Data breaches are constantly in the news and most companies know they should be concerned about privacy and the security of their data, or at least recognize this is an important and complex area. However, most family offices are not sure how to start addressing their concerns, or worse, don't view the family office as a target. The majority (58%) of malware attack victims were categorized as small businesses in 2018.[i] Small businesses, and family offices in particular, are attractive targets for a number of reasons. Family offices may have a more informal governance structure than other companies, and family offices often put a heavy reliance on smaller staffs who have disproportionate access to large amounts of data. The fame and prominence of those associated with family offices can make the family office a target as well. A family office manages a large amount of wealth, with careful attention and focus on protecting the wealth and creating a lasting and impactful legacy. Efforts to ensure security of data are not often a top priority for a family office, but that trend is changing. A recent report by Campden Wealth indicated that nearly a quarter (24%) of family offices surveyed reported protecting against cyberattacks as a governance priority for their family office.[ii] In 2017, Campden Wealth reported, within its Private & Confidential -- The Cyber Security Report, that 32% of family offices have experienced one or more cyberattacks, with a significant portion resulting in some form of loss, such as a loss in revenue (26%) or loss of private and confidential information (19%).[iii] Despite the threat, and actual occurrences, of a cyberattack, roughly half (52%) of family offices surveyed had a cyber security plan in place, leaving a large population of the family office community vulnerable to security incidents.[iv]
Complex and dedicated cybersecurity efforts are often not given sufficient attention within a family office unless the family has experienced a serious breach in the past. The potential impacts to a family office after experiencing a security incident are somewhat unique. A security incident can cause the common impacts such as financial loss and reputational damage, but when a family office is the target, the far-reaching legacy of the family can also be damaged. A security incident can expose more than just financial data; think about the recent scandal involving Jeff Bezos where personal text messages were obtained and released.
What can our family office do to plan and prepare?
Being prepared for a security incident can make a difference in the severity and overall impact of a security incident when it occurs. Cyber-liability insurance policies can help to offset the potential losses associated with a security incident. An effective cybersecurity plan and training may even help to avoid easily preventable attacks. An effective incident response plan creates a clear plan of how to react and what steps to take when a security incident does occur. Testing the incident response plan once it is created through tabletop exercises helps to identify any gaps in the plan and allows for members to get comfortable with the process in the event of a security incident.
1. Prepare a Cybersecurity Plan.
The process of preparing a cybersecurity plan allows for the family office to obtain a better picture of the technology being used by the family office, what types of information the family office is collecting and processing, how to best protect that data, and more. A review of the types of data a family office collects and how that data is stored and processed is a good starting point. Involving oversight from the board, executives or the family to create the cybersecurity plan allows for all parties with a stake in the protection of the data to be involved. Involving parties outside of just the information technology (IT) specialist allows for greater understanding of the reasons behind the policies and plan.
2. Obtain a cyber-liability insurance policy.
A cyber-liability insurance policy has the potential to cover a multitude of losses such as liability for lost data, remediation costs for investigations, notifications and repairs to systems after a security incident and settlement costs associated with a security incident. Typically, a cyber-liability insurance policy will give a family office access to experts who can assist with a security incident.
3. Provide cybersecurity training and education to staff and family members.
Providing staff and family members with cybersecurity training is key; the first line of defense against a security incident is often people. By providing training and education about potential threats, best practices and appropriate processes, a family office can help to avoid incidents or attacks that are easily preventable.
4. Prepare an incident response plan.
A security incident occurs, your emails have been hacked, financial information has been compromised, now what? Creating an Incident Response Plan will lay out the steps the family office should take following an incident. The process of creating a plan helps to eliminate the stress and confusion that often surrounds a security incident by establishing the actions and processes before an incident occurs. A well-crafted Incident Response Plan can have a significant impact on the amount of damage caused by an incident.
5. Perform tabletop exercises.
A tabletop exercise is an activity in which key personnel who are assigned management roles and responsibilities in the event of a security incident are gathered to discuss, in a nonthreatening environment, various simulated security incident situations. The exercises are provided by third parties and allow key family office staff, board members and family members a chance to run through the family office data security programs, policies, procedures and other related processes. Tabletop exercises give employees the opportunity to become familiar with the plans in the event of a security incident and hopefully help to ensure the data security programs, policies, procedures and other related processes are actually followed when an incident occurs.
This article was authored by Nick Merker, Stephen Reynolds, Rachel Spiker of Ice Miller's Data Security and Privacy Team, and Andrew Vento, Bill Ellsworth, Miranda Morgan or another member of Ice Miller's Trusts, Estates and Private Wealth Team. Contact any team member for further information. This is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
[i] Verizon. 2018 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/
[ii] UBS, and Campden Wealth. The Global Family Office Report 2018. https://www.ubs.com/global/en/wealth-management/uhnw/global-family-office/global-family-office-report-2018.html
[iii] The Global Family Office Report 2018.
[iv] The Global Family Office Report 2018.