FOs also carry data privacy risks: when private family information and correspondence are stolen or leaked, the result can be serious reputational damage and a risk of litigation. With only a handful of employees, FOs have limited tools and talent to monitor and ensure the data privacy of the principals. Even when they invest in leading-class cybersecurity technology, too often they take a “set it and forget it” posture. The systems are doing what they are supposed to do, but FOs lack the in-house expertise to monitor and act on what the systems are telling them.
An FO sometimes sits within the FE so it can leverage the resources of the larger organization. However, that model puts private family information in the same systems as FE business information, where it is subject to additional threats from inside and outside the FE.
Cybersecurity steps for FEs and FOs in the short and long term
The good news is that there are steps FEs and FOs can take to protect their firms and families in order to lower these risks. “Those organizations that really push for that proactive involvement of cybersecurity are going to see very significant business benefits in both the near term and the long term,” says Dave Burg, EY Americas Cybersecurity Leader. This will require both immediate steps and a long-term change of approach.
In the short term, to fend off the increase in cyber attacks brought on by the pandemic, FEs and FOs should:
- Make and keep an inventory of all routers and devices, and sensitive data on them, including those used in family members’ homes
- Maintain these devices with updated antivirus and firewall software; keep all software current and assess them for vulnerabilities at least annually
- Use email encryption tools for any confidential messages and ask clients to validate any new account openings, credit requests and similar activity
- Monitor (or use an external firm to monitor) all networks 24 hours a day for signs of an intrusion, and shut them down if there is an attack
- Store backups offsite or in a secure cloud repository
- Conduct financial and criminal background checks on new staff and vendors and annually thereafter
- Create a cybersecurity policy that includes connected devices, passwords, multifactor authentication, social media and payment authorization steps
In the longer term, FEs and FOs need to change the way they look at cybersecurity. Recognize that breaches and social media threats will happen, and the job of the FE and FO is to respond effectively and minimize the damage.
Work closely with principals, their families and employees to:
- Identify the scenarios that would impact them most, their risk tolerances and their pain points
- Analyze the most likely scenarios and rate the risk level for each
- Customize a good controls framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to the organization in order to measure and mitigate risk to an acceptable level
- Explore, create and — most importantly — test business continuity and incident response plans regularly
- Continually educate all principals, family members and their households on the importance of adhering to these controls and the risks they face if they don’t
Protecting the legacy
Family firms need to protect their names, their brands and the organizations they have built over generations. Failure to do so can be catastrophic, but with the right approach, security technologies and control structures can help them protect their legacies for years to come.