As family office executives set up a family office or review an existing one, it is important to make sure that privacy and cybersecurity concerns are addressed and that the governance and information security infrastructures are set up to get it right from the start. Working with a family office means personalised and tailored services are delivered that take into consideration a family’s entire situation, including its assets and liabilities, as well as wealth transfer, intergenerational and philanthropic objectives. Thus, protecting the privacy and confidentiality of not only the financial and wealth management decisions but also the personal information, goals and preferences of the underlying family is of utmost importance. Family offices can establish privacy and cybersecurity controls that proactively mitigate the risk of cyber attacks, and can implement incident response playbooks that help families plan ahead in the event of a breach.
There are two types of family offices – single-family and multi-family offices. Whether the family office manages the financial and personal affairs of one family, or multiple families share resources and infrastructure costs through a multi-family office, delivering products and services in investment advising, financial planning or tax planning means a great deal of sensitive personal information will be collected, processed and managed by the family office. Below are checklists to assist family offices in identifying data privacy and cybersecurity risks.
Know your data: how to design a critical asset protection program
The first step to protecting the privacy and confidentiality of the most sensitive information housed by family offices is to know the data. By asking the who, what, when, where and how of what the family considers to be the most sensitive and critical asset, a family office can identify and design a critical asset protection program that is right-sized and risk-based. When designing a family office or reviewing an existing family office, consider the following:
- Who - Whose information is collected, processed and managed by the family office? Does it include multiple generations’ data, including children’s data for example, or is the data set limited to the family leaders?
- What - What types of data classification or access management controls are in place to ensure that only the right amount of data and personal information is used or processed by the family office?
- When - Are there repeated processes, regular schedules by which investment decisions or asset transfers are made, for example, which a malicious attacker or an insider could exploit?
- Where - If the family office has a presence overseas, or if it has clients overseas, what non-US laws might a family office need to comply with in terms of data transfer restrictions and other regulatory obligations?
- How - How is the data being used and for what purpose? Is the data being shared with any third parties, including service providers or other hosting services?
Protect yourself from cyber attack, but have a plan (just in case)
Once a basic level of governance and infrastructure controls is put in place as described above, specific protocols can be implemented to meet the physical, technical and organisational needs arising from cybersecurity risks. Hacking and other cyber attacks have occurred with increasing frequency, especially in the financial services sector, but the potential harm may be mitigated if an organisation can deal with such incidents effectively. In preparing a response to a data breach, a family office may consider the following five core functions of a cybersecurity framework:
Five Core Functions of a Cybersecurity Framework
- Identify
- Protect
- Detect
- Respond
- Recover
- Know your data. Establishing a comprehensive data privacy and cybersecurity program can feel overwhelming. To begin the process of determining a risk-based approach, the first step should be to inventory the data and establish basic governance and infrastructure controls, such as implementing policies and procedures to identify the critical assets handled and managed by the family office.
- Have a plan. No cybersecurity program will be 100% successful in detecting and preventing all cyber attacks and data thefts. Implement a cybersecurity framework that sets industry-standard levels of controls to identify, protect, detect, respond and recover from data breaches.
Richard Hsu is a Partner and Global Head of the Intellectual Property Transactions Practice Group and co-leads the firm’s Privacy & Data Protection practice. He advises companies on intellectual property, privacy, data protection, licensing and associated business issues; and has extensive experience in structuring and negotiating technology transactions for the life science, semiconductor, medical device, electronics, software and financial services industries. Mr. Hsu is also a CIPP/US/E, CIPM and CIPT Certified Privacy Specialist, host of a Privacy Podcast series and Co-Head of the firm’s Technology, Media & Telecommunications (TMT) Industry Group.
Jeewon Kim Serrato is a counsel and Co-Head of the Global Privacy & Data Protection Group where she advises companies on privacy, cybersecurity, data protection and crisis management issues. She has extensive experience in developing and structuring comprehensive data and trade secrets protection programs, implementing and testing information security controls, and helping companies mitigate cyber risks and handle data breaches.
Marc Elzweig is an associate in the Intellectual Property Transactions and Privacy & Data Protection groups of Shearman & Sterling’s Menlo Park office.
Shearman & Sterling is a global law firm with approximately 850 lawyers in 20 offices around the world, developing creative ways to address their clients’ problems in this challenging 21st century global economy. The firm’s lawyers come from some 80 countries, speak more than 60 languages and practice US, English, EU, French, German, Italian, Hong Kong, OHADA and Saudi law. They also practice Dubai International Financial Centre law and Abu Dhabi Global Market law. For more information please visit www.shearman.com