Bringing Cyber Security to the C-Suite: Addressing the Exposures of High-Net-Worth Individuals
December 1, 2021
Cyber risk has become a top concern for organizations in all industries, ranking number one in Aon’s 2021 Global Risk Management Survey. However, one important and expensive aspect of cyber security that is in danger of being overlooked by organizations is managing the exposure of high-net-worth individuals, particularly members of the C-suite.
High-net-worth executives typically have a larger online footprint and greater access to sensitive corporate information compared to other employees in an organization. At the same time, activities associated with top executives’ roles, including frequent travel or having an inner circle of staff members who have access to the executive’s personal and work information, can increase their exposure. In addition, many executives view the cyber risks they face as independent of their behavior and a matter solely for the organization’s IT department because of their busy schedules, generational or cultural perspectives on security, or a lack of understanding of risks associated with online exposure.
The move to remote work forced by the COVID-19 pandemic has further amplified the risk. All of these factors make high-net-worth executives appealing targets for cyber criminals.
“The C-suite is relying heavily on those in information security, risk management and legal to protect them, the board and the organization,” says Christian Hoffman, CEO of Aon Cyber Solutions North America. “There’s a lot of work to be done to raise awareness on this topic, and all the elements of this particular risk.”
High-net-worth individuals are high-value targets for cyber criminals. An executive’s pattern of life, from attending business meetings and speaking publicly at industry conferences to getting involved in charities and community activities, may provide sources of personal information that can be used in malicious activities. In addition, these leaders have greater access to sensitive corporate information such as business deals and financial or personnel data. Executives also typically rely on staff to manage their travel, professional activities and even personally identifiable information such as social security numbers, passports and email accounts.
If not managed properly, this type of information might flow across different channels of the organization’s network, potentially exposing it to cyber criminals who can use it in identity theft or social engineering attacks.
As with other aspects of cyber security, many organizations tend to be reactive toward addressing the exposures of top executives, only responding after an incident has occurred. “They start to take cyber security seriously after experiencing an incident and facing the consequences of identity theft or financial fraud that impacts them or their family,” explains James Trainor, senior vice president at Aon Cyber Solutions.
Recognizing the Extended Network of Risk
Addressing the cyber exposure of high-net-worth executives must go beyond the front door of the business and the behaviors of the individual. Activities of those supporting the executive — and even family members — must be taken into account.
“In some ways, it’s actually the network that supports these executives that is probably even more critical,” says Catarina Kim, managing director of intelligence at Aon Cyber Solutions. “This support network has the keys to the accounts, to the car, to the home, to the office, to all the different ‘crown jewel’ information that the executive may have.”
“Administrative assistants, executive assistants, chiefs of staff, lawyers and counsel; they’re also subject to a lot of this cyber risk,” says Arshi Ahmed, senior director of product management at Aon Cyber Solutions. “Plus, the executives’ families pose a cyber risk, because the executives are only as secure as what a family member is posting on social media.”
Taking an Individual Approach to Changing Behaviors
Improving cyber security involves changing employee behaviors. Doing so with high-net-worth executives works best with a personalized, tailor-made approach. Executives’ cyber security should be viewed as part of a holistic approach to an organization’s broader strategy of protecting its overall security.
C-suite executives are constantly busy and, while some will be willing to take the time to understand their cyber exposures and discuss the behavioral changes necessary, others might be too in-demand to devote the time and attention. It is necessary, then, to get a complete picture of the individual’s lifestyle to determine the best way to get them to make the necessary changes.
“You have to have a good understanding of who the person is, their set-up and their communication style,” says Kim. “Typically, it’s hard to assess that from the outside. So you have to work with internal stakeholders to figure that out.” For example, while one executive might understand the risks from the outset and immediately make the needed changes, another executive may only be motivated to take action when fraudsters and cyber criminals start targeting their family members.
“If you take a holistic approach in a proactive organization, you have a more comprehensive strategy,” says Kim. “This approach can consider physical security, executive protection teams and cybersecurity teams to ensure that there’s no active targeting of their organization or of their executives.”
Caring for High-Net-Worth Individuals’ Digital Health
Ultimately, an organization’s efforts to protect its high-net-worth executives’ cyber security should follow the same lines as implementing effective cyber security across the enterprise. The effort should be top-down and enterprise-wide, not simply relegated to the IT or security departments.
Ahmed likens the cyber security effort to protecting executives’ physical health. “Cyber security is a complicated affair for someone who’s a 60- or 70-year-old to understand or for a C-suite executive who outsources their cyber security to their IT staff,” she says. “This should not be viewed as just an IT problem. High-net-worth executives have to increasingly view their cyber security as their own digital health risk problem, which they and their organization should be addressing.”