How family offices can maximize the upside of tech and minimize risk

A recent Wharton survey highlights fears in this fast-evolving era. Cybersecurity is vital — but it must be a facet of a broader strategy.


In brief
  • Consider technology in three areas: hardware, software and cybersecurity. An overarching strategy informs how to consider them so that you achieve your goals.
  • Where are your priorities? Mitigating risk often comes with inefficiencies, so trying to protect everything rigidly can be unfeasible and unwarranted.
  • Don’t lose sight of basic tech hygiene among your employees, and don’t overlook third-party risks, such as through software vendors.

Ernst & Young LLP (EY US) and the Wharton Global Family Alliance (Wharton GFA), a world-leading research forum created by the Wharton School of the University of Pennsylvania and the CCC Alliance, formed a three-year collaboration to advance knowledge on issues and trends impacting multigenerational family businesses and their offices. This article is an output of the collaboration and represents EY US’ views on the findings of the 2022 Family Office Benchmarking Report by the Wharton GFA.

Only 20% of family offices describe their enterprise data cybersecurity as resilient, while 50% believe that a data breach would be at least somewhat costly, according to the recent Wharton GFA benchmarking report — a sobering reminder of how technology, so key to unlocking future growth, also can open the door to ever-evolving cyber threats and new forms of risk. How can family offices respond with confidence, particularly when many of them have lean staffs targeted toward other critical tasks?

It’s important to understand that three topics often blur together under the banner of “technology”: hardware such as laptops and networks, the software and applications you run on that hardware, and the cybersecurity that protects it all. Together, the three act as legs of a stool, providing the balance to turn modern-day strategies into action — but they each require distinct expertise and frameworks, encompassing different vendors.

 

“Family offices must approach technology with an understanding of the interplay between these three facets, guided by an overarching vision,” said Bobby Stover, EY Americas Family Enterprise and Family Office Leader. “In technology, the consequences of inaction can be steep, yet a lack of clarity about what exactly you are hoping to achieve can be just as costly.” For instance, one family office developed a custom technology application to address operational needs — yet its internal server design rendered its performance (and therefore user adoption) lower than anticipated.

 

Specifically within the cybersecurity realm, the Wharton GFA survey reveals that information security and cyber risks are among the top three challenges that respondents cite in delivering holistic risk management to family members. And today’s landscape is fraught with risk: in the EY 2023 Global Cybersecurity Leadership Insights Study, organizations said they face an average of 44 significant cyber incidents a year, and 75% of respondents say it takes six months or longer on average to detect and respond to an incident. In the past five years, the known number of cyber attacks has surged about 75%.¹ Fallout from a cyber event includes:

 

The bottom line: Any piece of information should be treated as an asset, so you should define which assets are high value and protect them accordingly. Not everything can be high value, because the resulting controls would hamstring your family office — as the EY cybersecurity survey noted, about half of respondents say they struggle to balance security and innovation speed. Is it general ledger data? Family member addresses? When you decide, you can put the proper protocols and controls in place.

With so much at stake, here’s what family offices need to know about guarding against the downside of different types of technology.

Chapter 1

A big challenge for few staff members

Shorthanded family offices must strike the right balance between owning an overarching strategy and complementing it with outsourced assistance.

On average, family offices in the Wharton GFA survey employ 4.6 IT professionals, but among those IT professionals, fewer than one is a cybersecurity specialist. “Most survey respondents rely on specialist and consulting firms rather than in-house staff, although there is about an even split between those who have both,” noted Raphael (“Raffi”) Amit, the Marie and Joseph Malone Professor and a Professor of Management at the Wharton School and co-founder and Chairman of the Wharton GFA, who led the survey.

Who provides your IT services?

The IT professionals employed by family offices are typically best suited to set the overall strategic direction of technology for the office and the family. Someone with a vision of the overall hardware and software needs and the resulting cybersecurity posture should sit at the center — one person should own that strategy, informed by the unique needs and goals of your family office. Separately, internal resources are useful for providing help desk support (such as in device management) and managing applications and vendors.

 

More technical items, like cybersecurity and network management, are generally best outsourced to teams that are up to date with today’s landscape of cyber threats and mitigating technologies and that have sufficient resources. At the tactical level, threat actors’ techniques and tools are continually evolving along with the enterprise technologies they seek to exploit. But short-staffed family offices can be left in the dark regarding both the downsides and the upsides, highlighting the need for managed services from established players. For instance, providers of managed services can have a better grasp of developments related to AI (including generative AI). This emerging technology is both a threat to mitigate and a must-have tool that can boost productivity in different domains of security operations: AI can solve for missing data points in technologies, facilitate cross-technology data analysis, and make accurate predictions on the threats an organization will face.

 

Fewer than half of family offices carry cybersecurity insurance despite the potential costs associated with a data breach, the Wharton GFA survey shows. Like other forms of insurance, it should be carefully considered to understand what it covers and what it doesn’t within your context, but note that the fallout of being left without it can be steep. Such insurance also mandates annual compliance testing to stay valid.

Chapter 2

Defenses beyond your network

More broadly, security is everyone’s responsibility, not just within IT, and not just focused on hardware.

Family offices must focus on the human element that makes them vulnerable and the internal controls and policies that encourage a better security posture. Multiple studies affirm that human error is the source of at least 80% of breaches,² emphasizing how security is a people issue as much as a tech issue.

What areas are you evaluating in determining your cybersecurity protocols?

The chart above shows that some family offices recognize the importance of security awareness training among their many priorities. But overall the levels are quite low, a finding reaffirmed by an EY survey from 2022, which found that less than a third of single family offices have cyber training for employees or family members. However, in a separate EY survey of CISOs and C-suite members from 2023, only half of cybersecurity leaders say their cyber training is effective, and just 36% are satisfied with non-IT adoption of leading practices. You can turn to external partners for such training, which can cover topics such as how to identify phishing emails (including simulations) as well as general education and awareness.

Family offices should also consider important internal controls such as:

  • Alternatives to email. Family offices are lucrative targets for cyber criminals, because their security measures and overall tech infrastructure are often less sophisticated, as the Wharton GFA survey reaffirms. They rely heavily on email (93%) to send personal information; over 90% report that this information includes detailed investment data, and 70% say it includes details such as the family members’ total wealth, tax positions, political donations and more. Define clear privacy policies to set standards for data collection, usage, sharing and retention, and grant access to sensitive data only to those who need it to perform their job functions. Making information available via a website or intranet site (used by only 31% of family offices in the Wharton GFA survey) can reduce the risk that private emails are sent directly or forwarded to recipients who could inflict harm.
  • Password vaults. Many employees are still writing their passwords down on slips of paper that can be easily found, or they don’t change their passwords at all. And research shows that passwords in which letters are replaced with numbers are actually easier for computers to crack than if you were to use random, simple words run together. Today, password vaults offer an easy solution that is not onerous on employees yet is still secure. And when was the last time you changed your office Wi-Fi password?
  • Software search and selection. Some prominent cyber attacks targeted software vendors and, through patches, installed malware onto the systems that run their applications. As part of search and selection, family offices should ensure that the cyber postures of vendors are vetted, involving scrutiny of policies, procedures and SOC reports, typically performed by a third party.

Summary 

A recent survey by the Wharton Global Family Alliance, sponsored by EY US, reveals warning signs about how family offices approach technology risk in an evolving era, specifically cyber risk. Such problems include limited staff and outmoded processes, making them a target for cyber criminals. Leading practices indicate that these offices should assign an internal resource to own and oversee the overall technological strategy, complemented with managed services, while ensuring continuous training and enforcing proactive processes on email, passwords and software due diligence.
