Client Affairs
INTERVIEW: Message To UHNW Individuals - Trust No-One Electronically, Says Kroll
This news service spoke recently to one of the largest firms advising people and institutions on how to protect against the threat of cybercrime.
With cybercrime attacks on banks and other organisations an almost daily source of news headlines – as seen recently following attacks on the US Internal Revenue Service – foiling such criminals is urgent. Unsurprisingly, the wealthiest members of society are particularly at risk.
The process of putting money into a discreet private bank account, however, has become more tricky these days because of how governments are less tolerant of bank secrecy (it is on the way out in Switzerland), and have cracked down on suspected money laundering. With more disclosure requirements come more vulnerabilities. The very fact that an organisation such as the IRS was hit is itself a sign of how wide-ranging the issue now is.
Law firms and other bodies are becoming increasingly vocal on the issue (and of course, they see it as a source of business.) Withers, the international law firm, for example, has weighed in with comments on the matter. Stephen Ross, Withers' head of fraud, told this publication recently: "Family offices are seen by fraudsters as a 'soft target', similar to charities, as they may not have robust policies in place to deter hackers. In our experience, this perception is inaccurate and family offices are alive to the threat, but nonetheless the perception means that they are being targeted. We have seen a spike in bank mandate fraud attempts on successful families or their family offices relating to purchases of fine art. A successful family may spend large sums every year on security and cybersecurity to ensure their privacy, but all it can take is a family member using social media to share which airport they are in and where the family are going."
Separately, Kenny Mullen, head of Withers' data protection team, said: "Targeting wealthy people for frauds has always been a fact of life but, with more personal/business interaction now conducted online, it's inevitable that criminal activity shifts to the internet. Where an investment manager or family office does not take adequate precautions (either at a technical level or through staff administration and training) to protect their clients' data and assets, then – as well as the financial impact to their clients - the regulatory implications can be very serious indeed. What these stories highlight is that responsibility lies on both sides of the fence. Wealthy clients and those managing their assets both need to have frank dialogues about how each of them put in place preventative measures – with professional input if necessary - to minimise their exposure to fraudsters."
Kroll's perspective
One of the most prominent firms working in security, risk control and analysis is Kroll. The business helps clients through investigations, cybersecurity, due diligence and compliance, physical and operational security, and data and information management services. This firm, with its roster of more than 2,000 employees and more than 50 offices in around 30 countries, has a ringside seat on the cybersecurity arena. Family Wealth Report, sister publication to this one, recently interviewed Benedict Hamilton, managing director of investigations and disputes.
What sort of threats have your team discovered that exist
and that are specific to the ultra-high net worth population?
Without naming names, are there examples of significant breaches?
Are we talking in six-figure or higher sums of money
stolen?
UHNW individuals are particularly vulnerable to cybercrime
because of their prominence. Criminals are able to research them
easily, gathering information about their families and associates
which they can use for their attacks. The most common type of
attack in our experience is taking over email accounts of the
principals, or their advisors or children, and using genuine
emails from the accounts to move hundreds of thousands, millions
in some cases, to accounts the criminals control.
Are there particular geographies where UHNW persons are
particularly vulnerable, and why?
Geographies where it is common for UHNW persons to run their
businesses from public email accounts (e.g. Gmail, Yahoo) on
their iPhone or iPad are particularly vulnerable - the Middle
East springs to mind. We have helped several UHNW individuals in
the ME track down and recover large sums of cash. African and
Asian entrepreneurs, British hedge fund principals… there are
many others with the same weaknesses.
Bank and other financial accounts are obvious targets: do
you see this as being a reason why UHNW persons might be
reluctant to adopt mobile banking and stick to more traditional
forms of private banking?
It should be, but we haven’t seen this happen. Typically UHNW
individuals email a finance person to move money - it’s that
email that’s the vulnerability, not the mobile banking platform.
In several cases it’s the children of the UHNW who
are targeted, emailing the family office.
The very wealthy will typically have personal assistants,
advisors and other employees working for the family. How
significant a vulnerability comes from this if such persons are
not taking precautions themselves vs hackers and what sort of
advice/work does your firm engage in?
Cybercriminals exploit trusted relationships – so the aides and
advisors are a significant vulnerability. Luckily there is a lot
that we can do to assist on this in terms of raising awareness,
improving their resilience to electronic attack and increasing
detection and response rates.
Governments are - they say - pushing for transparency,
and rules such as Swiss bank secrecy laws are under attack.
Paradoxically, does this make the wealthy more or less vulnerable
to hackers?
Open source information on the wealthy makes them vulnerable just
by being identified.
Are organisations such as the US IRS and its British
counterpart vulnerable points, given how much data they
hold?
Absolutely they are, and we saw attacks on HMRC last month,
possibly for this reason.
At a general level, what is the main advice you offer to
wealthy people about cybersecurity?
Move money orally, talking to people you trust. Run your own
email system and have it properly protected. Use long passwords.
There’s a lot of advice we can give about keeping work and
private lives separate and understanding your digital footprint.
Awareness is key.
Are there other points you would like to make about
cybercrime and wealthy individuals?
Cybercrime is only going to grow and grow. At its heart it often
relies on pretending to be someone you trust – trust no one
electronically.