Privacy and Cybersecurity Checklist When Designing a Family Office

As family office executives set up a family office or review an existing one, it is important to make sure that privacy and cybersecurity concerns are addressed and that the governance and information security infrastructures are set up to get it right from the start. Working with a family office means personalised and tailored services are delivered that take into consideration a family’s entire situation, including their assets and liabilities, as well as wealth transfer, intergenerational and philanthropic objectives. Thus, protecting the privacy and confidentiality not only of financial and wealth management decisions but also of the personal information, goals and preferences of the underlying family is of utmost importance. Family offices can establish privacy and cybersecurity controls that proactively mitigate the risks of cyber attacks and implement incident response playbooks that help families plan ahead in the event of a breach.

There are two types of family offices – single-family and multi-family offices. Whether the family office manages the financial and personal affairs of one family, or multiple families share resources and infrastructure costs through a multi-family office, delivering products and services in investment advising, financial planning or tax planning means a great deal of sensitive personal information will be collected, processed and managed by the family office. Below are checklists to assist family offices in identifying data privacy and cybersecurity risks.

Know your data: how to design a critical asset protection program

The first step to protecting the privacy and confidentiality of the most sensitive information housed by family offices is to know the data. By asking the who, what, when, where and how of what the family considers to be the most sensitive and critical asset, a family office can identify and design a critical asset protection program that is right-sized and risk-based. When designing a family office or reviewing an existing family office, consider the following:

  • Who - Whose information is collected, processed and managed by the family office? Does it include multiple generations’ data, including children’s data for example, or is the data set limited to the family leaders?
  • What - What types of data classification or access management controls are in place to ensure that only the right amount of data and personal information is used or processed by the family office?
  • When - Are there repeated processes, regular schedules by which investment decisions or asset transfers are made, for example, which a malicious attacker or an insider could exploit?
  • Where - If the family office has a presence overseas, or if it has clients overseas, what non-US laws might a family office need to comply with in terms of data transfer restrictions and other regulatory obligations?
  • How - How is the data being used and for what purpose? Is the data being shared with any third parties, including service providers or other hosting services?

Protect yourself from cyber attack, but have a plan (just in case)

Once a basic level of governance and infrastructure controls is put in place as described above, specific protocols can be implemented to meet the physical, technical and organisational needs in terms of cyber security risks. Hacking and other cyber attacks have occurred with increasing frequency, especially in the financial services sector, but the potential harm may be mitigated if an organisation can deal with such incidents effectively. In preparing a response to a data breach, a family office may consider the following five core functions of a cybersecurity framework:

Five Core Functions of a Cybersecurity Framework

  • Identify - Have an understanding of how to manage cybersecurity risks to systems, assets, data and capabilities. Have you considered specific kinds of cyber attacks? Different types of cyber attacks may demand different responses. A ransomware attack, for example, raises questions about backup policies, such as whether information is backed up thoroughly and held offline. Risk assessments should be conducted regularly to design and implement a comprehensive risk management strategy.
  • Protect - Controls and safeguards necessary to protect against or deter cybersecurity threats. Are controls in place, and have employees been trained on those controls? Establishing access controls over sensitive information and training employees and service providers on the safeguards will help maintain a cybersecurity program that protects the organisation from internal and external threats. To test the effectiveness of such controls and training, regularly scheduled phishing tests or tabletop exercises are recommended to test how the organisation fares in response to attacks and breaches.
  • Detect - Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events. Are data forensic capabilities in place that will detect anomalies, fraudulent activity or data theft events? A robust data security program should include forensics and monitoring that will assist not only in detecting a cyber attack or a breach but also in analysing and understanding it after such a vulnerability is discovered.
  • Respond - Incident-response activities. Is an incident response team in place, and does the team have a playbook to follow in the event of a breach? A cross-disciplinary team should be in place to receive reports, investigate potential breaches and respond to known breaches. Response plans and playbooks should clarify roles and responsibilities, including how the family will be notified, whether law enforcement will be contacted and who will analyse the various other legal notification requirements that may be triggered.
  • Recover - Business continuity plans to maintain resilience and recover capabilities after a cyber breach. If a severe cyber attack renders the family office’s network unusable, how fast can the network be shut down and brought back into operation? Recovery planning should include not only procedures for how best to respond and keep the organisation resilient but also how lessons learned from “near-misses” can be incorporated to address data security gaps and reduce future risks.

Key takeaways

  • Know your data. Establishing a comprehensive data privacy and cybersecurity program can feel overwhelming. To begin the process of determining a risk-based approach, the first step should be to inventory the data and establish basic governance and infrastructure controls, such as implementing policies and procedures to identify the critical assets handled and managed by the family office.
  • Have a plan. No cyber security program will be 100% successful in detecting and preventing all cyber attacks and data thefts. Implement a cybersecurity framework that sets industry-standard levels of controls to identify, protect, detect, respond and recover from data breaches.

Richard Hsu is a Partner and Global Head of the Intellectual Property Transactions Practice Group and co-leads the firm’s Privacy & Data Protection practice. He advises companies on intellectual property, privacy, data protection, licensing and associated business issues; and has extensive experience in structuring and negotiating technology transactions for the life science, semiconductor, medical device, electronics, software and financial services industries. Mr. Hsu is also a CIPP/US/E, CIPM and CIPT Certified Privacy Specialist, host of a Privacy Podcast series and Co-Head of the firm’s Technology, Media & Telecommunications (TMT) Industry Group.

Jeewon Kim Serrato is a counsel and Co-Head of the Global Privacy & Data Protection Group where she advises companies on privacy, cybersecurity, data protection and crisis management issues. She has extensive experience in developing and structuring comprehensive data and trade secrets protection programs, implementing and testing information security controls, and helping companies mitigate cyber risks and handle data breaches.

Marc Elzweig is an associate in the Intellectual Property Transactions and Privacy & Data Protection groups of Shearman & Sterling’s Menlo Park office.

Shearman & Sterling is a global law firm with approximately 850 lawyers in 20 offices around the world, developing creative ways to address their clients’ problems in this challenging 21st century global economy. The firm’s lawyers come from some 80 countries, speak more than 60 languages and practice US, English, EU, French, German, Italian, Hong Kong, OHADA and Saudi law. They also practice Dubai International Financial Centre law and Abu Dhabi Global Market law. For more information please visit