We are flooded with news reports of major data breaches and malware attacks. The reports focus on attacks against businesses with significant volumes of sensitive personal and financial information, like financial institutions, hospitals, retailers – and most recently, law firms. There is no question that the press pays the most attention to a data breach when large volumes of valuable information have been stolen or encrypted for ransom.
Some firms, like business managers and family offices, have not received much media scrutiny. But lack of media coverage is not a reason for comfort. These organizations are ripe targets for intruders, precisely because of the people they represent and the information they possess. Business managers and family offices hold the most confidential information of their clients – financial records, bank and securities account information, health records, estate planning and trust documents, physical locations of valuable assets and the like. Intruders do not gravitate only to the largest companies or those with the highest public profiles. Rather, intruders are attracted to targets with valuable information, regardless of who they are.
Many business managers and family offices operate under the dangerous and false assumption that they are not large enough to attract attention from intruders and therefore “operate under the radar.” As a result, many of these firms and family offices do not have adequate data security and privacy policies and practices. It is not unusual to see computer systems in business management firms and family offices that are riddled with vulnerabilities that permit intrusions, with no policies and procedures in place to deal with intruders or the virtually 100% probability of a breach. Many business management firms and family offices also lack appropriate cyber insurance coverage.
Here are some realities that business managers and family offices must address to create a cyber secure organization:
- Over 95% of all breaches are the result of human error or recklessness. If your organization does not account for the “human factor” in cybersecurity, no amount of technology will prevent an intrusion.
- If you do not have an up-to-date incident response plan, any success you have in dealing with an intrusion will be random at best.
- If your organization does not know its cybersecurity risk profile, your organization’s cybersecurity efforts are, again, pretty much random.
- Don’t assume that you have not been hacked just because your IT person has not detected an intrusion or a client hasn’t called to complain about his or her information getting into the public domain. Hackers are clever. They can be roaming your system for months without your knowing about it.
- Having a backup system for your data only lets you continue conducting business if you are attacked. A backup system, no matter how good, does not protect you from hackers.
- If you have cyber insurance and you have not taken a good look at your coverages lately, you may be unpleasantly surprised by what is not covered. If you do not have cyber insurance, you should immediately investigate obtaining it.

Immediate steps can be taken to improve your organization’s cybersecurity profile and incident response readiness – an effective and up-to-date incident response plan, tailored cybersecurity policies, appropriate cyber insurance coverage and, critically, raising the awareness of all employees so that your staff becomes a part of your cybersecurity solution.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.