. Examples of steps that people
can take include:
- Check the address: Did that email come from “@myvendor.com” or
“@myvend0r.com?” Check email addresses for accuracy and look for
anything suspicious, like improper formatting or misspelled
names;
- Avoid clicking on links: Avoid clicking links in email
altogether. If you must click the link, place your cursor over
the link before clicking and observe the destination URL at the
bottom left of your screen. When in doubt, Google the website you
need instead of clicking the link;
- Be wary of attachments: Never open attachments from senders you do not recognize. When you do know the sender, it is still wise to treat any attachment you didn’t request as suspicious;
- Do not conduct any personal business with your work email
address: Avoid situations in which you might be tempted to click
on emails related to issues like package delivery or other
personal matters.
If ransomware interacts with a system, family offices must be
sure that security best practices are followed to reduce the
chance it will penetrate a system. “Keeping your systems current
on updates and security patches, disabling macros in Microsoft
Office, and running antivirus software can help catch ransomware
that isn’t caught by your employees,” he said.
Another point, Marshall said – echoing comments from other
experts – is to regularly back up critical data. “Having a data
backup and recovery plan for all critical information renders the
extortionist’s demands ineffectual. This could entail keeping
copies of important files safe on an offline storage disk, or
having a clean version of your operating system handy in case the
machine itself becomes locked entirely.”
Marshall also urged family offices to get in touch quickly with professionals and law enforcement when trouble strikes, arguing that just paying a ransom will leave threats unresolved. There’s no guarantee that a ransom payment will prevent future threats.
Where are the weak links in the chain?
“Businesses globally continue to be impacted by a long-standing
scheme that exploits executive email accounts and email-based
invoicing procedures to execute fraudulent wire transfer payments
to foreign banks. This attack traditionally targets how your
business processes wire transfers and exploits vulnerabilities in
those procedures. As awareness is increasing among victims,
actors have recently focused on also compromising sensitive data
along with redirection of wires,” Marshall said.
“Victims have recently reported a new scenario which involves fraudulent requests from a compromised business executive’s email account to internal HR, finance or auditing staff to compromise W-2 data or employee Personally Identifiable Information (PII). These requests for PII may or may not occur along with a request for a fraudulent wire transfer. Law enforcement reports that victims have fallen for this data loss scenario, even if they were able to previously identify traditional incidents of attempted fraudulent wire transfers,” he said.
Marshall said that law enforcement and security researchers agree that the primary business email compromise (BEC) scenario involves the compromise of a senior executive’s corporate email account or the impersonation of a senior executive’s corporate email address. “An email appearing to be from the executive is sent to an individual who is responsible for processing wire transfers with a message to process the transaction immediately. This scenario relies upon executive-level authority to authorize such a transaction and conveys a sense of urgency so the employee will execute the fraudulent wire transfer without double checking the authenticity of the request,” he said.
Marshall has some other words of advice:
“Avoid using publicly-available email accounts for business
purposes. Entities with open-source email accounts are the most
targeted in BEC schemes as these accounts are easiest for the
attackers to access and impersonate,” he said.
Other points:
- Closely examine email addresses. Ensure that you check the
entire email address and do not rely upon shortened addresses
that some email providers substitute for the actual address –
e.g. JohnSmith instead of john.smith@gmail.com;
- The field following the @ sign in an email address is known as
the domain name. When using a corporate email account, consider
filtering email traffic to flag emails from domain names that are
similar, but not identical, to either your domain name or your
customer domain names. When possible, consider purchasing domain
names that are similar, but not identical, to your company name
to ensure these variations are not exploited for nefarious use –
e.g. a legitimate domain: company-a.com and a possible attacker
domain: company_a.com;
- For individuals in the company who have been previously
targeted, consider eliminating their ability to use the “Reply”
function in email transaction requests. Instead, rely upon a
secure list of addresses for contacts that are physically typed
in during every email exchange;
- Consider implementing procedures for verifying urgent or
confidential wire transfer orders to eliminate this often used
technique;
- Explore a second factor authentication method for receiving
internal wire transfer requests. This can be as simple as a phone
call or as sophisticated as a PIN system to authenticate the user
placing the wire transfer request. This will enable the payment
processor to authenticate if the transfer order comes from an
authorized requester or if the legitimate email account is being
used by an unauthorized user; and
- Closely monitor high value transactions, new trading partners,
new bank or account numbers, and transfers to any new countries.
Once thresholds are established, implement maker/checker
requirements to ensure anomalies are not overlooked in processing
wire transfer orders.
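The address checks in the two lists above (the “@myvend0r.com” homoglyph, the “company_a.com” separator swap, and flagging sender domains that are similar but not identical to your own or your customers’ domains) can be automated at the mail gateway. The following is an added example written for this page, not code from the Citi report or the article; the trusted-domain list and the From: headers are constructed, and the homoglyph table and the edit-distance threshold of one are assumptions.

```python
import email.utils

# Constructed trusted list standing in for the family office's own and customer domains.
TRUSTED_DOMAINS = {"company-a.com", "myvendor.com"}

# Assumed set of visually similar substitutions to fold before comparing
# ("myvend0r.com" -> "myvendor.com").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lowercase, fold homoglyphs and "rn"->"m", and drop separators so
    company_a.com and company-a.com compare equal to companya.com."""
    d = domain.lower().translate(HOMOGLYPHS).replace("rn", "m")
    return d.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches one dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Use the full address, not the display name some clients show instead."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (similar but not identical) or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t) or levenshtein(norm, normalize(t)) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real mailbox.
    for hdr in ["Accounts <billing@myvendor.com>", "Accounts <billing@myvend0r.com>",
                "John Smith <john.smith@company_a.com>", "John Smith <john.smith@gmail.com>"]:
        print(f"{classify_sender(hdr):9}  {hdr}")
```

A "lookalike" verdict is a reason to quarantine or flag the message for the out-of-band verification the list recommends, not proof of fraud, since the folding rules will also match some legitimate near-neighbour domains.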
FWR asked Marshall if turnover at family offices creates a
threat. “People are often the weakest link in the information
security system for a family office. The level of awareness on
information security threats and the proper ways to combat them
has great variability. Therefore, cybersecurity education should
be a key part of family planning and business operations
meetings,” he said.
Another simple way to help shore up cyber defenses is
through the creation of family office cybersecurity policies.
These policies can be derivations from parent companies that
created the wealth that are customized to the unique nature of
the family office. Policies should include recommendations on how
to prevent cyberattacks and what to do in case a breach is
detected.
Inevitably, FWR had to ask about the implications of social
networking. What is Citi Private Bank’s approach in the advice it
gives?
Because social networking sites (SNSs) are largely unmanaged by businesses, incredibly easy to use and globally scalable, they present both an unprecedented opportunity to businesses from a marketing, branding and customer engagement perspective and an unprecedented threat from a cybersecurity, brand risk and compliance perspective. Family offices face issues from SNSs both from staff at the family office and from family members themselves.
Often, family offices will downplay the risks stemming from SNSs
by discussing their infrequent low usage of SNSs. This opinion is
a form of cognitive bias and ignores several factors of
cyberattacks that originate on SNSs. Firstly, cyber criminals
that target businesses and family offices tend to work in complex
organized crime networks. These criminal networks write programs
that estimate your net worth based on largely publicly
available information and use highly sophisticated attack methods
to infect SNSs. Moreover, there is a market for the programs that
allow cyber criminals to conduct these SNS attacks. Secondly,
SNSs are becoming more effective at profiling users. This
profiling provides substantial demographic and net worth
information that can be used to target heads of families through
children, relatives, and staff.
Cyber insurance
“While cyber insurance is a burgeoning field for insurance
companies and corporation businesses, it can serve as another
potential line of defense for family offices. Insurance, at its
core, is a risk management tool and with an evolving threat
stemming from information security, Cyber Insurance presents an
opportunity for Family Offices to evaluate gaps and build
customized solutions,” Marshall said.
“Cyber Insurance requires an underwriting process and this is an aspect that Family Offices should explore as well. While actuarial data for cyber insurance is in its infancy compared to more established lines, underwriting practices are being improved as the size of the market grows, threats expand, and the attack data sets are analysed,” he said.
Finally, how can and should family offices work with other FOs on
security?
"These organizations will often jump at the chance to meet and
network with other family offices to share intelligence. This
data sharing is typically of the investment nature or concerning
next generation issues. Family offices would benefit from
expanding intelligence sharing to include cybersecurity issues.
As family offices become distinct and visible, numerous
conferences have emerged to cater to this group both in the US
and abroad. Family Offices should also consider adding
information security conferences to their annual circuit such as
the RSA Conference, Black Hat, SANS, Spooks and Suits, or
Infosecurity Europe," Marshall added.