Family Office Solutions Podcast: Blackcloak
Host: Mark Tepsich
Guest: Sarah Rosen

Mark (0:01): In today’s episode, in honor of cybersecurity awareness month, we’re focusing on cybersecurity – a critical area for family offices, where implementing best practices isn’t just smart, it’s essential. I am joined by Sarah Rosen, Managing Director and Head of Strategic Partnerships at Blackcloak, a security and privacy firm within our UBS Professional Network that protects ultra-high net worth individuals, families and corporate executives from cyber threats. While these providers are not affiliated with UBS, and we do not endorse or recommend them, we’ve chosen them for their ability to offer services that align with the high standards our clients expect. Sarah, thank you again for joining me today.

Sarah (0:51): It’s my pleasure – happy to be here.

Mark (0:54): So, let’s dive in… cybersecurity. This is clearly an increasing threat landscape for our family offices. You know, the Deloitte 2024 Family Office Cybersecurity Report found that 43% of family offices worldwide experienced a cyber attack within the last 12 to 24 months. 25% of those targeted suffered multiple breaches. Additionally, RSM found that 83% of family offices report that cybersecurity is one of the top concerns in operational risk. So, and I could tell you anecdotally from our family offices themselves, kind of speaking to them every week, you know, this is something that’s not necessarily on the back burner. It’s something that’s very important, and they’re really just looking for more resources to understand how they can safeguard their families. So, what is happening that has resulted in the recent urgency and concern around cybersecurity?

Sarah (1:49): Yeah, I think it’s a great question, and in many regards it’s good to hear that the clients you’re working with are recognizing this as a concern. It’s sort of elevated to the point of ‘let’s better understand the problem so we can find some solutions.’ And I think with a family office, they’re in a really unique position, so when we think about the landscape for high net worth and high profile individuals in general, I think the business case that’s on the hacker’s side is clear, right. These are folks, they don’t have a ton of security in place, because generally it’s just within their personal lives, whether it’s, you know, personal bank accounts or personal cyber hygiene practices, which I think – I will attest to – we are all less vigilant in our personal lives than we probably are in our corporate lives, where there’s a little bit of governance in that realm. But when we look at the family office in particular, you sort of got the dual combination of an entity, right, a firm, an institution, and then the family attached to it. And unlike a corporation, there’s a lot less rigor put in place when you think about the basics of exchanging information in many instances. So, with a corporation, you’ve got a team of security folks, and everybody is on the same domain, right, so you kind of have a defined digital space that you’re trying to protect, which is very different than a family office. With most of the family offices we see, there’s some sort of central domain, some sort of email address ‘@familyoffice.com’ or whatever it might be. But the individual family members are on their Gmail accounts, they’re on their separate accounts, they’re using personal computers, and this is sort of the inconsistency that the bad guys are able to take advantage of. When we think about what cybercrime is – just sort of wipe away the complexity of this concept of cybersecurity – in a nutshell, what’s happening is these bad guys, they are finding information about all of us. It is – much of it is seemingly innocuous. So, yes, they can find passwords on the dark web, and other important information, but a lot of what they’re gathering about each of us is seemingly innocuous because they’re going to try to trick us, they’re going to try and trick our devices, they’re going to try and trick third parties, so that they can ultimately pull off the heist. And I use the word heist very deliberately because I think this gets to the crux of the ‘why now’ question that you’re asking. There’s a level of hacker – I call them the Ocean’s Eleven hacker – because of the level of preparation that they’re willing to put into their heist. So, these guys, they see a target, and they are willing to invest time, and money, and resources into that target. And what that might look like in its simplest form is somebody sitting inside your email, studying you and a family member, for 6, 8 months, sometimes a year, before they pull off any sort of heist. And knowing that that is the type of bad guy that family offices should be concerned about – not the sort of day-to-day scam that we are all privy to, that we’re familiar with in texts or otherwise – just, things that generally we can see through with some level of digital sophistication. These bad guys come so armed when they’re ready to pull off whatever crime they’re going to commit, usually financial, sometimes reputational, it’s almost impossible to see them coming. So knowing the basics of cybercrime – what the bad guys are doing and how they’re doing it – and the type of bad guy you’re dealing with I think is really important.

Mark (5:27): Yeah, I mean you made a great point earlier when you said the domain to be defended is really defined with institutions. But with families, if you’re a family office you’re emailing the family members, to your point, on the Gmail, on the AOL email address, and so that, I see that being a huge component of reliability with respect to cybersecurity. So, how should a family office team be thinking about cybersecurity? And what are the components of the program that we should be considering and incorporating with both the firm and the family?

Sarah (6:05): Within the firm, whenever we think about the firm, usually what we’re going to find is at least some sort of tech resource. Usually, it might be a part-time tech resource; it might not be solely dedicated to the firm, but they are able to be accessed. This individual might have a varying degree of familiarity with cybersecurity specifically and cyber practices. Certainly, they’ll have a cursory understanding, but I think when we think about protecting the firm, there are very well-established best practices as it relates to sort of, we’ll call it corporate – I know this isn’t exactly a corporation – governance. I think understanding what those are and consulting with a cyber expert – whether you’re setting up the firm or you’re trying to bolster hygiene practices – is really the best approach to make sure the bases are covered. I would say first and foremost thinking about email and email compromise and ensuring that email compromise doesn’t happen. Then, we’re thinking a lot about identity verification as it relates to interaction with the family members – making sure folks who are directing wire transfers or auto wires are in fact the individual that we think they are. Then the next component, where Blackcloak is really focused, extends to the actual family members themselves. So, chances are pretty good that a bad guy is not going to target a family office that has some cybersecurity, but they may target the family members because, you know, if you’ve got a fourteen year old who’s really into gaming, chances are good being able to access information through their accounts or otherwise. It’s probably going to be easier than any sort of formal governance. So, understanding where the risk exists within the family, and where the access points are that the bad guys have to try and access the information they’re going to use to pull off the heist.

Mark (7:54): Perfect, so sticking with the family. It sounds like the family office really needs to be aware of the digital lives of their own family members, of the family members they serve, in order to assess the level of risk in the family. Can you break down those components a bit – of the digital life and how the family office team should really be assessing that or helping the family understand the risk there?

Sarah (8:18): Yeah, and if we go back to our definition of cybercrime, it’s sort of simple to follow the path. So, first and foremost, is privacy, and so is data. Just lift privacy off your head – what we’re really talking about is a digital footprint. So, that digital footprint is all of the information about an individual, or the collective family, that exists online. Some of it is deliberate – it might be promotions, it might be participation in some sort of charity or otherwise; it is information that you want to be out in the world. Then the rest is this seemingly innocuous information that’s very much the tools of the trade of a bad guy. When they can’t find any digital footprint – if they don’t have any information about the family or the family members – they’re going to move onto their next target, because that is essential for them to do what they do. So, understanding the digital footprint of the family is really important: How much information is out there? What’s the nature of that information? It exists really in two places – one is the traditional internet. There’s something called a data broker that you might be aware of – one of those firms that, if you google somebody’s address, they charge you $1.99 for all of their information, that’s a data broker. Then on the flipside, the dark web – you can’t remove information from the dark web, but that’s where all the breached data ends up. Knowing what is on the dark web, which is something that’s completely knowable, Blackcloak can inform our clients about what’s out there, and making sure you’re monitoring for any new information, that’s where the information is bought and sold by bad guys. So knowing what is being bought and sold allows you, through Blackcloak or through your security provider, to put the mechanisms in place to make sure that whatever information exists doesn’t become a problem. So digital footprint is number one. The next is devices. So when we think about devices – whether it be a laptop or a phone – that is where information lives and we want to make sure the bad guys can’t get to the information. Whether it is consumer-grade malware, which has some limitations, we recommend enterprise-grade malware as it’s available to folks, but it is certainly better than nothing in making sure those devices are protected. Within the devices we’ve got the apps – you’ve got your different apps, whether it’s your email app or your social media apps. The bad guys – after they get into your device – they’re going to want to get into those apps, so, looking about and thinking about how those are secured. Whether it be through passwords or multi-factor authentication. At times, passwords can be overwhelming when you think about all of the logins that all of the family members might have. Our recommendation is really focus on four types of accounts or apps: social, health, financial, and emails. If you secure to the hilt those four types of accounts, which usually adds up to be about ten to twelve total logins for a given client, if they have a couple of social media and a couple of emails, then you’re really ahead of the game. Finally, if you think about the whole home ecosystem – particularly in the age of smartphones – you want to make sure that all the devices that are in the home that are generating information, seemingly innocuous, are also protected and can’t be accessed. So, it can be as significant as an internal camera, from a security standpoint, to as basic as an electric, self-manned vacuum cleaner that collects the layout of your house. But making sure your Wi-Fi is secure, and the router more specifically is secure, is really important to keeping all of that information generated by smart devices protected and out of the hands of bad guys.

Mark (12:04): Perfect, so let’s get even more tangible. Let’s talk about practices, let’s talk about remedies – So, what remedies can family offices recommend to their family constituents in order to reduce their overall risk?

Sarah (12:18): So, step one is convincing, in many cases, the family that there is risk. On a broad scale, everybody we talk to says ‘Yes, I’m familiar with cybercrime and I am concerned about it,’ however, helping them elevate to the level of needing a solution or feeling the acute risk that exists that they need a solution… more often than not, that really results from an incident. Whether it’s a friend’s incident – a friend had $70,000 stolen – or a small incident that doesn’t cause too much harm, a lot of times that will sort of spark people into action. Blackcloak will put together a ‘threat assessment’ for our family offices to bring to their principal or other family members. It helps to quantify, in that privacy area, how much data is out there, and also helps to illustrate how the bad guys are using that information. Explaining how cybercrime works often goes a long way in having the family have an appetite to either put in better cyber hygiene – the motivation, let’s say, to do it – as well as the ability to recognize what could be at stake. So, I mentioned the password. I think when we think about passwords, password managers in particular for family offices are highly, highly recommended if not absolutely essential. If there is any sharing of information of passwords or accounts, this is simply just the best way to make sure, as you’re sharing that information, that it’s staying secure. I mentioned passwords, but I think above and beyond passwords, we really recommend authentication. So, multi-factor authentication is one example of authentication. Oftentimes, that looks like a code to your phone – if you’ve ever signed into an app and it sends a code to your phone. If you can use biometric instead, so if you have an option between a code being sent or biometric, the biometrics are always going to be a higher level of security. Somebody could steal your phone or your SIM card and therefore they could steal that sort of passcode that gets sent to you. You also can use an authenticator. So, Google has an authenticator, there’s something called Authy, and this is the type of system that generates a code but it resets every 30 seconds I believe, or 15 – one of those. That’s also a really excellent option for keeping those applications secure. Device protection: So, I know I mentioned consumer-grade malware. Consumer-grade malware – good, better than nothing, one-hundred percent recommend in the absence of any other sort of anti-malware. But if we go back to that Ocean’s Eleven hacker – that sophisticated type of bad guy that’s looking at family offices – we may want to look at something a little bit more sophisticated than traditional malware. The way traditional anti-malware works is it recognizes trends. So, if there’s a bad guy, if there’s a ladder in front of my house, with a guy in a black hoodie rattling my window at 2:00 a.m., chances are pretty good something nefarious is happening – that might be a bad guy. Traditional malware works the same way. This digital instance has the indication that we’ve seen in the past – let’s flag it, and it’s probably something bad that we don’t want to introduce to the computer. When you think about enterprise-malware, it’s a bit more sophisticated. In my instance, there’s a guy in a black hoodie on a ladder at 2 a.m. If he were just to put on a yellow hoodie, for example, so the pattern doesn’t match, in theory, traditional consumer malware might not catch it, but the enterprise malware would. The challenge with enterprise malware is it requires a team of twelve plus individuals to manage the system and otherwise, but given the size of the family office it’s something that’s potentially worth considering. ID verification is another important step. In most instances, the family offices we work with do have some sort of non-technical ID verification process. Whether it’s a code word, or a call-back process, or something connected to major requests – financial or otherwise – verifying the identity, and that’s great. We do have deepfake, sort of, entering into the system, and a deepfake is going to allow us to – or allow the bad guys – to fake a voice. So if your process traditionally has been a voice, a call with a voice sort of confirmation, you may think of more evolved ways to evolve that process around ID verification. But making sure the person is who they say they are, that are making the directives, is super important. I think we’ve all sort of had that near miss with the emails, which can be terrifying because they really do – after sitting in someone’s email for a year – when in fact they send you sort of the fake invoice or the fake wire transfer, it is almost impossible to detect the difference between the real and the fake.

Mark (17:34): Alright, perfect, so that is a lot, which brings me to my next question. So, you’ve mentioned dozens of things that family offices should do to keep themselves and the family more secure. Where should they look to help them create a program, not just a one-single practice that’s going to help, but really a program that’s an overarching risk-reduction framework for cybersecurity… Where should they be looking?

Sarah (18:04): So I think the first step is really in whatever trusted advisors exist. So Mark, yourself and your team are a great example of a trusted advisor. You are not cybersecurity experts, but you know a few that you can direct them to. Now, when we think about governance and programs, there are sort of smaller vendors, let’s say, cybersecurity experts who really understand family offices, that can help with the design of that governance program if none exists. Those trusted advisors, whether they’re financial or otherwise, also hopefully are starting to understand the options that exist for personal cybersecurity like Blackcloak. We spend a lot of our time educating that circle of trusted advisors – whether it’s lawyers, whether it’s accountants, whether it’s wealth advisors or even family office sort of staff and otherwise – so that they do have that information to guide the family in that realm.

Mark (19:01): So, that’s great – I mean that’s very helpful. So, before we wrap up, is there really anything else that the folks listening should know or think about when it comes to cybersecurity here?

Sarah (19:14): So, I think a rising trend – and I think we’ll see it more in 2026 – really has to do with multi-generations. Generational handoffs have always been a component of family offices. But if we look at it from a cybersecurity perspective, I think there’s a misperception that the younger generation, so let’s say twenty-five and under, are tech savvy. They are for sure – they were born and raised tech savvy – but what we’re starting to see is that they’re more the opposite of privacy savvy. So when you think about how technology has played a role in their lives, it’s the opposite of private. They’ve seen and learned to put everything online. So, I think thinking about that next generation, educating them around privacy and the importance of privacy, because again, there’s no information about the family or family members that is not going to be targeted. That is sort of step one. So really starting to focus in on the concept of privacy with that younger generation is something I think to put on the radar – certainly as a secondary tier of importance when we think about broader cybersecurity. But I think it’s going to have growing importance here in months to come.

Mark (20:23): Sarah, that was great. Certainly a lot of things to consider and ponder. You gave some tangible advice and insight, and thank you again for sharing to help us better understand the evolving cybersecurity landscape and its impact on our family offices. As we’ve heard today, the digital lives of family members are deeply intertwined with the integrity of the family office operation itself, and of course protecting both requires proactive planning, and education, and the right partnerships. For our listeners, if you haven’t already begun building your cybersecurity framework or revisiting your current protocols, now’s the time. Remember, you don’t have to do this alone. There are trusted partners like Blackcloak, a provider within our UBS Professional Network, and your UBS advisors to help guide you through the process. So thank you for tuning into this episode of the Family Office Solutions podcast. If you have any questions about UBS, Blackcloak, or even our professional network in general, please contact your UBS advisors. Be sure to join us next time as we continue exploring the tools and strategies that empower family offices to strive across generations. Thank you everyone. Thank you, Sarah.