Family Wealth Report Family Office Cybersecurity and AI Post-Summit Report 2024
A collation of the summit's content sessions, including key take-aways, listing how to protect the family office against a cyber attack and how to leverage AI to secure and safely improve the efficiency of family office operations.
Contents
Introduction
Archimedes’ Lever – AI And The Age Of Infinite Leverage
The Intersection Of Cyber Security And Physical Security
Hacking People – Cybersecurity, Reputations, And AI
The Use Of AI In Creating Social Engineering Attacks
Unleashing The Power Of AI: Navigating The Benefits, Challenges & Risks
Why AI Will Not Eliminate The Traditional Advisor
A Privacy Plan For Your Family Office
What Can We Learn From Highly Mature Cybersecurity Programs?
Addressing The Threat Of Artificial Intelligence To Physical Security
From Risk To Resilience: Strategies For Cybersecurity In Family Offices
This report is a compilation of the sessions at the Family Wealth Report’s in-person Family Office Cybersecurity and AI Summit on June 4.
This summit successfully addressed cybersecurity and AI topics, emphasizing their intersection, specifically tailored for multi-family and single-family offices, as well as ultra-high-net-worth individuals. In a nutshell, we discussed the vulnerabilities that trigger a cyber attack, how cyber attacks can be prevented, and how the safe use of AI will increase the efficiency of family office operations.
The speaker line-up ensured a great variety of perspectives on cyber security, physical security and AI and their intersections.
Chris Wake, from Atypical, writes about Archimedes’ Lever - AI and the age of infinite leverage, addressing the intersection between cybersecurity and AI. Kate Norris from Atténuer Risk, Lisa Gelles from Howard Insurance and Tom Aldrich from 360 Privacy talk about The intersection of cyber and physical security. Mykolas Rambus, from Hush, speaks about Hacking people - cybersecurity, reputations and AI, showing the potential dangers of the digital footprint. Gilad Zinger, from Yemin Family Office, writes about Human vulnerabilities and takes the audience on a dive into social engineering attacks.
John Boles and Danielle Valkner, from PwC, explain how to Unleash the power of AI, navigating the benefits, challenges and risks. Andrew Evans, from Rossby Wealth and Rossby Financial, explains Why AI will not eliminate the traditional advisor, and argues that the efficiencies of generative AI will produce demand for growth of human-led advice. William Roberts, from Day Pitney, adds a legal perspective and presents A privacy plan for your family office.
Tim Schnurr, from Inquisitive IT, looks at What we can learn from highly mature cybersecurity programs. Tristan Flannery, from Orbital Risk, and Liz Buckley, from Praetorian, discuss Navigating the potential perils of AI: Understanding and mitigating the risks of deepfakes. Ileana van der Linde, from JP Morgan, and Dale Buckner, from Global Guardian, talk about From risk to resilience: Strategies for cybersecurity in family offices.
We hope that you will find this report informative and that it will provide you with new insights into the world of cybersecurity, physical security and AI in the family office and wealth management space.
Archimedes’ Lever – AI And The Age Of Infinite Leverage
Chris Wake
Founder - Atypical
Chris Wake is the Founder of Atypical, where he brings two decades of experience as an operator to his investing, including work on both hardware and software in the fields of aerospace, AI, and cybersecurity.
I have three things to talk about with you today. Cybersecurity. Artificial Intelligence. And the point at which those two forces come together. Pretty simple.
I titled my talk Archimedes’ Lever. Among many things that Archimedes gave us, including Pi – the number, not the dessert – he is credited with my favorite quote about AI. This guy was way ahead of the curve. He said:
“Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.”
This quote is all about leverage. How much can one individual accomplish with the right tool? It turns out, an awful lot. AI is leverage. AI is near infinite leverage, in fact. Now this can work for you, and it can work against you. We will touch on both today.
Which brings us to cybersecurity. Cybersecurity is protection from unwanted attacks. We do not live in digital palaces, however. Higher, thicker walls — or their digital equivalent — are not the answer. Most attacks happen at the human computer interface — where you and I engage with the systems that help each of us to operate.
To protect against such attacks, we started asking for something that you know. A password, the name of your first grade teacher, the make of your first car, etc.
When that defense broke down, we started asking for something that you have. An authenticator app or device, a text message to your phone, etc.
Our solution, in short, has been to add weight to the user experience — to weigh down the human computer interface with more work, assuming that our adversaries are too lazy or slow to do the work. And we are all caught in the crossfire.
Artificial intelligence. AI. When you hear these terms, assume it is marketing as much as it is technology. AI is any attempt to use software and machines to simulate or augment human mental capabilities. It is a term that encompasses many different pieces of technology.
Among its relative superpowers, AI is really good at pattern recognition. It can identify patterns in large sets of data, text, or images that you and I would struggle to consume in a lifetime. Even assuming we could, it’s debatable whether we would find the same patterns that an AI can.
AI is also very good at the inverse of pattern recognition — identifying anomalies, or items that do not belong. For anyone that ever read Highlights magazine as a kid, AI would beat every single one of us at ‘Which of these things is not like the other.’
AI is wicked fast, both in its development pace and its current responsiveness to user questions.
Having an effective security posture is about knowing where to focus your efforts. What are the real threats, and what are the actions that you can take now? This is especially important now, in a world where AI can be used by adversaries as infinite leverage to take advantage of your attack surface.
In the same vein, at Atypical we invest in plausible science fiction — points where technology has finally caught up to solve foundational problems. We have looked at a lot of cybersecurity companies, and we’ve only made a few investments to date.
One of those is focused on identity, a foundational problem. It is not about what you know, or what you have; rather, it’s about who you are. They use behavioral biometrics — literally the way in which you interact with systems – and AI to continuously authenticate that you are who you say you are, and that someone else is not pretending to be you.
Another is focused on trust infrastructure for payments — or knowing precisely who you are paying before your wire transfer lands where it shouldn’t. They use advanced AI to defend against AI in the wrong hands, including against the use of deep fakes.
Remember, AI is leverage. AI is near infinite leverage. It is important to remember that your adversaries will use this leverage against you, and you can use the same leverage to battle back.
KEY PRESENTATION TAKEAWAYS:
• “Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” ~ Archimedes
• AI is near infinite leverage, putting the collective intelligence from humanity in the hands of each individual.
• AI is great at pattern recognition.
• AI is great at anomaly detection.
• AI is wicked fast, and will impact every activity where brute force is an option.
• Bad actors use AI to increase the scale and impact of their attacks.
• You and I can use AI to increase the effectiveness of our security posture.
• Begin with AI applied to areas of foundational importance; e.g. Identity and Money Transfers.
Company Profile:
Atypical is an investor in plausible science fiction — points where technology has caught up to solve foundational problems. Investments include the first data center on the Moon, cybersecurity and cyber physical systems, guardrails for artificial intelligence, nuclear, and even an organoid platform delivering human clinical trials in a dish.
For more information visit: www.atypical.com
The Intersection Of Cyber Security And Physical Security
Tom Aldrich
Chief Revenue Officer - 360 Privacy
Tom Aldrich joined 360 Privacy in 2022 after having worked at Goldman Sachs as a private wealth advisor. He came to Goldman from the US Army, where he served as a Green Beret and functioned as both a communications and intelligence subject matter expert. He deployed overseas four times, where he was responsible for tactical and strategic targeting, intelligence, and digital exploitation. Tom is a Certified Ethical Hacker and obtained his CIPP/US certification from the International Association of Privacy Professionals.
Lisa Gelles
Executive Director - Private Client - Howard Insurance
Lisa Gelles serves as Executive Director in the Private Client Group at Howard Insurance. In her role, Lisa sits at the helm of the firm’s family office practice, working closely with each family and their advisors to provide a consolidated approach to complex risk issues. Under her guidance, the team designs and implements sophisticated insurance portfolios. Lisa has extensive risk management and specialized insurance expertise surrounding high value collections and real estate on a national and international basis.
Kate Norris
Founder and CEO - Atténuer Risk
Kate Norris is a recognized industry expert, having served hundreds of family offices and wealth advisory firms for over 25 years working on the broker, carrier, wealth advisory and consultancy sides. Kate founded Atténuer Risk in 2021 and serves her clients as a fee-only risk and resiliency consultant. Kate maintains her insurance licensing and graduated from the University of Kansas. She serves on the Advisory Board of the Council for Insuring Private Clients & High-Net-Worth Individuals and is a faculty member for the National Alliance–CPRM designation.
In an era where digital threats are increasingly intertwined with physical risks, the session “The Intersection of Cyber Security and Physical Security” delves into the critical nexus between these two domains.
This session explored how advancements in technology have blurred the lines between cyber and physical security, necessitating a unified approach to protect assets, information, and family members.
FACTS & FIGURES:
• According to the FCC, there were approximately 1.5 billion targeted attacks on IoT devices in the first half of 2021.
• The number of IoT devices is projected to climb to 25 billion by 2030.
KEY TAKEAWAYS
Families and family offices need to take a proactive approach to their security, both physical and cyber. This includes:
• Conduct a physical security and cyber security threat assessment at both the family office level and the household level. Be sure to include any vulnerabilities present on the open web through data broker websites (like Spokeo.com, BeenVerified, etc.), as well as the deep and dark web.
• Review and understand their vulnerabilities uncovered in the assessment.
• Create an action plan to mitigate or eliminate their vulnerabilities.
• Build a resiliency plan that will respond to either a physical security threat or cyber security threat. The plan needs to be communicated and reviewed with all staff and family members. When selecting team members, from a cyber security perspective consider choosing those with expertise in:
- Digital: data brokers, B2B websites, social media, and AI.
- Legal: AI governance, domain ownership, and the newly enacted Corporate Transparency Act.
- Physical: travel and emergency risk management, as well as access control.
Review, revisit and adjust – you cannot put this in the drawer and forget.
Hacking People – Cybersecurity, Reputations, And AI
Mykolas Rambus
CEO and Co-Founder - Hush
Mykolas Rambus is the CEO and Co-Founder of Hush, the AI cybersecurity and privacy platform for companies and their employees. Before Hush, Mykolas was an executive at the credit bureau and data broker Equifax, co-founded Wealth-X, the world’s largest database of information on wealthy people, and led information technology at Forbes Magazine and the real estate firm W.P. Carey. He’s an award-winning technologist, having begun his career launching a tech startup from his dorm room at MIT.
I spent over a decade conducting research on the world’s wealthiest people and their families - people are open books. Unless they’re taking steps to actively be private, it’s extremely likely that everything is out there about them, their families, their companies, and their service providers.
Hush’s experience stems from its founders being targeted at a previous business Wealth-X by threat actors - intelligence services, oligarchs, and organized crime.
It turns out that even publicly available information, which too many people including HNW and UHNW individuals, think is benign, is in fact extremely valuable, sensitive, and sometimes lethal, as in the case of Forbes’ former Russia editor.
Most people are scarcely aware how their information can be used against them. And that’s probably a good thing, but the reality is there are myriad scams, extortion schemes, types of cyberattacks, with more being invented all the time.
“It’s easier to hack a human than a computer.”
Yes, the internet was developed for the free flow of information, speed, and in many cases anonymity. But those same virtues have enabled sprawling cybercrime.
In fact, the sum total of all cybercrime is greater than the entire illicit drug trade. It’s because cybercrime is getting increasingly easy to perpetrate, is rarely prosecuted, and is relatively low risk compared to drugs, guns, and other illegal activities.
Take SIM swapping for example - a shockingly easy crime that only requires a few pieces of information to effectively impersonate an individual, take over their mobile phone, and defraud someone of their bank or investment account holdings.
Even burglary is fueled by poor privacy, with 80% of thieves researching their target homes and residents online before committing a crime.
Online harassment too has reached epidemic proportions, with two-thirds of young people reporting they’ve experienced such problems, with a quarter of those sharing the harassment was violent in nature. No one really knows exactly how they’ll react when they, or just as likely a member of their family, is threatened.
We see again privacy, or lack thereof, being the problem. Over 90% of cyberattacks directed at individuals, family offices, and corporations start with social engineering - and the first step of social engineering is reconnaissance - with hackers learning as much as possible about their intended targets, whether the CFO of the company, a teenage family member, or an accounts payable clerk.
This issue of reconnaissance against people comes up again in reviewing cases of extortion, and especially a variant named virtual kidnapping. It’s entirely enabled by lax privacy, inexpensive voice processing tools, just as is true for sextortion, a crime being actively scaled by criminal gangs around the world.
Assembling all of the risks reviewed so far is impersonation. Depending on the position, influence, and relationships of the affected individual, the impact can be extraordinary. Unfortunately, generative AI is quickly increasing the risk of impersonation, driven by various motives.
KEY PRESENTATION TAKEAWAYS:
• Humans are the targets of today’s Internet crime, not systems.
• Bad actors conduct in-depth reconnaissance on families and their employees to find financial opportunities, psychological weaknesses, and work their way into secure systems.
• There are many steps family offices can take to protect privacy, but being aware and actively not oversharing are critical.
Company Profile:
Hush is the AI cyberprivacy service that reduces social engineering and phishing risks for family offices and their employees. Hush empowers family members by finding everything the internet knows about them, educating them on their vulnerabilities, and making it one-click easy to reduce their targetable information. Combining AI-led detection and removal, Hush is the most comprehensive privacy defense against cyber, financial, physical, impersonation, and reputational threats. Hush has won several awards, including from Google and WealthBriefing, is SOC2 certified, and is a “top cybersecurity-company-to-watch”.
The Use Of AI In Creating Social Engineering Attacks
Gilad Zinger
Investment Director - Yemin Family Office
Gilad, an Investment Director at Yemin Family Office, specializes in nurturing mid-early stage cybersecurity, Fintech, Agri&food startups. Previously at PwC, he served as a Senior Manager and OT Security Specialist, empowering governments and organizations to safeguard critical infrastructures. With over 17 years at the Israel Security Agency, he cultivated unparalleled experience in defensive and offensive cyber operations. As the Cyber Division Team Leader, Gilad managed elite cybersecurity teams, spearheading the identification and analysis of cyber events for the Department of Cyberwar Risk Management at the Israeli National Information Security Agency (NISA).
In my recent presentation, I explored the critical subject of using Artificial Intelligence (AI) to orchestrate social engineering attacks.
Social engineering exploits human vulnerabilities, and the incorporation of AI into these attacks poses new and sophisticated threats.
The objective was to highlight how AI can be leveraged to create more convincing and effective social engineering schemes and to demonstrate the urgency for enhanced security measures within the family office sector.
THE HUMAN FACTOR: THE WEAKEST LINK
The presentation began with an overview of social engineering, emphasizing its reliance on manipulating human behavior rather than exploiting technical vulnerabilities. I discussed common techniques used in social engineering, such as phishing, baiting, and pretexting. These methods are designed to deceive individuals into divulging confidential information or performing actions that compromise security.
I pointed out that despite advancements in cybersecurity technology, the human factor remains the weakest link. This vulnerability is particularly pertinent to the family office industry, where personal relationships and trust play significant roles in operations. The potential for AI to exploit these human weaknesses underscores the need for heightened awareness and improved defensive strategies.
LIVE DEMONSTRATION: AI IN ACTION
To illustrate the potential dangers, I conducted a live demonstration using ChatGPT, an advanced language model developed by OpenAI. The demo showcased how AI could be employed to automate and enhance social engineering attacks, making them more believable and harder to detect.
I used ChatGPT to build a script that creates a fake webpage designed to look like a legitimate “Wealth Report” site. The purpose of this site was to trick victims into entering their credentials. The demonstration included the following steps:
1. Script Creation: ChatGPT was prompted to generate HTML and JavaScript code for a fake webpage. The AI produced a professional-looking login page with a convincing layout and text, mimicking a typical wealth management portal.
2. Integration with Google Sheets: The script included functionality to capture the credentials entered by the victim and store them in a Google Sheet. This integration was crucial to demonstrate how easily the stolen information could be collected and accessed by the attacker in real-time.
3. Execution: I deployed the fake webpage and showed how an unsuspecting victim might interact with it. Upon entering credentials, the information was immediately transmitted to a Google Sheet, highlighting the efficiency and stealth of the attack.
RESULTS AND IMPACT
The live demo was highly effective, demonstrating the seamless and potent capabilities of AI in facilitating social engineering attacks. The audience witnessed firsthand how AI-generated content can deceive even the most vigilant individuals. The demonstration underscored the pressing need for robust security measures and heightened vigilance among family office personnel.
CONCLUSION: STRENGTHENING THE HUMAN FACTOR
The key takeaway from the presentation was the critical importance of addressing the human element in cybersecurity. While technology continues to evolve, human behavior and decision-making processes remain vulnerable to manipulation. The integration of AI into social engineering tactics amplifies this threat, necessitating comprehensive education and training for individuals at all levels within the family office industry.
To mitigate these risks, I recommended the following strategies:
• Continuous Education and Training: Regular training sessions on cybersecurity awareness and the latest social engineering techniques can help staff recognize and respond to potential threats.
• Enhanced Security Protocols: Implementing multi-factor authentication (MFA), regular audits, and stringent access controls can significantly reduce the risk of successful social engineering attacks.
• AI-Based Defensive Measures: Leveraging AI to develop and deploy defensive tools that can detect and counteract social engineering attempts can provide an additional layer of security.
• Fostering a Culture of Security: Encouraging a culture where security is prioritized and openly discussed can help build a more resilient and informed workforce.
In conclusion, while AI presents new challenges in the realm of social engineering, it also offers opportunities for enhancing our defensive capabilities. By focusing on the human factor and integrating advanced security practices, the family office industry can better safeguard against the evolving landscape of cyber threats.
Unleashing The Power Of AI: Navigating The Benefits, Challenges & Risks
John Boles Principal - PwC
John is a Principal within PwC’s Cyber Practice, focusing on threats prevention and remediation. With over 27 years of experience in federal law enforcement, national security, and cyber operations, he has a unique perspective on cyber security and risk. John served in the FBI for over 20 years, leading investigations worldwide in areas such as cyber, fraud, terrorism, and violent crimes. As Deputy Assistant Director, he oversaw the federal response to notable cyber attacks and advised the White House and National Security Council on cyber-related issues.
Danielle Valkner
Partner, US Family Office Leader - PwC
Danielle is an advisory partner leading our family office practice in the U.S. She advises clients on the unique needs of family offices and private wealth owners in the areas of technology automation and innovation, finance effectiveness and reporting, process improvement, operating model transformation, risk management, and vendor selection and implementation. Prior to joining PwC Danielle worked for two large global asset managers, gaining extensive industry experience in Chief Financial and Chief Administrative Officer roles. She also spent over 10 years as an auditor in the financial services sector.
Unleashing the power of AI: Navigating the benefits, challenges, and risks was presented by PwC’s Danielle Valkner and John Boles. The presentation focused on the power, benefits, challenges, and risks of generative AI (GenAI), with a particular emphasis on its use in the private sector and family offices. The discussions included general use cases of GenAI and its application, the challenges of safeguarding data for family offices and individuals, and industry-leading examples of how to protect your family office.
Artificial Intelligence (AI) is a collection of advanced analytics and algorithms designed to inform decisions and take action to achieve a specific purpose. It encompasses machine learning, a subfield of AI that builds quantitative insights and predictions, and deep learning, a machine learning technique based on artificial neural networks in which multiple layers of processing are used to extract progressively higher level features from data. GenAI, a type of AI, uses large amounts of data and large pre-trained models to generate new content, such as text, code, images, videos and audio which is highly accessible to developers and end users.
GenAI has a variety of applications, including summarizing complex documents and agreements, searching for specific information within a document through Q&A, creating a transformed version of data, responding to a given question using chatbots, service bots, and virtual assistants, and creating net new content.
Leading firms are combining GenAI and other AI tools to deliver the best business outcomes and help reduce risks. Some real-life practical use cases include organizational chatbot and inquiry management, deal sourcing research support and synthesis, automated document generation, market risk analytics, investment and performance report generation, variation analysis and commentary generation, contract review and ad hoc reporting.
With any new technology, particularly one as novel and complex as GenAI, unanticipated consequences introduce potential risks. Risks can include model risks, data risks, system and infrastructure risks, use risks, legal and compliance risks and process risks. Regardless of whether your family office pursues GenAI, others — including bad actors — will use the technology, so it’s important your family office staff is prepared with training, responsible AI policies, and enhanced cybersecurity.
To protect personal data and identity in today’s environment, wealthy individuals are advised to educate themselves on AI/GPT and its uses, police their online presence, increase vigilance for scams/phishing/ social engineering, double down on controls, and consider reducing their online footprint.
Family offices should also consider establishing an acceptable use case policy and educating their employees.
To double down on controls and help mitigate cyber risks, consider assessing all wire transfer/payment requests and changes in banking information, establishing and educating employees on GenAI use policies, and considering monitoring its usage. It’s also crucial to educate users on AI tools, their capabilities, deficiencies, and risks and train helpdesk or call centers on social engineering risks. Lastly, enabling end-to-end encryption, considering managed service security provider support, and updating response plans are leading practices you can use for your family office.
KEY PRESENTATION TAKEAWAYS:
• Leading firms are combining GenAI and other machine learning patterns to deliver the best business outcomes and mitigate biases and risks. Use cases include organizational chatbots and inquiry management systems, deal sourcing research support and synthesis, automated document generation, market risk analytics, investment and performance report generation, variation analysis and commentary generation, contract review and key term processing, and ad hoc reporting.
• The use of GenAI also comes with several risks, including legal and compliance risks, process risks, model risks, data risks, system and infrastructure risks and use risks.
• To mitigate these risks, individuals should consider establishing an acceptable use case policy for employees and providing proper education and training, doubling down on controls, increasing vigilance for scams and phishing and policing online presence.
• Leading practices for controls can include assessing all wire transfer/payment requests and changes in banking information, training helpdesk or call centers on social engineering risks, enabling end-to-end encryption and updating response plans.
Company Profile:
PwC’s global network of nearly 328,000 professionals in 152 countries has been dedicated to building trust in society and solving important problems for more than 170 years. We work with ultra-high-net-worth individuals to holistically manage the complexity of personal wealth and help create a legacy that will endure for generations to come.
For more information visit: www.pwc.com
Why AI Will Not Eliminate The Traditional Advisor
Andrew J. Evans
CEO & Founder - Rossby Wealth & Rossby Financial
Andrew has been in the financial services industry for over 17 years. He has worked with many individual clients on their goals. He is a graduate of Ohio Northern University and Indiana University of Pennsylvania. He also served as Executive Vice President of TAG Advisors, a National Firm with over 300 independent Financial Advisors. Andrew and his wife reside in Melbourne, FL with their two children.
Andrew J. Evans is the Founder of Rossby Financial, an RIA focused on curating superior tools for financial advisors, with an emphasis on cutting-edge AI offerings. Andrew was a founder of a large Enterprise group inside of Cambridge Investment Research.
During the Family Wealth Report presentation, he emphasized that while AI is increasingly prevalent, it is still in its infancy and not yet ready for large-scale usage. He highlighted the need for more powerful infrastructure, such as increased GPU production by companies like Nvidia, to support the growing demands of AI. Andrew also stressed the importance of security and encryption as AI devices interact with each other.
Furthermore, he pointed out the limitations of AI, such as its inability to determine the best course of action for clients, and the ongoing threats posed by bad actors seeking to exploit AI for fraudulent purposes. He concluded by reaffirming the continued importance of human advisors to navigate these new threats. More of Andrew’s thoughts are below.
The challenge of AI adoption starts with the simple need of more GPU chips. Without these chips and chip makers, there will be no AI.
Nvidia is the current favorite in this field but you have others, such as Motorola making up some distance. The Chinese have their own offerings but they are further behind.
Secondly, we need to enhance our data center infrastructure to provide the power needed to make these new chips and systems work. We know there are a solid amount of energy companies working with large tech to supply this power. Amazon is currently buying up power right and there is also talk of developing micro nuclear reactors.
Next we have a large problem with security. A current AI agent can assemble a string of tokens to speak to another AI agent to pull information that is sensitive. We saw during the day’s events that you, a human, can prompt ChatGPT to give you the coding to build a phishing scam. So the development around security of our prompts and how agents can protect the information is also pretty far behind.
Lastly, there is not enough utility for AI. You can see most of the population now is using it for a very powerful search program or to build data tables. But these programs cannot reason. To develop reason or “intuition” is almost impossible at this time. Since our engagement with AI is mostly bound to LLMs (Large Language Models), we can only get a probability of the outcome being acceptable. The system will give you output based on the next best word in a string of probabilities. This is why, even though it’s wrong, Google Gemini gave a recipe to make pizza with glue. The LLMs don’t “know” what that actually means to humans.
I would like to leave you with this question to ponder on AI. Would you take a flight in a plane across the country with no human pilot? Just let the autopilot fly? Many modern planes are mostly flown by autopilot. But how do you account for anomalies or comfort of the flight? The autopilot won’t make adjustments and will shut down when presented with a problem outside of its program. In the end, you need a pilot to address and monitor for the unexpected. That would be in the air or within the wealth and needs of a family office.
KEY PRESENTATION TAKEAWAYS:
• Evans discussed the nascent state of AI, highlighting its need for robust infrastructure and security measures.
• He emphasized the necessity for increased GPU production, particularly by companies like Nvidia, to support AI growth.
• The importance of security and encryption for AI interactions was stressed due to risks of sensitive information being exploited.
• AI currently faces limitations in decision-making and reasoning, necessitating human advisors to manage these challenges.
• Adoption of AI is hindered by a shortage of GPU chips and the need for enhanced data center infrastructure.
• Security concerns include the potential for AI agents to misuse sensitive information and create phishing scams.
• The current utility of AI is limited to advanced searches and data tables, lacking true reasoning or intuition.
• Evans compared the reliance on AI to autopilot in planes, stressing the need for human oversight to handle unexpected issues.
Company Profile:
Rossby Financial, LLC, is an open-architecture registered investment advisor (RIA) dedicated to empowering advisors. Built by advisors, for advisors, the platform provides top-tier compliance, data analytics, and technology tools to support a broad range of advisors’ needs. With transparent pricing and flexibility, Rossby is committed to innovation for the success of its advisors and their clients.
For more information visit: www.rossbyfinancial.com
A Privacy Plan For Your Family Office
William Roberts Co-chair of the Data Privacy, Protection and Litigation Practice - Day Pitney
William Roberts is a co-chair of the Data Privacy, Protection and Litigation practice. He focuses his practice on advising businesses, family offices, and high net worth individuals on protecting their privacy, complying with relevant law, and responding to data breaches and government investigations. He has received numerous accolades for this work advising family offices across the country on data privacy and cybersecurity matters.
Family offices are faced with an ever-increasing number and variety of cybersecurity threats and tools to lessen the risk or severity of these threats. Family office principals have a plethora of choices from a variety of vendors deploying cutting-edge tools, and what tools make sense for a particular office will vary depending upon the office’s size, risk profile, budget, and operations. While all of this is important, family office principals and managers should not lose sight of the basics that underpin all of this – compliance with data privacy laws and implementation of a data privacy program.
Data privacy laws address how organizations may collect, use, and disclose personal data and such laws apply to all sorts of entities and operations, including family offices.
These laws may touch upon, and impose legal requirements on, family offices in a variety of contexts: (1) the personal data of family members, employees, and former employees; (2) sharing personal data with vendors, service providers, and advisors; and (3) joint ventures, affiliations, and investments. In each, a family office may be subject to a variety of data privacy laws, each with their own requirements and penalties for non-compliance.
These laws may include, for example, the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), state laws requiring a privacy program to be in place, and data breach laws found in all 50 states.
Compliance with data privacy laws requires a data privacy program to be in place. Such a program should be set forth in writing, such as through a policy, which addresses the program’s structure, leadership, data handling practices, and approach to complying with applicable law. Whether an individual or a committee, program leadership should work to ensure that the office is aware of the laws that apply to it, understands what it must do to ensure compliance, and develops the policies and procedures necessary to demonstrate compliance and ensure the proper handling of data and response to data breaches.
Program leadership should also ensure it is addressing data privacy risks and legal compliance through its collection of personal data from family members, employees, and others. Such collection may require, at times, notices of collection that explain the purpose of the collection and the family office’s data handling practices. These notices also require the family office to assess if it is selling family member data or sharing family member data for another entity’s private purposes.
A focus of the presentation was the importance of data privacy law in the context of contracting with vendors.
Every contract a family office enters into that involves (or that could involve) the vendor collecting, receiving, accessing, or using personal data (think family member or employee data) should, and often must per law, address data privacy and security. When contracting for data privacy, family offices should examine compliance with law, limitations on use, cross-border data transfers, return or disposal of data, data ownership, and many more topics.
Similarly, when contracting for security incidents, the vendor agreement should be clear on what the vendor must report to the family office, how it must make the report, when it must make the report, what the report must contain, how the vendor should respond to the incident, and many more terms to ensure that the family office and its stakeholders are adequately protected. Waiting to address the who, what, where, and how of data breach response until one actually occurs makes it exceedingly difficult for the office to protect its data and ensure a reasonable and legally-compliant response.
In a world full of cybersecurity tools, this presentation urged family offices to get the basics done right – understand the law, comply with the law, and prepare for data breaches. As often said, entities don’t get in trouble with the law because of a breach, but because they didn’t comply with the law, plan for the breach, or respond appropriately.
KEY PRESENTATION TAKEAWAYS:
• Understanding and complying with the law is the foundation for a robust data privacy and cybersecurity program.
• Family offices are often subject to a variety of data privacy laws, each with their own penalties and sanctions for non-compliance.
• Make sure your office knows which laws apply to it and that you comply with the laws’ requirements.
• A data privacy program gives family offices the structure necessary to comply with the law, protect personal data through best practices, impose data privacy requirements on vendors, and plan for and respond to data breaches in a legally-compliant manner.
Company Profile:
Day Pitney, an East Coast-based law firm with national and international reach, has more than 300 attorneys in 13 offices in Boston, Connecticut, Florida, New Jersey, New York, Providence, and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations, as well as emerging and middle-market companies. With one of the largest and most sophisticated private client practices in the country, the firm also has extensive experience helping individuals and their families, fiduciaries and tax-exempt entities plan for the future.
For more information visit: www.daypitney.com
What Can We Learn From Highly Mature Cybersecurity Programs?
Tim Schnurr, CRISC, CFA Founding Partner - Inquisitive IT
Tim Schnurr, CRISC, CFA is a founding partner at Inquisitive IT, a company that is striving to protect retirees with cyber awareness and managed devices. Previously Tim co-founded FortMesa, a governance, risk, compliance (GRC) and vulnerability management workflow platform. Tim had a long career at Deloitte in cybersecurity, product development, and data analytics. Tim also spent some time at MIT in a Deloitte collaboration to scout, validate, and commercialize new technologies. Tim frequently speaks about insider threat and the nexus of cybersecurity and intellectual property (IP) protection.
Tim Schnurr, CFA, CRISC, discusses his experience advising mature cybersecurity clients (the 5 largest banks and federal agencies with confidential information).
HUGE CYBERSECURITY INVESTMENT
The largest banks spend considerably on cybersecurity. In 2021, Bank of America announced that it spends $1 billion on cybersecurity. This equates to over $400 a month per employee. Similarly, Morgan Stanley quotes $4-5 billion on IT with 10% flowing to cybersecurity (over $400 a month per employee). Small businesses (SMBs) typically spend $40-80 per month on cybersecurity per seat or employee. This is a small fraction of the outlay of mature cyber programs.
THE ALLOCATIONS
In 2023 Deloitte provided a survey and breakdown of the average areas of spend. Large companies are spending the most on (in descending order): Governance, Network Security, Detection & Response, Identity Access, Application, Emerging Tech, Privacy, and TPRM (third party review), while SMBs are spending on Detection & Response, Network Security, Identity Access, and awareness.
Two large takeaways: mature companies are more proactive, and they spend on the people and process aspects of cybersecurity (vs only focusing on tools).
Governance, which involves delegation, policy making, risk measurement, and evidencing security, is missing from SMBs.
LESS ATTACK SURFACE
The overall strategy of mature programs can be summarized as Least Trust Lean Function. Least trust (also known as zero trust or least privilege) is providing the minimum of access to data on a need-to-know basis: the “right access” to the “right person” at the “right time”. This silo technique provides resilience to a company just as compartments do for a ship. Someone who obtains one person’s credentials can’t access all data and systems, just as flooding one compartment of the ship does not sink the ship.
Lean Function focuses on giving employees only the tools necessary to do their job and no more. All other software and applications are banned and put on the shadow IT, non-allow, or non-sanctioned list. This limits the number of vulnerabilities attackers can utilize in an attack. It also limits TPRM (third-party due diligence) cost and risk. Least Trust Lean Function is about making yourself SMALL.
DON’T FORGET INSIDER THREAT
Protecting against external attacks is only 50% of the strategy. Insiders are the greatest source of data leaks or data theft. A disgruntled employee walking out with a family office customer list or confidential information is an example of insider threat. Mature programs are keenly focused on stopping both external and internal threats.
FAMILY OFFICE RECOMMENDATIONS
How can SMBs or Family Offices take the next step to mature? Predators attack the weakest prey. Stepping up investment to not be the weakest prey is necessary, but spending too much is also possible. It’s recommended to do a risk and gap assessment against a common framework like NIST or CIS Controls. Delegate and empower a leader or employee at your family office. Measure and track progress. Lastly, “Make yourself small” by siloing data access, building data flow diagrams, and installing gates and guardrails to secure both customer and proprietary data.
Company Profile:
Inquisitive IT is on a mission to secure individuals, retirees, and independent investors by providing personalized cybersecurity programs. Inquisitive IT’s managed services include custom policies, in depth training, and managed devices. Inquisitive IT also provides cybersecurity advisory (Virtual CISO) to small businesses and family offices. For
Addressing The Threat Of Artificial Intelligence To Physical Security
Elizabeth Buckley Director of SafeHaven - Praetorian
Elizabeth Buckley is a seasoned security consultant with over 15 years of experience in offensive targeting and operations, having worked extensively in both the intelligence community and the private sector. Her illustrious career includes positions at the United Nations, Federal Law Enforcement, and various commercial enterprises. Most notably, Elizabeth’s expertise was honed at the CIA, where she specialized in technical operations, focusing on High-Value Targets and long-term targeting strategies.
Tristan Flannery Partner | Risk Management | Family Offices - Orbital Risk
In my role as Managing Partner at Orbital Risk, I steer a global risk management firm serving a diverse clientele that includes Fortune-ranked companies, family offices, and government entities. Our expertise spans corporate and national security dimensions, allowing us to offer sophisticated risk management strategies crucial in our interconnected era. Orbital Risk prides itself on being a dependable and insightful ally, dedicated to empowering our clients to comprehend and maneuver through a spectrum of risks.
The summit focused on the critical issue of cybersecurity within the sphere of family offices, with a special emphasis on the implications of artificial intelligence. The event gathered industry experts to discuss the integration of AI technologies in enhancing security protocols against the backdrop of increasing digital threats.
Our panel provided insights into the evolving threat landscape posed by artificial intelligence, with a particular focus on deep fakes and their impact on physical security and executive protection.
Scenarios addressed ranged from time-sensitive threats involving children to extortion or manipulation.
PANELISTS
Elizabeth Buckley: Expert on offensive cyber security, emulated attacks, and security-related cyber strategies.
Key Points Addressed:
• Ask “Why?” or “Who?” one more time than you feel comfortable. People with good-faith reasons for asking for something will have patience and be able to provide a reasonable answer.
• The fundamentals of security remain: protect your business logic and operate on the principle of least privilege.
• Educate yourself on detection models, because there will be solutions as the challenges evolve: benchmarking and understanding how they work is essential to choosing proper solutions for your office as they are launched.
Tristan Flannery: Expert on physical risk management, protective operations, and crisis management.
Key Points Addressed:
• The importance of integrating AI detection tools into existing security protocols to enhance response times and accuracy.
• Training needs for Executive Protection teams to recognize and effectively respond to AI-generated threats.
• Strategies for fostering collaboration between AI technology specialists and executive security teams to ensure seamless security management.
DISCUSSION HIGHLIGHTS
The discussion offered insights into the intersection of artificial intelligence and physical security, with a strong emphasis on practical solutions and preventive strategies to safeguard assets and individuals.
1. HOW DO FAKES WORK?
a. Things that can be faked:
i. Images
ii. Videos
iii. Voice
iv. Text
b. Types:
i. Plagiarism
ii. Computer generated text
iii. Cheapfakes
iv. Deepfakes - a false sound, image, or video that has been designed to evade detection by naked eye or ear, and maintains visual or audio integrity within the metadata
c. Things that can be deepfaked:
i. Images
ii. Video
iii. Voice
iv. Platforms: sora.ai, argon, DALL-E, Midjourney, Stable diffusion, D-ID, runway, etc.
2. HOW DO YOU MAKE A DEEPFAKE?
a. Video: creation through text to image and acute editing tools within the software
b. Speech: as little as 3 minutes for a good deepfake, with most platforms claiming strong cloning capabilities at 20 minutes
c. All open-source and cheap
3. HOW DO YOU DETECT A DEEPFAKE?
a. Circumstantial
i. Your grandfather calls you for money... and they have been dead for a decade.
b. Modeling
i. Data input (yaml, imagery upload, whatever the medium)
ii. Data processing: unzipping, structuring, bucketing
iii. Data modules:
- Naive modeling
- Spatial modeling
- Radio frequency modeling
iv. Current detection software: (have specifics on hand for anyone that asks)
- Benchmarking is currently being done under NeurIPS and others
- GitLab has a lot of great integrated deepfake detection models in one place
RECOMMENDATIONS
The panel concluded with a consensus on the need for ongoing education and adaptation of security measures to keep pace with AI advancements. Going back to the basics, rather than trying to create additional complexity, will likely reduce vulnerabilities.
Recommendations were made for continuous training, investment in technology, and a proactive approach to security planning, including the use of secure and duress words.
For more information contact: tristan@presageglobal.com elizabeth.buckley@praetorian.com
From Risk To Resilience: Strategies For Cybersecurity In Family Offices
Dale Buckner CEO & President - Global Guardian
Dale Buckner has been leading Global Guardian since its inception in March 2012. He is a decorated U.S. Army Combat-Commander and former Green Beret with multiple combat tours and classified operations in the Middle East and Latin America. Dale has Bachelor’s Degrees in Criminal Justice and Business, Master’s Degrees in Public Administration and Business Administration, a Masters Certificate in Strategic Leadership from Cornell and was a Senior Fellow at the Tufts University School of Law and Diplomacy.
Ileana van der Linde Head of Cyber Advisory & Executive Director - J.P. Morgan
Ileana van der Linde is an Executive Director in J.P. Morgan Asset & Wealth Management (AWM) with extensive experience in wealth management, technology, and cybersecurity. As Head of Cyber Advisory, Ileana educates clients and employees globally on how to better protect themselves, their families, and their businesses from increasing cybersecurity threats.
In a compelling fireside chat at the Family Wealth Cyber Conference in New York City, Global Guardian CEO Dale Buckner and Ileana van der Linde, Head of Global Cyber Advisory from JP Morgan, highlighted the significant vulnerabilities within family offices managing substantial wealth.
Despite overseeing millions to billions of dollars in some cases, these offices are alarmingly unprepared for cyber threats: Only 8% of family offices have in-house cybersecurity personnel; meanwhile, 67% have not engaged third-party defense providers, and 63% do not mandate cyber training for their staff, leaving them exposed to cyberattacks.
The conversation emphasized that family offices are prime targets for cybercriminals. Eye-opening data revealed that global cyber losses reached nearly $3 trillion in 2020 and are projected to rise to $10 trillion by 2024. If cyber losses were an economy, it would rank as the third largest globally, trailing only the United States and China. This stark comparison underscored the magnitude of the cyber threat landscape and the urgent need for family offices to enhance their defenses. Based on the recent JPMC FO survey, 24%+ of family offices surveyed globally have already experienced a cyber breach.
Dale and Ileana highlighted the critical difference between IT support and cybersecurity. Many family office managers mistakenly equate the two, not realizing that while IT focuses on connectivity and functionality, cybersecurity centers on protection, encryption, and defense against threats. This misalignment leaves family offices vulnerable, as IT personnel often lack the specialization needed for comprehensive cyber defense.
The experts stressed that a robust cybersecurity framework requires specialized knowledge and a proactive approach to threat management.
A significant portion of the discussion addressed authentication and the risks posed by artificial intelligence. Buckner introduced multi-factor authentication (MFA) as a crucial safeguard, particularly for large financial transactions. With AI increasingly capable of replicating voices and images, additional verification layers are essential. One practical solution proposed was a code word system, changing every 90 days and known only to key personnel. This third authentication layer ensures that even if AI replicates a voice or image, the transaction cannot proceed without the correct code word, significantly enhancing security.
The conversation also underscored the importance of robust cyber policies and the legal ramifications of neglecting them. Without comprehensive cyber policies, family offices face significant legal exposure, especially when sensitive information crosses from corporate to personal domains. Implementing strict information compartmentalization, regular password changes, and thorough cyber audits were identified as fundamental steps in fortifying family offices against cyber threats. These measures protect assets and safeguard the reputation and integrity of the family office.
One of the most striking revelations was the lack of regular cyber audits among family offices. Buckner noted that 90% of the audience had not undergone a cyber audit in the past 18 months. Such audits are critical for detecting vulnerabilities, potential breaches, and ensuring overall cyber health. He urged family offices to conduct these audits regularly to establish a security baseline and identify existing threats from entities like foreign actors or internal leaks.
The session concluded with actionable takeaways for family offices to implement immediately. Buckner stressed the importance of covering the basics – such as robust cyber policies, regular password changes, comprehensive audits, and proper authentication measures – before delving into the complexities of AI. These foundational steps are crucial for protecting family offices’ assets and ensuring their resilience against cyber threats.
Additionally, the experts recommended ongoing cyber education for all staff to cultivate a culture of security awareness. This involves regular training sessions, simulated phishing exercises, and staying informed about the latest cyber threats. Family offices were also advised to consider cyber insurance as a safety net to mitigate potential financial losses from cyber incidents.
The conversation at the Family Wealth Report Cyber Conference served as a wake-up call, urging family offices to recognize the gravity of cyber risks and take decisive action to secure their financial futures.
The insights provided underscore the importance of a proactive and comprehensive approach to cybersecurity, tailored to the unique needs of family offices.
KEY PRESENTATION TAKEAWAYS:
• Family Offices’ Cybersecurity Preparedness:
Lack of measures: Only 8% of family offices have in-house cybersecurity personnel, while 67% have not hired third-party defense providers.
Training deficit: 63% of family offices do not require cyber training for their staff, indicating significant vulnerabilities.
• Cybersecurity Risks and Statistics
Targets for cyberattacks: Family offices managing billions of dollars are prime targets for cyberattacks due to insufficient cybersecurity practices.
Global cyber losses: Cyber losses are projected to reach $10 trillion by the end of 2024.
• Authentication and AI Risks
Multi-Factor Authentication (MFA): Family offices need to adopt additional layers of authentication to mitigate risks of AI-driven fraud, especially for large transactions.
Code word system: A proposed solution is the use of a code word, known only to key personnel, as a third factor of authentication to enhance security against AI replication of voices and images.
• Cyber Policy and Legal Exposure
Necessity of cyber policies: Having a robust cyber policy is crucial for legal protection. Lack of such policies can lead to legal vulnerabilities, especially when sensitive information gets involved in legal cases.
Password management: Most family offices lack adequate password security systems. Implementing regular password changes and robust management systems is essential for reducing cyber risks.
• Actionable Takeaways
Back to basics: The conversation stressed the importance of covering basic cybersecurity measures. Family offices should prioritize fundamental security practices to protect their assets effectively.
Insurance safety net: Family offices were also advised to consider cyber insurance as a safety net to mitigate potential financial losses.
Company Profile:
Global Guardian protects and delivers families from political, environmental, and bad actor threats around the world. Our comprehensive global security solutions are custom-tailored to help clients identify and mitigate the risks of traveling and doing business both overseas and domestically.