A US wealth management firm has produced a major White Paper which scrutinises the mass of risks family offices face, and examines how well, or not, these organisations fare in tackling hazards such as cyberhackers, rogue staff, business disruptions and reputational damage.
(An earlier version of this story was published last Friday on Family Wealth Report, sister news service to this one. The lessons here are surely global, and not just confined to the US.)
Single and multi-family offices have “worrying” approaches to risks such as cybersecurity threats, family management issues, investments and employees, according to a White Paper from Boston Private.
The US wealth management firm argues that a change in mindset is needed at many family offices, which either underestimate threats (47 per cent) or are complacent about risks (41 per cent). Limited staff and a focus on cost and convenience are other barriers to improved risk management, the firm’s study said.
The 38-page study is entitled Surveying The Risk and Threat Landscape To Family Offices. The report, which was produced in association with The Chertoff Group, Dentons, McNally Capital and Datatribe, drew on an online survey with more than 200 executives at single and multi-family offices, mostly in the US. The study calls for actions including risk checks that should be done at least once a year; background checks on all staff; measuring insurable risk exposures; and regular staff training.
“The survey findings clearly show how a dangerous combination of limited resources and poor attitudes could expose family offices in terms of risk management,” the White Paper said. “These challenges add to the worrying picture of a lax and complacent approach to risk management, and a lack of staff and other resources that are needed.”
Among other findings, the report said that 26 per cent of surveyed executives said their firms have suffered a cyberattack. In almost two-thirds of these cases, the attack happened in the past 12 months. Smaller and newer FOs underestimate the chance of an attack and the potential impact of such breaches. Older and larger offices are more likely to have put protections in place (60 per cent versus 31 per cent for newer organisations).
The study has been released at a time when risks faced by family offices and wealth management firms have been put under a harsh spotlight by COVID-19 and the associated disruptions to business and family life. Remote working has created new risks for data security, staff wellbeing, travel and overseeing employees. In view of this, this news service is also charting how the sector is handling a range of risks.
Some 29 per cent of offices did not have a business continuity plan in place before the COVID-19 pandemic and 27 per cent said putting secure remote working protocols in place is a top risk management challenge.
More than half (58 per cent) of family offices have trained employees and family members on risks, but only 28 per cent have carried out stress tests or scenario analysis to support training and planning. Some 81 per cent don’t carry out periodic background checks on all personnel, with 68 per cent only doing this when staff are first hired. More than a third (35 per cent) of offices say getting a good external risk and threat management vendor is difficult; some 28 per cent of FOs have never conducted a review of risks posed by using a third-party vendor.
On the investment side, the main risk focus for family offices is mitigating “tail risk” (the chances of a supposedly unlikely threat to client assets).
Elsewhere, international travel and health advisory risks are neglected by a big majority – only 16 per cent of family offices use medical advisory services.
On page 7 of the paper, for example, the report spells out a cluster of risks that family offices should have in mind: property damage; disclosure of sensitive information; health matters/death; business disruption; identity theft; kidnapping/stalking; workplace violence; regulatory penalties/lawsuits; loss of investments; financial/liquidity issues; tech/operational failure; crises/damage to reputation; burglary/robbery; fraud/embezzlement; theft of intellectual property; and assault.
It is a struggle convincing cost-conscious family offices of the benefits of tightening their processes.
“Family offices face the challenge that there is little or no ROI on proving a negative from what-if scenarios. For every dollar spent in other parts of an FO or organisation, security many times is overlooked because it cannot be measured until a problem occurs. At that point, it’s too late. Remediation and incident response could cost orders of magnitude higher compared to being proactive and being ready with an effective defensive risk and threat management game,” Jeremy King, of the organisation Benchmark, was quoted in the White Paper as saying.
On the subject of cyberattacks, several family office figures said they’d been hacked and gave examples. One FO executive was quoted as saying: “We have had several unsuccessful attempts by outside parties to pose as employees and have us wire money to them.”
Another was quoted as saying: “We experienced a sophisticated cyberattack from hackers based overseas. They accessed family office data through a server we shared with the operating company, which was also hacked. The hackers wanted us to pay a ransom, or they would release confidential information to cybercriminals. We refused to pay a ransom and stopped the security breach.”