GUEST FEATURE: Cybersecurity Basics For The Family Office - Part One
Annmarie Giblin and Theresa Pratt
19 September 2016
This item was originally published in Family Wealth Report, sister news service to this one. While some of the examples are drawn from North America, the proliferation of family offices worldwide, and the borderless nature of cybercrime, means investors in Asia, Europe, the Middle East and elsewhere are sure to find these topics of interest.

Cybersecurity is an area of increasing focus and concern for the family office. It can also be a confusing and difficult area for the family office, where allocation of assets is always a concern and deciding where to invest them in cybersecurity is not always crystal clear. Indeed, a family office is charged with more than protecting wealth: it must also ensure legacy, reputation and relationships. In the past, the family office could insulate itself to some degree with discretion and proper hiring. This is no longer the case. Family offices must take proactive steps now, first, to help prevent a cybersecurity incident and, second, to minimise the damage should one occur.

To further complicate this area, the aftermath of several high-profile cybersecurity incidents and the government’s increased focus on this area have created a lot of noise about cybersecurity best practices and incident response. This article will attempt to quiet some of that noise by providing the general legal perspective of what a solid cybersecurity programme should include, combined with the boots-on-the-ground realities of implementation.

It is important to realise that cybersecurity, and security in general, is not a one-size-fits-all programme. Each family office or multi-family office must tailor its cybersecurity programme to fit the personality and needs of the office. It is also important to re-evaluate the office’s approach to cybersecurity on an annual basis to ensure that the programme is keeping up with the growth and needs of the office. However, there are some general and basic steps that can be taken to ensure a basic level of protection in whichever programme best fits the individual office’s needs.

Back to basics – what is cybersecurity?

According to TechTarget.com, “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programmes and data from attack, damage or unauthorised access. In a computing context, the term security implies cybersecurity.” It is common for the word cyber to receive too much focus in this area. Instead, the focus should be on “security”, which is the fundamental goal of any cybersecurity programme.

Technology has made life much easier, but it has also created a back door to information. The explosion of mobile technology has further complicated this area, as our smartphones and tablets, items of great enjoyment and convenience, make our information systems that much more vulnerable. If you think of the family office as a home, weak cybersecurity is the unlocked and unalarmed back door. A criminal just needs to figure out how to open the door and they are in the home. The goal is to secure that door as much as possible and, further, to protect the most valuable information as you would your valued possessions in the event that they do get in.

Preparing for the worst, hoping for the best – the legal perspective

From a legal perspective, it is best to assume that the family office will be the victim of a cybersecurity incident and to prepare for it. It is much better to be over-prepared and ready for the aftermath than left holding the bag when an incident occurs. Of course, a scorched-earth policy is not required and, as noted above, each office needs to tailor an approach best suited to address its security concerns. There are, however, several universal actions that can be taken to put the family office in the best position possible to deal with and protect against a cybersecurity incident. Regardless of the family office’s approach to cybersecurity, or security in general, it is imperative that the family office has a plan in place. In today’s legal and regulatory landscape, not having a cybersecurity programme is no longer acceptable.

An initial first step in this process (whether starting a security programme from scratch or taking a fresh look at the one already in place) is to create an “information inventory”. An information inventory identifies what information the office maintains and why. Once the information is identified, it must be organised into categories of importance, so that the most sensitive information can be identified and heavily protected. Using the house example above, this is akin to putting expensive jewellery in a safe in the event of a burglar breaking in. This is much easier said than done, especially if dealing with a multi-generational family office that is still using legacy systems, but it must be done nonetheless. Indeed, if the family office is the victim of an incident, the only way to know what was taken is to know what you had. Without this fundamental information inventory, there is no way to effectively protect the most sensitive information and ensure that it has not been compromised in the event of an incident.

This is also an important step for the family office to actually know what information it is maintaining and why. This exercise may reveal that resources are being wasted on keeping irrelevant or useless information. It may also reveal information being maintained that is not supposed to be within the office. Most importantly, when completed, the information inventory will help to streamline the cybersecurity processes and help to put effective security in place.

Second, once the inventory is complete, the information identified needs to be protected. Remember that, when putting these security policies into place, it is important not to forget physical security. Sensitive information can still be stolen from a piece of paper. Ensure that any cybersecurity programme identifies the physical threat as well as the virtual, and considers both when putting protections into place. In the same way that you would not use a shotgun to kill a housefly, there is no need to protect all of the information maintained by the family office in the same manner. Overkill can be not only useless, but extremely expensive. Thus, a layered system is likely to be the best way to ensure all the information is protected, with the most sensitive and important information receiving the strongest security.

In order to do this, the family office will need a data retention policy (DRP), an incident response plan (IRP) and a team of professionals to implement them both. The DRP should be an outline of what general types of information the family office keeps, where this information is kept and why. The DRP should include a time frame for the storing of documents and for their destruction. The DRP does not have to be overly detailed, but it should be at the very least a general blueprint for the data collected and maintained by the family office.

The IRP should detail what the office will do in the event of a cybersecurity incident. The IRP needs to be as detailed as possible to ensure that when an incident occurs the plan goes into effect immediately to stop the attack/loss of information and to find out what was taken. The IRP also needs to address the aftermath: insurance policy information so that notice can be provided; necessary contacts (i.e. attorney, law enforcement, forensics, key family members, PR personnel, etc.); which breach notification laws must be complied with and the time frame for each; preparation for potential litigation and regulatory hearings, etc. The IRP is a fluid document, and should be tested and updated as much as possible. Time is of the essence in a cybersecurity incident and the IRP should allow the response to an incident to start as soon as possible.

Both the IRP and DRP need to account for third parties/vendors with which the office shares its information. Indeed, not only are third parties potential sources of an incident, but these relationships are now being examined very closely by regulators. Include not only a system for the sharing of information with third parties, but also a way to recover the information, or provide for its destruction, once it is no longer needed by the third party.

Ensure that the employees of the office are familiar with the DRP and the IRP. Conduct annual training to ensure that both are being adhered to and that best security practices are being followed. A family office, or any business for that matter, can have the best policies on paper, but if they are not being followed, or if the employees are not familiar with them, they are useless.

In addition to the DRP and the IRP, each family office should have a cybersecurity team. Ideally, the cybersecurity team will include outside professionals who are familiar with the office’s DRP and IRP (hopefully having been a part of drafting or testing the IRP) and who are ready to implement it in the event of a cybersecurity incident. The team at the very least should include a forensics professional and outside counsel. If possible, the team would also include a PR professional and an insurance professional. The team can also include anyone else essential to getting the office back to business, which can mean different things for each office. Importantly, the team should be assembled and practised before an incident.

Bringing in outside counsel and forensics professionals is particularly important in the event of a cybersecurity incident. Outside counsel can not only help to guide the legal aspects of the incident response, but can also help to keep certain portions, or the entire investigation and response, privileged, which will be important in the event of any resulting litigation. Outside forensic professionals are equally important because they will be needed to stop the attack, identify the vulnerability and, if possible, recover the information. Indeed, the family office’s own IT team may be too close to the situation to deal with it effectively and/or too overwhelmed with other aspects of the office’s systems, and will likely need the help.

Finally, test all of the above. An IRP needs to be tested to reveal any holes that only a real-world situation can show. The family office should work a cyber breach fire drill into its yearly schedule to ensure that the IRP is as tight as possible and effectively deals with any real-world issues that were not considered. The drill will also show how effective the plan is when implemented, which will allow for necessary tweaks. The best way to accomplish this is to include only a few key members of the office in the drill, allowing everyone else to believe that this is a real-life event. These drills, along with penetration testing, should be an integral part of the overall security plan. Overall, it is better to be prepared and never have to use the plan than to be underprepared and suffer a greater loss from the incident.

Remember that the above is a very general outline of what a cybersecurity programme should cover, but a programme that does cover at least these basics is a great first step to a more secure and protected family office. Part two of this article will explore the realities of implementation of a cybersecurity programme for the family office.

These views belong solely to the authors and are meant for information purposes only; this article is not meant to provide or be used as legal advice.