Cybercriminals are increasingly targeting wealthy individuals, making cybersecurity concierges a new must-have for the rich and their families, including executives.
While companies are spending heavily on cybersecurity, personal and home devices are generally less protected, making them easier to crack. And despite their sizeable assets and the growing threat of cyberattacks, family offices and wealthy families don’t think of themselves as targets because hackings are rarely publicized.
“Now the low-hanging fruit are high-net worth families, some of which have the resources of big companies with hundreds of millions or even billions, but are not as secure,” said Bill Roth, CEO of HardTarget, a cyber resilience firm for high-net worth families, advisors and family offices.
Cybersecurity incidents become known only if there’s some kind of public fallout. Jeff Bezos’ phone was hacked back in 2018 when the Saudi Crown Prince Mohammed bin Salman allegedly sent a malicious video file to Bezos through WhatsApp. It became public knowledge after photos of him with Lauren Sanchez were leaked due to the hacking. In 2022, the Twitter accounts of Bill Gates, Elon Musk and other prominent people were hacked to tout a bitcoin scheme.
“There have been big breaches — reputational, grabbing data, ransomware — all of that is happening to high-net worth families. It’s just not public,” said Bobby Stover, family office and family enterprise leader at Ernst & Young.
The secrecy surrounding breaches compounds the problem because many wealthy people aren’t aware of how often breaches happen. Families don’t have to disclose a breach, unlike companies or wealth managers. They’re also likely to keep quiet about any breach out of embarrassment.
Anwar Visram, co-founder of HardTarget, recalled how one family reached out after the son encountered an extortion scheme that moved from Tinder to Instagram. The son paid the original $500 ransom, but because it was paid promptly, it piqued the interest of the extortionists, who raised the ransom to $3,000. By then, the son had shut down all social media accounts, but the extortionists had figured out his identity and went to the head of the family, the founder of a wealth management firm, to demand $100,000.
JPMorgan high-net-worth clients get help
To combat the growing risk of cyber breaches, family offices and wealth managers are talking about cybersecurity with their high-net-worth clients more frequently. Firms are not just securing their own platforms and ensuring clients don’t send sensitive information over email, but also making efforts to ensure their clients’ home networks and devices are secure.
JPMorgan Private Bank offers cybersecurity help to its ultra-high net worth clients, along with lifestyle and travel services. The firm has an in-house team, called the Advice Lab, with subject matter experts on topics ranging from taxes to cybersecurity.
“Ultra-high net worth individuals, families, family offices have the wealth but also they usually have much less defenses in place,” said Ileana Van Der Linde, head of cyber advisory at JPMorgan Asset & Wealth Management. “I think one of the misconceptions is that — particularly for family offices — ‘we’re small and nobody notices us.’ But 75% of all cyberattacks are targeting small and medium-sized businesses.”
According to JPMorgan Private Bank’s 2024 Global Family Office Report, 24% of family offices surveyed said they had been exposed to a cybersecurity breach or financial fraud. Despite this, 20% do not have cybersecurity measures in place.
“The mindset that most have is that ‘I’m too smart. It’ll never happen to me. I’ve never heard of this,’” Visram said.
“Nobody’s ready for what’s coming,” a Silicon Valley executive who lost $400,000 in a real estate scam told CNBC this week.
To raise awareness and improve security, Van Der Linde and her team educate clients and help them with tasks like changing the privacy and location settings on their phones, adding multi-factor authentication to accounts or identifying suspect emails. The private bank can also tap the IT resources from JPMorgan corporate.
“A lot of things you can do yourself, but we do evaluate where we see their need is,” she said. She recalled one client, a family with seven children, each with five devices, and knew that changing passwords on all 35 devices would be a lot of work, so “that’s where we might suggest a concierge,” she said.
Family office gaps in cyber defense
Cyber concierges are helping to fill in the cybersecurity gaps. Family offices, like small- and medium-sized businesses, are an underserved market. Enterprise cybersecurity solutions are generally too big, expensive or unwieldy. Ernst & Young, which typically works with larger enterprise clients, has a solution to help businesses detect and prevent data breaches that costs $300,000 to $500,000 a year. On the other hand, personal cybersecurity solutions don’t offer quite enough protection.
Cybersecurity is also getting increasingly complicated, especially for wealthy families with multiple homes and online security systems with cameras, devices, and networks. More connected devices are more work to secure.
Cyber concierge services focus on education and conduct on-site visits to ensure systems are set up securely. One cybersecurity provider, BlackCloak, says it offers protection 24-7, 365 days a year. “We’re their digital bodyguards and protect them,” said Chris Pierson, who started BlackCloak after working in government and corporate America and seeing individuals targeted outside of work. “I really wanted a solution for that,” he said.
According to a 2023 survey of IT professionals by Ponemon Institute, sponsored by BlackCloak, 42% of respondents said their executives and family members were attacked by cybercriminals, and 25% of respondents said they had experienced an average of seven attacks or more in the past two years.
The risks are ever-shifting. Van Der Linde noted a big uptick in high-net-worth clients wanting to remove their personal information from social media, public databases and other sources since the recent unrest in Israel.
Stover at Ernst & Young noted that he’s seeing cybercriminals take their time to scope out targets, conduct research and then attack at opportune times. According to an EY study of 500 C-suite leaders and cybersecurity leaders, there was an average of 44 “significant” cyber incidents a year in those organizations, and it took organizations six months on average to detect that something was amiss.
“What you’re finding on a lot of these cyber breaches is somebody’s sitting there strategically listening and doing things. They may not even have to try to steal … they can use information to go other places and cause harm,” Stover said.
Pierson came across one instance where a bank CEO discovered his home’s entire camera and alarm system, which was connected to the internet, could be viewable by anyone. He said this wasn’t a simple off-the-shelf system like Amazon’s Alexa but a complicated smart home technology that controls the lighting, doors, heating controls, pool controls, movie theaters. “If they’re set up incorrectly, or not secured and updated, it creates a risk. It’s like your doors don’t lock,” he said.
With more of life and business conducted online, the stakes are getting higher.
“As goes the physical world, so goes the digital world,” said Christopher Budd, director at cybersecurity firm Sophos. “Just as people have their own private security and their own bodyguards when they have an elevated risk profile in the physical world, it makes perfect sense that we’re seeing the same happen in regards to the digital world.”