Family Office Connections: Begin Your Conversation on Security Today
In this week’s Family Office Connections, we are joined by Tim Robinson, Partner at Schillings, to discuss our family office risk survey findings. Listen now as he covers the impact of underestimation of cyber risks, insider threats, and common themes when family office security is attacked.
Edward: Welcome to Family Office Connections. I'm Edward Marshall, managing director at Boston Private.
Today, we continue our series of discussions focused on the results of the Family Office Survey that we released recently. In that report, we asked over 200 family office executives to give us their thoughts on risk and threat matters that they face every single day. The results were illuminating, on one hand, answered many questions that we faced in the past, but also posed some new ones and provided some unexpected insights into the risk management characteristics and behaviors of family offices. These findings certainly opened some new areas to evaluate and present opportunities for families and the advisors to those families and family offices to address risk more effectively.
My guest today is Tim Robinson of Schillings. Tim, before we get started, do give us a little bit about your background and specifically around your experience working with family offices.
Tim: Thank you, Edward, and thank you for the invitation. It's a pleasure to be with you. Well, I'm a partner at Schillings, as you say, and just to explain, because it adds context to the way we have received and viewed the report, we are a fairly unusual organization, law firm by history, but now, multidisciplinary. And that means we've grouped together a strange cast of characters - lawyers, intelligence officers, cybersecurity specialists, and crisis management experts - from the military, law enforcement, and other organizations, to protect three assets: reputation, privacy, and security, because in our experience, those three are often linked in threats that one person can face, an organization can face, against one of those assets can affect the others.
I joined Schillings as a partner about five years ago, having had a full military career. I was a two-star general in the British Army. And I guess that means I bring into the organization some expertise in resolving conflicts dealing with very stressful situations and dealing with particularly sensitive problems, analyzing them, and making sure the solution improves the situation. It doesn't make it worse.
Edward: Well, thanks, Tim. Yeah, I think, you know, one of the things that we had discussed in terms of this white paper and the survey results itself was the aspect of...are these issues, you know, a North American or U.S.-centric or limited to that, or is there some universal truth that can be seen around the world? I know, from your purview, you certainly work with a lot of families in many different parts of the world, particularly in Europe. What are your thoughts on that based on the findings that we talked about?
Tim: Yeah. So just to pick up the kind of clients we have, I mean, our clientele, there are really four categories. The largest category are private individuals, including family businesses and the family offices that support them, so let's say unlisted companies, some of them can be enormous, but nonetheless, they're not public companies. Then there is a whole bunch of public companies and multinational listed companies. We have quite a large entertainment clientele, which is how the firm started actually, so the very high-profile people in that world. And then governments and they tend to be quite closely linked with the family businesses, actually, to complete the circle, because in some parts of the world, governments and the families, the ruling families, for example, that are couched as governments have their own family offices. So we have a very diverse clientele. And the family business part of it is probably the most significant, in terms of size.
And in linking that kind of perspective back to the report, I mean, what's striking to us is that although most of the families that took part in the survey are from North America, actually, if we had to come up with a list of issues, risks that threaten or concern family offices on every continent, it will be the same one. So it's a very comprehensive...we think it's a really strong report in terms of capturing the risks. We don't think there are any missing. And the findings broadly match what we would expect to see on other continents, with taking account of some cultural differences you might find.
Edward: Tim, one of the findings that we discussed earlier was around underestimating of cyber risks for family offices. How do you see that play out in the families that you work with?
Tim: Well, actually, underestimation, I think, is a big theme of the report for all the risks. There's this expression, I think, a culture of us underestimating risks, and you explain why it may be the case that...and it's not just family offices, to be honest...but why busy organizations with lots to do and not enough people to do it sometimes underestimate these risks, or don't want to think about them, or maybe don't even know about them. So I think underestimation is a theme across many of these risks.
In the case of cybersecurity, which is the one that, kind of, is possibly the most talked about because it's very public and keeps people awake at night, what jumped out at me actually is the fact that 26% of the family offices consulted had suffered a cyber-attack, which, I think, is, you know, probably only at the tip of the iceberg. I mean, I'd be more concerned about the balance, the rest of family offices, who either didn't want to ask the question or think they didn't...haven't had a cyber-attack. So that's the statistic, in some senses, you might think that's quite small and it is too small. You know, there will be many more family offices that have suffered an attack and don't know it.
So the big takeaway from that really is if you know you've experienced some sort of attempt to attack or actual hack or some sort of data breach, that implies you've got a system in place to know that. So you're, kind of, in a better place than all of those out there who consider going around saying, "We haven't had one," because it's unlikely that's the case. It means that their systems haven't picked it up.
Edward: Or it could also mean that the attack is a little more subtle. I think you bring up a really good point in terms of families that don't even know they've had some sort of a breach, whether it's in cyber, privacy, or other areas as part of it. I think, on one hand, it would be interesting, how do you begin that conversation with families to take a look at that more seriously? And then what are kinds of things that you're seeing on your end, when families do get attacked, what are some common themes in that?
Tim: Well, alertness is the key to this, really, because if you're...and this applies to many of the risks, you know, for example, the risk of an employee behaving dishonestly or something like that. You know, it's all about alertness. I mean, if you're not looking, then you won't see. If you're not listening, then you won't hear. So alertness is very important. And having a kind of risk mindset, which I think things like this report, should your family offices dig into it, is a great tool because it enhances alertness.
Then you have...you have to be very careful about the information you put out there. I mean because people think that hackers are, kind of, computer experts. I mean, they know a little bit about computers, but first and foremost, they're intelligence experts. They're good at gathering information, the actual act, technical act of hacking, pressing keys on a keyboard, is relatively simple. You can pick it up, you know, watching a YouTube video. The tricky bit is finding out how to do it, how to get in, what are the vulnerabilities. How do I convince somebody to click on this link? How do I convince somebody to let me in, essentially? It's about persuasion. And the persuasion comes from observing behaviors.
We reckon that the average hacker spends about 150 days inside someone's system before they do anything, which is pretty scary. I mean, that's a long time that they're in there, observing and gathering information, having got in already. So it's kind of a long game for many hackers. And they might put out lots of attempts and see which one delivers, because they're looking for relative weakness.
So if you put out information about who's doing your accounts, you know, then don't be surprised if someone uses that profile to maybe make an attempt to divert some funds away from your family office by intercepting an invoice or something because...and that's come from them being able to pick up this intelligence. So that's really important is to be very careful about how much information you publicly disclose, because it will be just used as intelligence to put together an attack.
And then the third ingredient, and which is the one that often people focus on, is actually testing your systems. You know, people will go out and pay a cybersecurity business to do a pen test or something like that, or run an attack against...to test the system. And that is also essential and is expensive. The problem is it's often done badly. People look for the cheapest option often and it's cheap for a reason. And you really need to get a good quality attempt to penetrate. You need to not put out information that could be used against you, and you need to know what sort of information that is, and you need to be alert and suspicious.
Edward: You raised some interesting points around, you know, misconceptions, you know. I can easily see how you're thinking of these attacks occurring from somebody in a hyper-technical expertise, but your thoughts on psychology and using that for individuals to try to gain access to computer systems or to families in general, I think, is an interesting point because it, kind of, leads me into the next finding that I wanted to discuss with you, and that's around insider threats and the risks that come from the actual individuals in the family office. I think most of the time, when people hear insider threat, and they're not familiar with that term, they're thinking of somebody acting, you know, in a malicious manner. But oftentimes, those can be, you know, unwitting individuals. What are your thoughts, based on your experience of working with families, on insider threat risks?
Tim: Yeah. So just bridging from your...the way you summarized the last question and talked about psychology. I mean, we use the term social engineering to, sort of, understand the organization that somebody might want to attack. And it's the same, not just for a hacker, but also maybe a journalist who wants to run a story on a family. You know, there's a bit of psychology in all of this, studying people and their motivations.
Just a little interesting anecdote to bridge to the idea of the, sort of, way people behave inside organizations. You know, we have run many penetration testing exercises or attempts to, sort of...you know, ethical hacking, white hacking, it's sometimes called, to test companies and people's systems. And it amazes me how these guys in our team who do this, they come up with some very devious ways of convincing people to, you know, let them into the system. And in one case, they sent around a bogus bonus document, which told everybody in the organization...it would tell them what the bonuses were going to be for that year. And, you know, you might think that that would encourage people to click on that link to see the document, they got an error, and that would let them in. But actually, that wasn't really the pitch. The pitch was to then follow up that email very quickly with one saying, "You've been sent this in error, please delete it by clicking on this link." And a significant number of people clicked on that link. In other words, they were appealing to the...what they'd observed as the basic decency and honesty of the people in the organization, not that they might try and get access to information. So pretty dark, kind of, way of studying behavior.
Now, I think linking that into insider threat, another...this caught my eye in reading the report was that the very high percentages of family offices who did no due diligence at all into new hires or just did it at the beginning and didn't do it on a repeat basis, and also quite a high proportion that didn't really do any due diligence into vendors, third-party providers, where they're carrying a really big risk. I mean, we found, over 36 years of doing all kinds of work, that somewhere around 93% of all of the reputation, privacy, and security problems that we deal with have somewhere in the mix an insider of some type. So that's a very high proportion. And we're always looking for that link and the fact that a lot of family offices, according to your surveys, you know, not protecting themselves against that is quite alarming.
And this isn't because, you know, everybody's bad and you're going to be suspicious of everybody, but because you just really need to know who you're dealing with. And that applies not just to employees in the family office, and some of those family offices are quite small, so it's difficult checking everybody in a big corporation, but it also applies actually to family members. I mean, one of the other risks you've identified is, you know, which is perhaps the most sensitive one is, you know, disputes or falling out within families, between generations. But also, what about someone marrying into a family whose motives might be suspect, and that's a very sensitive area in which to conduct due diligence.
But certainly with providers from outside, from employees, people joining the family household, domestic staff, particularly heads of security, you know, all of the personal assistants, all of these people sit, no matter how senior they are, no matter how much they...how well paid they are, they sit in sensitive positions and if their motives are wrong or they're in trouble themselves, or they're blackmailed or approached, you've got to be clear on whether you can rely on them or not. And that means checking out where they've come from and really understanding who it is that you're bringing in to...essentially bringing into your home and certainly into your bank accounts.
Edward: You know, certainly, from your position as a former senior government official, I mean, you were entrusted with, you know, a trusted status and that involved, I'm sure, some background checks that were part of that. How do you work with family offices to convince them that, you know, periodic evaluations may be necessary, when it sounds like it's counter to the culture, at least for the families that we encountered in this survey?
Tim: Well, I think that top one is probably to make it not counter to the culture, you know, to accept it, perhaps to look at it in a different way, which involves, you know, people, I may, I suppose, laying it out differently and trying to be persuasive about looking at it differently. I mean, my point would be when you hire people or when people come into families through marriage, or, you know, whatever, or you're going into a joint venture with somebody, you're going to buy a business, I mean, you're basically putting your name and your money on the line. And just as you would expect to carry out, sort of, financial due diligence on an acquisition or a purchase, or you would satisfy yourself by looking at reviews before buying even the most basic item, why would you not do that with people? And it can be done in an ethical and transparent way. I mean, if someone's got a problem with what you're doing, then that's a bit of a red flag in itself.
So I think you just got to... You know, it's a conversation like the one we're having, where you just demystify it, highlight it as being just a statistical probability that family offices and families of means and influence and power and profile will experience a problem generated by some sort of insider. And I mean, there's a group of insiders we haven't talked about, like deliberate infiltration, you know, an undercover journalist joining an organization or someone involved in industrial espionage, competitive type of infiltration. So there's that, those are in the mix as well. And it might not necessarily be in the family office per se, if they're a fairly small team, but it might be in one of the companies, which can cause the same sort of problems.
So in summary, I think, they have to be aware of the likelihood that there's going to be this kind of problem, be...sleep easy at night by knowing exactly who they've got on board, which is a fairly simple process and absolutely a fraction of the cost of dealing with the fallout if it goes wrong.
Edward: Thank you, Tim. I really appreciate you joining me today and for Schillings, for partnering with us on this podcast today. To the folks that are listening, if you'd like to get in touch with Tim or if you have any questions, do send an email to [email protected]
I'd also recommend that you check out our website. You can find numerous resources, including the paper that Tim and I had discussed, and sign up for our newsletter, get this podcast, and much, much more directly, right in your inbox. That website is bostonprivate.com/familyoffice. And be sure to subscribe to this podcast on Apple, Spotify, or wherever you prefer to listen.
That's it for today. Check back for our podcast next week. Bye, everybody.
Woman: This podcast is solely for informational purposes and is not a solicitation or an offer to buy any security or instrument or to participate in any trading strategy. The opinions expressed and information contained in this podcast are given in good faith, may be subject to change without notice, and are as of the date issued. All sourced information is believed to be reliable but has not been independently verified. This podcast discusses general market activity, industry, or sector trends, or other broad-based economic, market, or political conditions and should not be construed as personalized investment advice.
The following does not represent a complete analysis of every material fact with respect to the topics covered herein. All investments carry a risk of loss. Neither BPW nor its investment professionals or representatives provide tax, accounting, or legal advice. Listeners should review any planned financial transactions or arrangements that may have tax, accounting, or legal implications with their advisors.
For additional information about us, please refer to our Form ADV disclosure brochure, which may be obtained by contacting us at 800-422-6172 or [email protected] Private banking and trust services are offered through Boston Private Bank & Trust Company, a Massachusetts-chartered trust company. Wealth management services are offered through Boston Private Wealth LLC, an SEC-registered investment advisor and wholly owned subsidiary of Boston Private Bank & Trust Company. Boston Private Bank is an FDIC member and equal housing lender. Investments are not FDIC insured, not bank guaranteed, and may lose value.