Kyle MacDonald: A very warm welcome, everyone. I’m Kyle MacDonald, a project leader and venture builder at BCGX who, in his private life, spent eight years in family offices. Today, I’ll be your host of Simple’s webinar on family office security and risk management. To those of you joining us for the first time, Simple powers the next generation of family offices through end-to-end products and services that make the family office journey straightforward to access actionable insights and solutions. From today’s webinar, you can access Simple’s Family Office Security and Risk Report by heading over to our website at www.andsimple.co or by scanning the Simple QR code in that corner over there. Joining me today on the panel, we have three esteemed guests.
There’s going to be a fascinating conversation that unpacks everything to do with risk and, ultimately, security for family offices. The first of whom is Edward Marshall. Edward is a well-known family office insider, advisor, strategist and author. He’s also the founder and CEO of Prestige Global, an intelligence-powered risk and business advisory firm. Prestige helps clients overcome complex challenges, improves performance, and manages risk. It is also a trusted partner for CEOs, boards, family offices, and investors. Edward also co-led the Ultra High Net Worth Institute’s Family Office initiatives and co-authored the book The Family: A Comprehensive Guide for Advisors, Practitioners and Students. So we’re in good hands.
Next is Kate Bright. So Kate is the CEO and founder of Umbra. So that’s spelt U M B R A International Group, a chartered security professional with over 27 years of private client-facing experience in the private and family office sector. Kate is a speaker on the topic of Invisible Security, and under Kate’s leadership, UMBRA has grown into a security concierge and secure lifestyle services business for private clients and family offices working across generations of international clients and families in the UK and far beyond. Welcome, Kate. And then, finally but definitely not least, is Scott Ogenbaum. I’m sure that’s not the first time. Excuse my dyslexia. It’ll play out throughout this session today. So Scott is a retired FBI agent and the author of The Secret to Cybersecurity: A Simple Plan to Protect your Family and Businesses from Cybercrime. He is a keynote speaker and a cybercrime prevention trainer, frequently appearing on major cable networks.
In fact, he was just on one about five minutes before this call as a special contributor on Cybercrime. So, Scott’s passion projects focus on teaching children and seniors how to reduce their chances of becoming the next cybercrime victim. So, as you can see, today, we have a fantastic panel to unpack some meaningful options. If you have any questions during this fireside chat, please feel free to drop them in the chat. We’ll try to respond to them throughout the conversation as we go. So, really, the aim of today’s session is to explore the landscape of how security and risk play out and how family offices should think about mitigating this. A little bit of the agenda. We’re going to look at the state of risk today.
We’re going to be looking at areas of risk that the family office should be considering, how to go about managing them, how to think about key service providers and really the state of risk and security today and where it might be heading in the future. So perhaps without further ado, I’ll sort of pass over my first question, which let’s start with Kate. So, if you wouldn’t mind talking through some of the macro shifts that you see driving risk and security today for family offices.
Kate Bright: Thanks, Kyle, and thanks, Simple team, for having me on today with my esteemed colleagues. I think I always preface anything that I say within the family office community that I was sitting on the other side of the table not even 10 years ago. And so I think if I look at 2013-2024 as the sort of the guiding principle. I was working in a single-family office, and we did not have the post-pandemic, European-wise, post-Brexit shift at that time. And as we’ve already said, you know, let’s not sort of dwell on geopolitics, but the time we live in is so complex.
And I think when you look at the world from the lens of things getting more dangerous, not less, you then couple that with the wealth trends that certainly I’ve seen since leaving the last sort of single-family office that I worked in. We’ve got a plethora of risks that didn’t exist. And I love talking about invisible security, invisible risk. And I’ll leave it to Scott to talk through specifically from cyber and digital. But I think again, going back to the former, I would have dealt with things in silos, and now I think things have become a lot more complex and a lot more, a lot less simple.
Although I know part of the mantra today, not least of which is the Simple mantra, which is making security simple, I think we are dealing with the macro and micro shifts that we’ve seen. What are you meant to do if you are the end-user client? How are you meant to navigate a space that is so complex? Our Umbra four-pillar approach tries to give some clarity on that chaos. But I think the way that we work, the way we exist, the way we travel, and the way that from a family office perspective is all managed. I think it’s a different world from ten, even five years ago.
Kyle MacDonald: Brilliant. Thank you, Kate. And I think maybe this is a question. Let’s point this one towards you, Edward. You know, if we think about a family office, there are two sides to it. One is obviously, naturally, as we hope would be the focus, the family itself. Ultra-high net-worth families are facing increased risk and exposure. But family offices themselves, you know, are exposed and, ultimately, prone to being targeted these days as well. How is that changing? Yeah, over to you.
Edward Marshall: Sure. I think in terms of the risks that families are facing, it’s kind of three areas that I would focus on. The first is an industry and a group that looks at families as a one-size-fits-all type of situation. The other is the nature of family offices themselves. Then, there are issues with security and risk vendor mismatch with family offices. I mean, in terms of one size fits all, I think you can’t. It becomes incredibly difficult for families to manage their risk with a one-stop solution or with one thing that comes out of the box. For them, it’s got to be bespoke because of the issues that they face. The vendors and the families have to have that agreement. It’s just like being able to fly an aeroplane.
Yes, every pilot flies with a checklist. But I certainly don’t want to be with the pilot who’s just flying or somebody who has a checklist and can fly that particular aircraft. Pick your analogy there. But I think that bespoke nature is something that’s challenging because family offices have things in common. However, families are different for a number of reasons. Multigenerational, all these other things. Family offices also tend to be finite in nature. If there’s a death in the family, something changes. It might not exist versus a corporation or an investment fund or something else that has needs and risks, needs that could well last past the founder or the CEO and things of that nature. The family office has to be adaptable to that. Those are just some of the issues that are there.
And then, when you talk about the nature of family offices, what makes them risky in particular? To go back to your question, it is really around the nature of family offices, but it’s not just about the money; it’s not about the wealth. I think that just focusing on the wealth portion is myopic. It’s too much on the Willie Sutton effect and not going at other issues that come up when dealing with families and family offices. There is a lack of resources that many family offices have to be able to source, as well as staff security elements and risk and threat elements inside of them. It’s not that they have outsized needs around those issues, but you know, the affordability is not there to bring in a complete security team. So, how do you find the right balance between all of that?
There’s a lack of and a focus on efficiency and putting out fires. Always it doesn’t matter the size of the family office. There’s always a notion of feeling that you’re putting out fires and looking backwards instead of looking forward and being focused on efficiency for the convenience of the principals versus effective security. That trade-off is challenging and results in some of the issues that we see out there. And then, you know, just a lack of understanding of the nature of the threats, where they come from and how they’re all interconnected. You know, if you have a particular hammer in the risk or threat world, you’re going to look at those. You tend to look at the world as those types of nails.
And I think with the risks that we’re seeing today, there’s definitely a need for understanding to put all of those from there. And then, vendors, it’s a challenge for these families to pick what excellent looks like based on their vendor selection. How do you pick what’s good? How do you avoid the fear, doom and gloom around risk and go from there?
Kyle MacDonald: Yeah, perfect. I promise I will get to you shortly, Scott. But I might ask Kate this question. So thinking a little bit about families today, particularly those who have family offices at a global scale. These families are global and they’re multigenerational. How should they think about when’s the right time to begin to consider approaching managing their risk?
Kate Bright: So I mean, there’s no time like the present. The number of conversations that we’re having, the increasing number of conversations that start along the lines of tell me what I don’t know is really encouraging. But it’s still not enough. And I think the unknowns that we face today need a risk owner within a family office to be so multi-talented and have so many different skills that, to Edward’s point, you know you’re having to outsource, insource and work out which of the risk pillars and areas you want to actually hire in versus contract. So, I think the question is, when do you start thinking about risk? It’s got, from my perspective, 90%, which is Scott. I’ll let him come on to talking about it, you know, from a cybersecurity lens. 90%, 80% of the majority of the things that we are dealing with in a reactive fast state are not only expensive and stressful but entirely mitigable.
So, you know, this idea of a proactive posture just keeps it simple for me again. And picking up on what Edward said about using the magic word checklist, I do believe that there is a way that, particularly as the former family office executive, you can cut through the noise of looking backwards by presenting security as a cost-efficient and also a part of business as usual. And I think if you are able to, and this is the key point, have the right vendors, I totally agree. But the right internal process and the right people are managing it.
From personal experience, when we’re working with a family office team that has had this dumped on their to-do list, there’s a different kind of outcome as opposed to where it’s top to bottom, from the principal right through to the family office executive. There’s a real desire to tell me what I don’t know. Living in that growth mindset is where we have the best results with our clients.
Kyle MacDonald: Brilliant. And Scott, so many of our lives are lived so digitally these days. We kind of live in this parallel world. Right. It’d be really fascinating to hear a little bit about it from the other side of the veil. You know, how are families sort of managing this digital side of what it is that has everything to do with risk?
Scott Ogenbaum: I think everything’s been thrown on us so quickly that it becomes completely overwhelming. You know, I had an amazing 30-year career with the FBI and spent the majority of my time on the investigation and response to cybercrime victimisations. And let me tell you what I’ve learned. And this is not from reading books or watching movies. This is living in this. After dealing with a thousand victims, I’ve come up with what I call the four truths about cybersecurity. We’ll walk through each one, and here’s what they are. None of my victims ever expected to be victims. Why would anyone want to target me? This is what I always heard time and time again. When I dealt with these victims, they were always caught off guard.
Now it’s one thing when it’s your business, you know, it’s another thing when it’s your elderly parents or your kids who were hurt, but nobody ever thought it was them. And then when I would sit with individuals, I would say to them, ‘Hey, are you taking this threat seriously?’ The number one response was, oh, yeah, I got my IT guy handling it. And that’s always really not the answer you want to hear. Because what we’re going to unpack is we’re looking for a magic pill for what I like to call a people problem, a business process problem. So I want you to imagine for a second that your family office has been victimised. I’ve seen it all. Ransomware, identity theft. I just had one family member who was taken into a romance cryptocurrency scam for $5.8 million.
They got him outside of the safety and security of the infrastructure which was built within the family office. And just imagine if this happens to you. And the thing I want to tell you, from a law enforcement point of view, is the chances of law enforcement coming in and getting your money back and fixing the problem. I hate to say it’s slim to none. There’s no such thing as a magic reset button. Once the bad guys do their damage, it’s very difficult to get to fix the problem. The next truth is that putting the bad guys in jail is even more difficult because today’s threat actor is located overseas. When I was a young FBI agent, it was easy to describe what I did. Bad people did bad things to good people. I worked with state and local cops. We put bad guys in jail. What a fun and exciting job, back in the day playing cops and robbers.
But today, our adversaries are located overseas. We’re looking at China, Russia, Iran, North Korea, West Africa. All different. And there’s a merger now between nation-states and transnational criminal enterprises. Bringing the bad guys to justice is very challenging. Now, I know that sounds really depressing, but the big epiphany came for me probably about two years before I retired, and I realised what I call the fourth truth to cybersecurity. And that is almost 90% of what I dealt with easily could have been prevented if my end users were only armed with a couple of key pieces of information. I retired in 2018. I didn’t think the problem could get any worse than it did in 2018. I was told it was going to.
It was supposed to be a $6 trillion global problem by 2021. Covid comes in. Now, the problem is trillions of dollars. But I want to throw this question out to all of you here today. The cybercrime problem continues to get worse, but we keep throwing more and more money at the problem. What does that mean to any of you here? What does it mean when we throw money at a problem, and the problem gets worse? Edward and Kate, what do you guys think?
Kate Bright: We feel frustrated. I think the point is a really good one. Yeah. And I was going to actually bring and weave in value at some point because, again, former family office hat on my job as chief punch bag, sorry, chief risk owner, was also chief value officer. And I think, you know, let’s be real about this. You’re absolutely spot on, Scott. Security has often come with a really reactive, expensive tag. I think as risk practitioners, we need to really reposition this whole experience for our clients to be less of a time and energy and stress and, you know, a value-driven rather than value subtract process. I had a really interesting conversation with a client just recently about how to measure risk management spending.
And we came across a really interesting algorithm, if you call it that, which is how much would you spend on insurance in a family office and what is your net worth exposure? And so back to you, Scott and Edward. I think if we’re looking at giving people really practicable toolkits on this webinar, what should the value proposition be? What should people be spending? And are those two metrics actually where we should be starting, as well as having an individual bespoke conversation? Just as you rightly highlighted, Edward, no two family offices are the same. What do we even mean by family office? I’ll leave it there.
Scott Ogenbaum: Excellent.
Kyle MacDonald: I might steal the mic for a second and just sort of outline. So, if we imagine those who perhaps are newly emerging or next-gen family offices solidifying and professionalising what it is that they’re doing, let’s perhaps, as a group, walk through some of the typical risk types that family offices might experience. So I’m going to list a couple, but I’d love to crowdsource a few others that come to mind, and then perhaps we’ll circle back to some of those that are meaningful. So the first is that there’s obviously an operational and organisational risk, which is a beautiful big bucket that can cover everything from security all the way through to the way in which due diligence is carried out in a particular investment type. Right.
Then, there’s fraud, there’s physical security, a huge one, which many, I think, take for granted but is increasingly becoming more and more important, particularly in developing economies. There’s cybersecurity, as Scott rightly mentioned. And then, obviously, there’s this idea of reputation management. For a lot of these individuals, a lot of their value sits in their reputation, the way they hold themselves in the world and the relationships they have. And it can be very difficult to claw your way back when that reputation is tarnished. So perhaps, Edward, are there others that come to mind for you? Are there any that you think are particularly important or relevant to bring up?
Edward Marshall: Well, I think one that kind of crosses a lot of the areas that you mentioned but has the human element that both Scott and Kate talked about, which I think is critical, is looking at how family offices are implementing insider risk programs. Now, insider risk does not always have to mean some sort of malicious actor. These can also be actors who make unintentional mistakes. An insider is just somebody who has access to your assets, your property, your information, whatever it is that has given them this privileged point of access to you. It could be somebody supporting a family’s estate. It could be the CEO of your family offices, vendors, or suppliers. It doesn’t matter.
However, the issue that we’ve seen is that there is a lack of focus on data and anecdotal conversations, and I’m sure Scott and Kate have seen that as well. There’s a lot of good work that’s done on the front end of getting an understanding of who those individuals are that you’re going to bring into a family office. But sometimes those things fall down. You’d be amazed at the amount of access that some people have to a family on a daily basis. A housekeeper or something like that. And you know, families don’t even know the last name of that individual.
Scott Ogenbaum: Right.
Edward Marshall: So there’s a lot of areas that you can do to protect the family, but also create a nice environment for everybody working there where there’s shared risk ownership around insider threat. It doesn’t have to be a top-down, scary thing around there, but you can get some resilience from that. And especially when you’re thinking about the war for family office talent, that’s a critical piece, too. When you have new people coming into the family office, what are you doing from there? And then you’re broadening your insider threat program. We’re doing that front-end test. How are we evaluating two or three years later when people’s circumstances change? And it’s not just about a criminal thing that may come up there. But, various circumstances will change a person’s issue. You can see that in government examples, people turn into spies for another country.
But you can also see it in terms of malicious or sometimes even unintentional behaviour for families. So, I would say insider threat is one of those areas that I think bears a lot of work. But it doesn’t cost, it doesn’t have the resource spend that I think a lot of families think it does and it doesn’t have to be this all-encompassing scary model.
Kyle MacDonald: Yeah. And I think so accurate around this idea of, you know, even just potential negligence.
Scott Ogenbaum: Right.
Kyle MacDonald: A lot of family offices have this sort of standard operating procedure, particularly when families are around or in residence. How easy is it for that routine and rhythm that is being passed from housekeeper to butler or investment manager on a regular basis? How does that then begin to play out, and how susceptible is that? Perhaps any others that we haven’t covered that you think would be really relevant to highlight or discuss.
Kate Bright: Yeah, I think this idea of a live risk register has never been more important. I have also spoken about the four pillars. I think I would add and underscore Edward’s sort of people-centric approach. The number of family offices we talk to when we’re helping them to recruit that don’t have a background checking, vetting, or screening protocol in place. You know, there’s some really low-hanging fruit and easy, quick wins. I think one of the pillars of our four pillars that I would really love people to, and I make no apology for using this as a mantra, is emotional security of that fourth pillar, physical, digital, reputational, and emotional. Your need to build risk-resilient people starts with the teams that are handling information, data, and reputation.
They are the gatekeepers to these individuals and gatekeepers in the positive ring-fencing, protective sense. And I think for me the pandemic has given the risk management community the opportunity to put health and safety right at the forefront of a family office agenda. And I think the best examples of families that we work with are when not only they’re at a family and a principal level, the physical, mental and cognitive wellbeing and risk resilience and sort of states of fear mitigated on a continuum, but also that of their teams as well. And so I think there are family officer corporates like any other at any corporate business, small, medium-sized enterprise, family office included, that isn’t investing in the emotional security of their teams is missing a trick because security has to be people-centric.
Kyle MacDonald: Yeah, yeah. Scott, anything in the wonderful world of digital and cyber that it might be good to double-click before we dive in?
Scott Ogenbaum: Yeah. There are really two things that I really want to drive home here right now. First of all, what I see in a number of my clients when they become victimised, and they’re like, oh my God, I can’t believe we got taken in a very sophisticated breach, it’s because they didn’t secure all their remote access with something called a two-factor authentication. So for anyone who’s out here listening to me today, if you do not have a second form of authentication on your email, the cybercriminals are going to get into your system. They’re going to read all of your emails, and they are going to trick you through social engineering. Those are the two things. The first is two-factor authentication. I’ve been talking about this since 2008. And the other one is social engineering.
The other question that I’m going to ask out there is how well your family office is trained to spot social engineering attacks. And when you tell me that you have a platform that provides phishing security, remember that phishing is only a small part of social engineering. And social engineering is tricking us into doing something we normally wouldn’t do, either through email, text messages, telephone calls, through social media account takeovers, and pop-ups. These are the things that I’m seeing that are occurring all the time across the board. Whether you’re a family office, a small business, or a major Fortune 500 company, these are the issues that everyone is still dealing with. And you know, the response that I get is I go, someone just dropped something. Because I go, hey, what’s your strategy? And they go, hey, we got this great firewall.
And I go, well, that’s a pretty nice control, but that’s not a strategy. So, you know, and as I try to unpack a couple of these through the things, those are two main points that none of my victims had. They couldn’t identify social engineering, and they didn’t use two-factor authentication. When my clients come to me, and they say, look, we don’t want to do it, I’m like, I don’t care. Just make sure that you have a good intrusion response company on standby. Because, you know, even to support what Kate and Edward are saying, look, we can’t live in a world of reaction. We have to be proactive in our approach.
And I know I’m oversimplifying things when I say, “I mean, we do need to invest in technologies, but if you don’t do these simple basic things, it doesn’t matter what technology you have in place.”
Kyle MacDonald: Yeah, brilliant. So maybe shifting gears. We’ve heard a little bit about the state of risk today and the types of risks that family offices and those they serve are exposed to. Perhaps we should talk a little bit more about how to manage these risks in effective ways. So maybe again, sort of starting with yourself, Kate, you know, what are some of the practices where you’ve seen family offices really get started on this journey of managing risk? So imagine a world in which I am a family office approaching you for the first time, coming to a liquidity event. And I’m thinking about stepping into the world of security. How do I get started? What should I consider first?
Kate Bright: I’d say congratulations for finding us as a navigation service in risk management. Sometimes a complex risk management sector. You know, Umbra’s approach is soaked in insider family office experience. So, for me, the proactive outreach is fantastic. And I think this idea of being able to pick up the phone to somebody, to your point, Scott, when things haven’t gone wrong, to have a proportionate risk partner that isn’t engaged in any commercial way, but that can just have a conversation with you.
And some of the best, most long-term enduring relationships that we have, other than the families that I worked with on the client side, are simply where we’re happy to have conversations in what are, you’ve quite rightly said, sort of positive, upbeat moments, liquidity events, succession planning and all these wonderful phrases that we hear that actually are change events. And where change occurs, risk follows. And so I think this idea of sitting down, and wargaming is one of the things I think I would bring into this, and one of the approaches that we found most successful is when we have all of the advisory village partners around that table. We often say that risk management used to have a sort of stool hurriedly put up at that table.
Well, now I think we deserve to have a place at that table. Tax, trust, wealth, investment, legal, all of these partners around the table, looking at a client’s life secure lifestyle, taking the words out, taking the security risk, stripping it out and putting in a protocol, a strategy. To your point, Scott, have a plan and look at it from a value perspective. I make no apology for looking at it from a value perspective because that is where most people will end up stopping when they don’t actually look at where that spend can be set across. And when it is crucial to bring that risk in-house when you should be recruiting your own CTO and have your own data management in-house, as opposed to, you know, Scott, the ubiquitous. I got my IT company. Who are they?
When did you last test them? Let’s do some fun exercises around testing our assumptions. And so the best conversations we have with clients are where we walk through a very simple checklist that we have, our secure lifestyle checklist, and start to have a conversation with a client because we don’t know what their perception of their own risk is. One of the key pieces of the last four years for us has been the conversation about how safe do you feel. And that is a perception-based question. The answers to that are sat with some of the most impressive individuals who have come through the other side of wealth events and who feel very unsafe and unsafe in a way that is a holistic strategy that can only help them in that instance. So yeah, proactive. I think we’re going to be. There’s a mantra here: simple and proactive.
Kyle MacDonald: Love it. I guess maybe this one’s for you, Edward. Where have you seen examples where family offices began engaging in trying to manage their risk, and actually, they’ve just gone about it completely the wrong way?
Edward Marshall: I don’t know if it’s completely the wrong way, but I think there are probably ways that you can find more efficiencies as part of it because it comes down to a couple of fundamental factors. Bad actors only have to be right once. You have to try to think about what a world would look like for you to have a 100% success rate. Is that always going to happen? Absolutely not. Anybody who promises you that is living in some sort of a theoretical bubble. So I think that’s. That illusion is important. We’ve talked about this as well, which is that families can be victims of their own success. There’s this survivorship bias around if something hasn’t happened to me in the past or bad hasn’t happened to me in the past, then you know, it’s not going to happen to me in the future. I’m off the radar.
Nobody knows who we are. I mean, these are very natural biases. Everyone wants to look at flood insurance after the flood, and that becomes one of the big issues that comes out of it. And you’re always heading down into, you know, fixing the problem that’s there. So, when we look at an issue from there, I would say this is a pretty universal thing: risks are changing. They’re getting more complex, but it’s just changing. Right? Rockefeller’s very sophisticated family office. You know, a long time ago, they didn’t have to think about the social media presence of their children, but they had risks that they had to deal with. You know, three years ago, if you asked anybody about drones and executive protection, they probably would have said that’s a minimal threat.
Look at what Russia’s war and invasion in Ukraine have done in terms of drone threats there and the edge cases that have come out of there. How are we going to protect against the traditional ways that we’ve done executive protection with those issues that come out of there, let alone threats of physical issues from drones, but cybersecurity threats from drones, surveillance from drones and other things? And how is that affordable? How many families can afford to put those things into place?
But I think when you look at it holistically, what I always say is to think about looking at a risk matrix evaluation. We take the 10 domains of risk that we see, and then we have this universal model that fits, and then we build it for that particular family that comes across all of those issues, and it becomes a heat map. It becomes an ability for them to actually score themselves. Project management, one of those, you know, as Kate mentioned before, one of those critical issues is empowering that chief get stuff done officer in your family office to actually go get that area done on risk. And I think this creates an opportunity for families as they’re putting it together.
And then lastly, if something goes wrong or you’re preparing for when something goes wrong, have something simple enough to be able to use. People ask me what the best technology is for X, Y, and Z, or what the best is. It’s the one that you’re actually going to use. So, if you have a process around when there’s a crisis, or something happens, pick something simple. We have five questions that we always tell people to think about. Ask yourself five questions. When you’re faced with a crisis, a breach, a privacy issue or whatever it may be, number one is, who am I? What’s your mission? What have we lost? What do we have yet to lose? And what are we missing?
If you answer those five questions, whether you’re in a boardroom for a large multinational company or a family office that’s just getting started and something bad happens, it’s going to give you a lot of answers and can prepare you for what you need to do next.
Kyle MacDonald: Yeah, we’ve had a great question come through in the chat. So, is there any sort of evaluation or checklist? Maybe it’s even principles, you know, that someone should begin to think about when starting to assess their cybersecurity as a family office.
Edward Marshall: This one, yeah.
Scott Ogenbaum: Well, I just want to jump into one thing, Edward, that you said. You know, we sit here, we plan, and we plan, but I forgot the great poet. Oh, it was Mike Tyson who said the plan is only as good as the plan until you get punched in the mouth. And so often, that’s why, you know, having the plan and rehearsing the plan and going through these things is so important. And the one takeaway that I want to jump on with what Edward was saying is, look, they’re going after the family. They’re going after social media. So they’re mapping all of this out. And it doesn’t matter your net worth. They’re still able to go after the weakest link here. And it’s the lack of sophistication that is required.
For me, I’ve created a really simple framework that I will send to you all to connect with me. And really, if I had to boil it down to go over it at a really high level, it’s really this. It’s understanding that we can’t keep. The problem gets worse. We keep throwing money at the problem. Okay, when I was with the FBI, I said, we’re not going to arrest our way out of the problem. We have to realise the four truths of cyber security. Edward hit one of them. Nobody expects to be a victim. No one’s going to target me. Bad guys steal your stuff. You’re not getting it back. Putting the bad guys in jail is really hard. That really makes us feel hopeless. It makes us feel vulnerable. But a majority of it could be prevented.
So what do I do? What if I had a minute to go back in time and sit with my victims? Social engineering is the number one tool in the cybercriminal’s tool belt. There are seven or eight different disciplines that you really have to be aware of. There are different scams. You have to realise it’s an account compromise. Today, all the bad guys need to do is steal your username and password. We are no longer keeping our information in a locked file cabinet within our family offices. I’m going to ask all of you: How many different cloud-based platforms are you using that have sensitive information? I do this with Fortune 500 companies. It’s impossible for them to figure it out. Make sure we’re not using the same password. For mission-critical platforms, use a password manager or a strategy to do that.
Use two-factor authentication on all bits of remote access and then think about that. And even if you do all of those things, your third parties aren’t. So when you get an email from somebody you know and somebody you trust, and there’s no malware in the email, they say, hey, we need you to send a wire transfer; what are you going to do? What are your policies in place? Do you have policies? Those simple things that I haven’t formalised. This is a strategy that anyone can pick up and implement, and it really doesn’t cost you anything.
Kyle MacDonald: Perfect. Kate also has a point on this, which I’d love to pick your brain on. You mentioned a bit of a checklist earlier, so perhaps there’s something you could lean into here.
Kate Bright: Yeah. So I think that there’s just one thing to add on from my sort of generalist side of the house. The four-pillar approach, when it pertains to digital risk, does not forget the bleed between physical and digital and just the link between the two. Again, we go back to this idea of a people-centric approach. But I just wanted to touch on one thing to add to what Scott has brilliantly given as a really good, immediate sort of, you know, you will stop something from happening to your infrastructure by doing what he’s just said. Something I’m noticing here in the UK and, to a certain extent, between family offices in terms of investment is this idea of accreditations in cyber. And so Cyber Essentials.
Cyber Essentials Plus here in the UK is actually a really good framework that you can use to test your IT systems. And anecdotally, now more of our family office clients are using that as a benchmark with which to actually even interact, if not invest, with other family offices. So I think this idea of becoming more of a corporate approach to risk and looking at where, as a family office ecosystem, you can really test your standards and actually pin your standards to ones that are out there. And I’m not sure if there’s a similar version in the U.S. Scott, but I’m pretty sure that things like the National Cyber Security Center’s Board Cyber Toolkit are also really good for anyone struggling with IT at a governance level. Those are two really useful frameworks that we’ve used.
Scott Ogenbaum: The only things those aren’t really covering, and I agree with you, is just the attacks we’re seeing on the end users, the attacks we’re seeing on the families, on our kids, the sextortion, what we’re seeing towards our senior members, you know that we can secure the network with tools. We can’t secure the end user without some kind of awareness. And to be honest with you, very few of us want to go sit down, and I mean, I build training for companies, and no matter how good you can provide training, just think about it: nobody really wants to sit down and do an hour training on the threat of social engineering, particularly a 15-year-old.
Kate Bright: Next-gen. Yeah, exactly.
Scott Ogenbaum: So that’s the challenge we all face. It’s not easy.
Kyle MacDonald: Yeah. I think there’s only a matter of time before it becomes more sophisticated, more targeted and AI-driven. But that is a topic for the end of this conversation, perhaps shifting gear again to thinking a little bit more about service providers as a whole. So, if you are a family office today, you know what type of service providers can and should a family office consider to try and support them in their journey towards being more conscious and secure when it comes to their risk and security. Ed, maybe over to you some. Yeah, it’d be great to get a bit of the lay of the land for some of the considerations they should be taking in.
Edward Marshall: Well, I think there is a disconnect between people who look at risk and risk vendors and family offices, which we talked about at the beginning of our conversation, and I think that needs to be addressed. Sometimes there’s a language barrier, there’s a lot of jargon that’s used in that industry, and how do you translate that for somebody that’s not, you know, deeply focused on this particular area of risk, whether it’s legal, regulatory, cyber, political or privacy, or reputationally managed. That becomes an issue as you’re looking at how you’re building out the different vendors that are there, and families just do not understand what’s available to them as a result of what’s affordable.
You will look at risk management and take it some extravagant expenses that you have to build your own intelligence agency to be able to go do this internally and with the right expertise and the right partnerships, the right communities of other family offices that are looking at this issue. There are ways to do it that are quite reasonable on the resources and don’t give you what you commonly see with families on this is the illusion of security. It looks good on paper as part of it. I think the other issue that you’ll see with providers there is that you really want to look for people who have expertise in their area. It is very challenging to do all of these things and have expertise in all of these different areas, geographically, functionally, or whatever it may be.
And it’s a natural thing for a lot of providers all across the family office spectrum to have the scope creep issue. If you put $500 million on the table, every provider is going to come up and say that they could do absolutely everything. And that’s an issue that you need to face. And families need to be ready for that. Vendors, suppliers, and advisors of the same ilk should be prepared to know and provide services that are compatible with what families are looking for. Another implementation is you can do a lot of things as a service. Bringing in a physical executive protection team for a family office is an incredibly expensive endeavour, complex, filled with all the different issues around HR that people have to face that.
But if you need things and need areas of that, with your travelling to an area that requires heightened security for whatever the reason may be, I mean, there are ways to do it and to work with people where you can have that ability without having somebody in a house full time. So I think, and the last thing I’ll leave you with is all the different domains that we’ve talked about today, health, privacy, reputation, operations, and technology, and they all interact. And if you’re not focusing on them in an area and watching how they interact with your particular family and your situation, you’re just going to be playing whack-a-mole. And that’s just going to introduce new issues for you as part of it.
Kyle MacDonald: Yeah, Kate, I’d actually be quite interested to hear a little bit more about, I guess, some of the service models, obviously the service models that you offer, but also the service models that you see in the market. Yeah, it’d be great to hear that.
Kate Bright: Yeah. So I think Edward picks up a really valid point, this idea of mission scope creep. I think for us, the first point of call, and if we go back to the word simple, is helping our clients navigate. And that’s based on a conversation. So, what are we actually helping our clients navigate through? And a really deep understanding of what they’re facing. I think the way you can really amplify that is by quickly building trust with the individual that you’re talking to.
And certainly for us, being able to introduce clients to other clients, not only does it give that sense of reassurance, but also between them, they can, you know, whether it’s at principal level or family office exec level, they can actually start to answer some of the questions in slow time and actually look at the difference between their individual secure lifestyle aspirations and what actually might be proportional. I think that our job as risk management professionals is to bring that proportionality back but also put the value in. I make, as I said, no apology about talking about value because I was the sort of chief fire hose, but also the one who had to pay the bills and explain the bills at the end of the day. And I think it’s just a final point on in-house versus contract.
I think the number of people who we speak to who have no idea of the different ways that you can manage risk both in-house and also contracted for a family office at a certain time in their wealth journey. It may be entirely inappropriate to own people’s risk for others. That might be exactly what they need to do in terms of scale and succession. And again, just like any corporation. So I think when to do it in-house, when to contract, and when to have your in-house humans. To Edward’s other point, talent is the biggest, the big issue. Who do we have as the people in our organisation, in our family office organisations that are owning those different risk areas, are they equipped?
Are they, are they the people who are going to guide you through to this next phase of your family office succession liquidity events? So you know, for us at Umbra, again, four pillar approach, walking through a conversation with our clients and being able to connect them with other clients that have gone through or who have maybe the similar sort of same worries about the things that they may have on their horizon.
Kyle MacDonald: Yeah. And I think again, it’d be good to, and I’ll sort of throw the ball back at you, Kate, around this idea of right-sizing, you know, the support you need. How should a family office begin to think about the right sizing and that type of support?
Kate Bright: You mean in terms of this sort of advisory village community around them?
Kyle MacDonald: Correct.
Edward Marshall: Yeah.
Kate Bright: I take you back to, I think I said earlier, the work that we do, particularly when it’s coming at us red hot. One of the first questions we’ll ask our clients is: who is your advisory village? Who is the wider community? I think risk management needs to work in parallel with legal, tax, trust, wealth, and all of the different people and practitioners who are protecting wealth and protecting reputation. And I think I’d finish with this idea of the family office reputation being as fragile as any large corporate brand. And that is something that is hard for, hard-earned, particularly in multigenerational dynastic families, and so easy to pull apart.
So I think we need to look at what we’re trying to protect, how we’re trying to protect it and who wider than the risk management community we as practitioners need to look in order to protect the advice we’re giving and make sure that’s ring-fenced in a really robust way.
Kyle MacDonald: Yep, perfect. So maybe, Ed, I’ll throw this ball back to you. So if I think of a family office today, you know, beginning to embark on this risk management journey, and they’re thinking to themselves, I’m going to have to develop and form this new relationship with an outside entity. I’m going to have to welcome them in and figure out how to prepare for this new relationship. What are some of the things that a family office could expect, and how might they sort of prepare their teams?
Edward Marshall: So if the question is about how you prepare it like an outside risk advisor to come in and look at, listen, any kind of time you bring a new relationship into a family office or a high net worth individual or any kind of closely held business, there’s always a bit of potential consternation because there’s a hyper, especially family office, there’s a hyper-focus on privacy. You know, we live in a world where privacy is eroding. You know, you can think of it as a privacy recession or depression, depending on your mood for that particular day. So now you’re introducing another element into the family office that they have to be thinking about. Is this person going, or is this team going to be? How are they going to be looking at these issues?
Are they going to be looking at these issues from a perspective of enhancing our ability to function and be efficient? Or is this going to be just a focus on like, hey, you want to be 100% secure, don’t use your phone, don’t use your emails, turn off everything and then go live in the woods, which is just not acceptable for family offices? I think there’s a good point about families working with different communities and organisations. Certainly, Simple is one of them, and you have the ability for other families to share their experiences. Working with an individual like that or a firm or a group of individuals around your risk threat or whatever issues come up with supplier selection for a family office, there is value in that network effect.
And then the last one, you know, family office is one of the lonely, loneliest jobs out in the world because you’ve got to keep everything private. So, you have the ability to network with other families and share what’s worked, what hasn’t, who’s been helpful, and who hasn’t. There are a few substitutes for that, as you’re looking at all this. But listen, don’t be afraid to ask for advice on this issue. You know, you’re not filing your own taxes. You know, you’re paying experts to do this. So, there is a benefit to this approach, and it’s a healthy checkup for families on a number of occasions.
Kyle MacDonald: Excellent. Perfect. Well, I’m going to sort of wrap up our final discussion and maybe give you one question, Scott, and then I’ll ask a broader question to the group. How are you feeling about the wonderful world of AI and how that’s reshaping, you know, cyber security today?
Scott Ogenbaum: A lot of great stuff is going on in the world of AI, but once it gets into the hands of these cybercriminals, they’re able to do an amazing amount of reconnaissance. They’re able to go over and do social media scraping. They’re able to find out every single thing about you. You know, in the old days when I was an FBI agent, it was easy. I had an unlisted phone number in the US, and when you had an unlisted phone number, nobody knew where you were. They couldn’t find you. But today, everything is available online. We’re providing way too much information about ourselves, you know, on our privacy settings and on social media. We’re telling people, hey, look at me, I’m out of the country.
And now, with AI, we’re able to craft perfect social engineering responses through emails, text messages, telephone calls, and account takeovers through social media that look absolutely perfect. And you know who’s falling for this? A lot of young people. You know, I see that there was one question they were talking about: how do you not scare the kids? And, you know, we have to really have these conversations. It’s not easy. There’s no easy button. There’s no easy button to believe that’s going to solve this. It’s having those communications with every member of the family to do that. And it’s only going to get worse because now we have so many other different platforms being used. I hate to say it, but 66% of the population is using the same passwords for mission-critical accounts.
So, the bad guy gets access to the Facebook account and, from there, access to the iCloud account and access to all the pictures. So these are simple things that we all really need to take. And that’s why I call it the cybersecure mindset. It is not a one-and-done situation. It’s not a check-the-box. We did our 30 minutes worth of cybersecurity awareness training. So we’re going to be okay. And the worst thing, too, is I don’t think we could really wait to see if insurance is going to solve this problem because I don’t care how much insurance you have, when your kid’s the victim of sextortion, there’s not enough money to fix that problem. And remember, a lot of this sounds harsh, but if 90% of it could be prevented, just follow these simple steps.
Kyle MacDonald: Yep, brilliant. So, final question for each of you. One sentence answers. What is it that gets you up and excited about this space today? If you were sort of saying this to a family office. So maybe I’ll give you a second to think. Three, two, one. Ed, over to you. What gets you excited about this space?
Edward Marshall: Listen, the big risks have evolved from newer advances of convenience and technology. Artificial intelligence, you know, is one that’s banshee about the fear of deepfakes and other things that come out of that. But the exciting thing is that all of these tools and advances can be used on the offence to protect yourself. And I think that’s something too: don’t live in fear, doom and gloom. There are a lot better ways to do that and not exist in a state where you’re accepting the unexpected but expecting the unexpected.
Kyle MacDonald: Brilliant, Scott. Sort of. One sentence. What gets you excited about this space?
Scott Ogenbaum: Cybercrime. You have the ability to reduce your chances of becoming the next cybercrime victim. Connect with me on LinkedIn, and I’ll send you the strategy document. It’s just that simple.
Kyle MacDonald: Brilliant, Kate. What gets you excited about this space?
Kate Bright: Well, true to my surname, I’m glass 3/4 full and relentlessly positive that a proactive posture can really save the day. But I think in a world of unknowns, let’s control the controllables, right? You know, the secure lifestyle checklist is there for a reason. Hit me up for that. But also security as a service. This is ongoing subscription model revenue that needs to be invested in a holistic security strategy. And we think we’ve got that with our Umbra plus methodology. So yeah, happy to chat at no cost anytime.
Kyle MacDonald: Excellent. Thank you so much to everyone today and to all the viewers. Thank you for joining today’s webinar on family office security and risk management. If you would like to learn more, you can log in or sign up for the complimentary account to access everything. That is the wonderful Simple platform. You can read 2024’s Family Office Security and Risk Management report available at Simple.Co., or you can scan this little code on your screen.
With your account, you can connect directly with Simple Team and the network of experts like myself and everyone on the panel today and further explore a broad array of guides, tools, and data services across the Simple platform. Stay tuned for our next webinar, which will be on Family Office recruitment. Thank you so much for joining. That’s it for me.