Guest Feature: Cybersecurity Basics For The Family Office - Part One
Annmarie Giblin
13 September 2016
These views belong solely to the authors and are meant for information purposes only; this article is not meant to provide or be used as legal advice.

Cybersecurity is an area of increasing focus and concern for the family office. It can also be a confusing and difficult area for the family office, where allocation of assets is always a concern and deciding how much of those assets to invest in cybersecurity is not always crystal clear. Indeed, a family office is charged with more than protecting wealth; it must also ensure legacy, reputation and relationships. In the past, the family office could insulate itself to some degree with discretion and proper hiring. This is no longer the case. Family offices must now take proactive steps to protect themselves, first, to help prevent a cybersecurity incident and, second, to minimize the damage should one occur. To further complicate this area, the aftermath of several high-profile cybersecurity incidents and the government's increased focus on this area have created a lot of noise about cybersecurity best practices and incident response. This article will attempt to quiet some of that noise by providing the general legal perspective on what a solid cybersecurity program should include, combined with the boots-on-the-ground realities of implementation. It is important to realize that cybersecurity, and security in general, is not a one-size-fits-all program. Each family office or multi-family office must tailor its cybersecurity program to fit the personality and needs of the office. It is also important to evaluate the office's approach to cybersecurity for needed changes on an annual basis, to ensure that the program is keeping up with the growth and needs of the office. However, there are some general and basic steps that can be taken to ensure a basic level of protection in whichever program best fits the individual office's needs.

Back to basics – what is cybersecurity?
According to TechTarget.com, "Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity." It is common for the word "cyber" to receive too much focus in this area. Instead, the focus should be on "security," which is the fundamental goal of any cybersecurity program. Technology has made life much easier, but it has also created a back door to information. The explosion of mobile technology has further complicated this area, as our smartphones and tablets, items of great enjoyment and convenience, make our information systems that much more vulnerable. If you think of the family office as a home, cybersecurity is the unlocked and unalarmed back door. A criminal just needs to figure out how to open the door and they are in the home. The goal is to secure that door as much as possible and, further, to protect the most valuable information as you would your valued possessions in the event that they do get in.

Preparing for the worst, hoping for the best – the legal perspective

From a legal perspective, it is best to assume that the family office will be the victim of a cybersecurity incident and prepare for the same. It is much better to be over-prepared and ready for the aftermath than to be left holding the bag when an incident occurs. Of course, a scorched-earth policy is not required and, as noted above, each office needs to tailor an approach best suited to address its security concerns. There are, however, several universal actions that can be taken to put the family office in the best position possible to deal with and protect against a cybersecurity incident. Regardless of the family office's approach to cybersecurity, or security in general, it is imperative that the family office has a plan in place. In today's legal and regulatory landscape, not having a cybersecurity program is no longer acceptable.
The first step in this process is to create an "information inventory." An information inventory identifies what information the office maintains and why. Once the information is identified, it must be organized into categories of importance, so that the most sensitive information can be identified and heavily protected. Using the house example above, this is akin to putting expensive jewelry in a safe in case a burglar breaks in. This is much easier said than done, especially when dealing with a multi-generational family office that is still using legacy systems, but it must be done nonetheless. Indeed, if the family office is the victim of an incident, the only way to know what was taken is to know what you had. Without this fundamental information inventory, there is no way to effectively protect the most sensitive information and ensure that it has not been compromised in the event of an incident. This is also an important step for the family office to actually know what information it is maintaining and why. This exercise may reveal that resources are being wasted on keeping irrelevant or useless information. It may also reveal information being maintained that is not supposed to be within the office. Most importantly, when completed, the information inventory will help to streamline the cybersecurity processes and help to put effective security in place. Second, once the inventory is complete, the information identified needs to be protected. Remember, when putting these security policies into place, not to forget physical security. Sensitive information can still be stolen from a piece of paper. Ensure that any cybersecurity program identifies the physical threat as well as the virtual, and considers both when putting protections into place. In the same way that you would not use a shotgun to kill a housefly, there is no need to protect all of the information maintained by the family office in the same manner.
Overkill is not only useless but can also be extremely expensive. Thus, a layered system is likely the best way to ensure all the information is protected, with the most sensitive and important information receiving the strongest security. In order to do this, the family office will need a data retention policy (DRP), an incident response plan (IRP) and a team of professionals to implement them both. The DRP should be an outline of what general types of information the family office keeps, where this information is kept and why. The DRP should include a time frame for the storing of documents and for their destruction. The DRP does not have to be overly detailed, but it should be at the very least a general blueprint for the data collected and maintained by the family office. The IRP should detail what the office will do in the event of a cybersecurity incident. The IRP needs to be as detailed as possible to ensure that when an incident occurs the plan goes into effect immediately to stop the attack or loss of information and to find out what was taken. The IRP also needs to address the aftermath: insurance policy information so notice can be provided; necessary contacts; which breach notification laws must be complied with and the time frame for each; preparation for potential litigation and regulatory hearings, etc. The IRP is a fluid document, and should be tested and updated as much as possible. Time is of the essence in a cybersecurity incident, and the IRP should allow the response to an incident to start as soon as possible. Both the IRP and the DRP need to account for third parties and vendors with which the office shares its information. Indeed, not only are third parties potential sources of an incident, but these relationships are now being examined very closely by regulators.
Include not only a system for the sharing of information with third parties, but also a way to recover the information, or provide for its destruction, once it is no longer needed by the third party. Ensure that the employees of the office are familiar with the DRP and the IRP. Conduct annual training to ensure that both are being adhered to and that best security practices are being followed. A family office, or any business for that matter, can have the best policies on paper, but if they are not being followed, or if the employees are not familiar with them, they are useless. In addition to the DRP and the IRP, each family office should have a cybersecurity team. Ideally, the cybersecurity team will include outside professionals who are familiar with the office's DRP and IRP and who are ready to implement them in the event of a cybersecurity incident. The team should at the very least include a forensics professional and outside counsel. If possible, the team would also include a PR professional and an insurance professional. The team can also include anyone else essential to getting the office back to business, which can mean different things for each office. Importantly, the team should be assembled and practiced before an incident. Bringing in outside counsel and forensics professionals is very important in the event of a cybersecurity incident. Outside counsel can not only help to guide the legal aspects of the incident response, but can also help to keep certain portions of, or the entire, investigation and response privileged, which will be important in the event of any resulting litigation. Outside forensic professionals are equally important because they will be needed to stop the attack, identify the vulnerability and, if possible, recover the information.
Indeed, the family office's own IT team may be too close to the situation to deal with it effectively, and/or too overwhelmed with other aspects of the office's systems, and will likely need the help. Finally, test all of the above. An IRP needs to be tested to reveal any holes that only a real-world situation can show. The family office should work a cyber breach fire drill into its yearly schedule to ensure that the IRP is as tight as possible and effectively deals with any real-world issues that were not considered. It will also show how effective the plan is when implemented, which will allow for necessary tweaks. The best way to accomplish this is to include only a few key members of the office in the drill, allowing everyone else to believe that it is a real-life event. These drills, along with penetration testing, should be an integral part of the overall security plan. Overall, it is better to be prepared and never have to use the plan than to be underprepared and suffer a greater loss from the incident. Remember that the above is a very general outline of what a cybersecurity program should cover, but a program that does cover at least these basics is a great first step toward a more secure and protected family office. Part two will explore the realities of implementation of a cybersecurity program for the family office.