That same issue makes payment of ransoms tricky as well. In the United States, many threat actors and developers of ransomware have been “designated” by the Treasury Department’s Office of Foreign Assets Control (OFAC). U.S. citizens and businesses are barred from transactions with these actors—including ransomware payments. The office has specifically warned against paying ransoms without making sure the money is not going to a designated group or person, and it is almost impossible to tell where the proceeds of a cryptocurrency transaction are actually headed.

Spear-phishing payments may similarly entangle family offices in complicated cross-border problems. Not only does the crime add to jurisdictional problems for law enforcement, but once the money has been transferred by wire, it can be extremely difficult to prove it was unintentional or caused by malicious action, which means it’s hard to retrieve the money after the transfer has been made. The bank accounts used by threat actors in spear-phishing attacks are almost always outside of the victim’s home country and, unsurprisingly, the money is usually moved out of the initial account immediately. Even if the money can be traced, it can be a daunting prospect for victims to work with international regulators to prove the nature of the transfer and reverse it.

Ways To Protect Yourself
Whether the victim is a Fortune 100 corporation or a family office, there is a common element in most cyberattacks: human error. The easiest way to get into a castle, after all, is not to break down the walls but to trick someone on the inside into opening the gate for you. A perpetrator can introduce ransomware into a computer network by “hacking,” but often the software comes via phishing emails containing malicious links. Those require a person to mistakenly click on a link.

It’s crucial for all organizations to add network and device security, but it’s even more crucial for family offices and wealthy families to train all the users of their computer networks to identify and avoid cyberattacks like phishing. That means everyone who has access to the family’s or family office’s computers or network needs to be aware of the threat of cyberattack and understand how to minimize the risk of one happening.

Training tools are widely available and, thankfully, the training is far less expensive than the kinds of security software and hardware used by large corporations.

It’s also crucial to regularly update software, especially operating systems like Windows, and to control and update the list of people who have access to devices and networks. And it’s important to continuously monitor and improve the physical security and data security of a family office. One of the biggest dangers for any organization is the tendency to treat data security as a “one-and-done” problem, and to assume that a solution someone found at one point in time will solve related problems indefinitely.

Data security threats evolve constantly, and family offices and wealthy individuals must be vigilant, informed and adaptable as well. 

Daniel Berick is the Americas Chair of the Global Corporate Practice of Squire Patton Boggs. J. D. Bridges is an associate in the Corporate Practice of Squire Patton Boggs.
