As a high or ultra-high net worth client, your biggest risk might be the professional advisors you rely on day to day. Why? Because however discreet they are in person, their digital avatars could be telegraphing your secrets across the world. The industry needs to solve this, but there is only one way that’s going to happen.
I did an informal poll of my peers in the financial services and legal industries this week. I asked dozens of them (outside of Boston) what they thought the top issues are when private clients choose a professional services firm, such as a lawyer, accountant, or commercial family office. Despite the WannaCry ransomware having been all over the news for several days prior to asking, not one of them mentioned cybersecurity in the top five. When I asked the same question of my peers in the IT industry, it never left the top three.
The discrepancy is telling. The big issue is that most professional service firms are still run by people who are not digital natives, meaning they don’t see the world through a digital lens. These are people who double lock the filing cabinet before leaving the office, yet use the same password (it’s six characters long, and the name of their favourite cat) for all 36 of their online logins. These people are the prey in an increasingly hostile digital world they are barely aware of, in which the highly-evolved predators have an enormous advantage. The problem for you as a client is that in today’s highly-regulated market of intense due-diligence screening, those soon-to-be-made-extinct professionals are carrying the keys to your wealth, your reputation, and your very identity.
Let me outline the extent of the threat. Whereas the average person might have to worry about mass-produced malware using a spray-and-pray approach, the UHNW individual and his or her service providers offer a tempting mark for targeted, customised attacks. Depending on the individual’s wealth or influence profile, these could come from sophisticated gangs, well-funded and unscrupulous industrial rivals, or potentially even state-sponsored cyber-hit-squads. If you’re being driven in a stretch limo in Chelsea, you’re probably OK; doing the same thing in Lagos, however, you had better have a good physical security detail – everyone understands that, right? What digital natives know, which their elders may not, is that the borders between secure and insecure regions of the digital world are far less well defined, so security has to be a constant rather than something switched on for dangerous neighbourhoods.
I can use my own experiences as proof of this. The Boston Multi Family Office network, for which I’m responsible, is assailed hourly by parties looking to gain access to the confidential information we hold on clients and the wealth that information can access. Without going into details that might compromise our defences, I can say that it takes 24-hour monitoring of a complex system, plus a significant continuous investment well above industry averages for companies our size, to keep those malicious actors out with the level of certainty our exclusive client-base demands.
We do this, yet it has never won Boston a client it wouldn’t otherwise have won, and therein lies the tragedy. When UHNWIs, family offices, and their representatives are choosing a provider to handle their affairs in a fiduciary relationship, cybersecurity needs to be one of the things that makes or breaks the deal. Whether you can trust their computer network is as important as whether you can trust them as individuals. Ultimately, this is the only way the industry will change: when clients start demanding top-tier cybersecurity as the entry price of even getting to present a proposal, let alone win the business.
That is not yet the case, and the results are tangible. We are a boutique provider, focusing more on quality than size. We’re nevertheless fortunate to have a Group CEO who is a digital native, which has led to our building an incredibly robust international data network. In contrast, the majority of corporate service providers our size do not even have a properly qualified IT manager, let alone a board-level security officer. Many multi-national providers with many times our headcount still operate wildly out-of-date systems with significant vulnerabilities. Mossack Fonseca is a perfect example: that loss of data was entirely avoidable; security simply wasn’t a business priority.
Change will be difficult. Many UHNWIs and family office principals are themselves not digital natives. For them, it can be difficult to separate those who talk a big game from those with genuinely impressive security: the language can be impenetrable for those who aren’t steeped in it. There are some international standards and accreditations that carry weight, but they are necessarily static, point-in-time assessment protocols and have trouble capturing the fluidity of a good cybersecurity defence, so they aren’t a foolproof method for finding a good provider.
To me, the best rule of thumb is to look at the people. How many IT and security staff do they have? How senior are they and what weight do they carry in the organisation? Are you talking directly to a senior IT or cybersecurity specialist, or are you listening to salespeople regurgitate jargon they don’t understand? Perhaps most importantly, did they bring up cybersecurity, or did you have to? If they aren’t selling their security as a feature, it probably isn’t worth selling.
In summary, change has to be driven by clients who more carefully vet their providers, because money talks. So let’s build a secure industry, one sensible purchase at a time. If after reading this you’d like to discuss your next sensible purchase of a secure family office service with me and my colleagues, so much the better!