Family Offices: Get Interested in Your Data Before Someone Else Does

05 November 2018

Fame and publicity often accompanies significant wealth. Such attention, whether desired or deflected can also make the Family Office a potential target for cyber-criminals.

Many Family Offices handle assets and investments equal to a substantial corporate entity but without the same levels of governance and security. While the corporations that create the wealth for a family are likely to be fortified with firewalls and well-trained employees, the Family Office might typically operate quite separately in a location more convenient for the Principal and without any of the same resources.

Furthermore, it’s usual for Family Offices to maintain a relatively flat managerial structure with a small number of dedicated staff to reduce operating costs. A small group of staff can have broad access to sensitive data that would normally be compartmentalised in a larger organisation.

Family offices with limited staff, lacking training and with an informal approach to data security are vulnerable to supply chain risks in the storage and transition of their most valuable asset - data. However, it is not just wealth that makes them vulnerable to a cyber attack or data breach. In addition to investment administration, staff in many Family Offices are also tasked with concierge functions such as arranging travel and paying invoices which exposes them to phishing attacks.

When Principals are in different time zones their staff can sometimes be expected to work odd hours and respond to requests as soon as possible. A tension can quickly develop where efficient service takes precedence over effective cyber security.

Cyber security for a Family Office is a marriage of personal privacy planning by the principals and data protection auditing by the staff. Malevolent data loss usually begins with an attempt to obtain sensitive information such as a username, password or financial data by fraudulently posing as a known, trustworthy entity in a text or email called a phishing attack.

The plausibility of a phishing attack depends on the quality of the information in the fraudulent text or email. The cost of living in our connected world is counted in the hundreds of seemingly valueless, unconnected pieces of information scattered across social media, geotags, apps and behavioral trackers. This private information can be cross referenced with public records like Land Registries, Companies House or the Securities and Exchange Commission. The simple act of aggregating the disparate pieces of your private jigsaw can produce a very detailed, invasive and valuable picture for those wishing to attack or exploit you.

Auditing all the information about you that is available online allows you to see the connections that could be made and the inferences drawn about your private life that would be used in a cyber attack. Only when a comprehensive overview has been compiled of all the available information about you is it possible to start anticipating the associated risks.

Data protection auditing starts by embracing the matrix of location, staff and assets that the Family Office has to work with. How many households, offices and other locations such as yachts form the physical network? How many jurisdictions are in play and is data being transferred in or out of EU states? How many staff service the Family Office? How many service providers provide support to the family? What platforms and devices do the family use to communicate with each other and their entourage and what level of encryption is used? How many investment transactions occur in any one month? How many banking relationships does the family have? How many ownership structures include employees? How many assets require active management?

The answers to these questions will describe the life-cycle of data around the Family Office and, more specifically, what information is being collected, stored and processed by the organisation. The answers will also help determine whether the Family Office requires the appointment of a Data Protection Officer. That will be determined by the number of people whose data is being processed and the duration of that processing, the volume and sensitivity of that data and the geographical extent of the Principles’ activity.

In the event of a breach there are four stages to effectively manage the process: (1) detection and containment (2) recovery and assessment of ongoing risks (3) notification, and (4) remediation and review.

The first stage of managing a data breach is dominated by the four technical objectives of detection, containment, identification and preservation. Detecting the source and scale of the breach are paramount. Quarantine the breach by isolating the affected systems and minimising the entry points in the system that a cyber-criminal could use to extract data from the system. This is a precursor to identifying the cause of the breach, its duration and its impact. Finally, it is vital to preserve all the information needed for any subsequent investigation such as server log files and meta data whilst minimising disruption to the running of the Office.

The impact of most data breaches is felt across more than one country or jurisdiction. In some territories it is mandatory to notify the Data Regulator (e.g. The UK’s Information Commissioner’s Office). In some territories it is mandatory to notify the affected individuals. There are also likely to be other third parties to whom the breach will have to be notified such as insurers, banks and the Payment Card Industry Security Standards Council. In some jurisdictions the duty to notify the regulator or affected data subjects is time limited. Family Offices based in the EU have only 72 hours from the point of detection to notify their regulator and possibly the affected individuals.

So what should Family Offices be doing right now?

With such a tight timescale for reporting it is vital that Family Offices, in addition to ASSERTing their cyber strength, have a clear and regularly rehearsed plan for managing a data breach. That plan needs:

  1. A team with clearly defined roles, expectations and training;
  2. An internal Breach Register or Log also needs to be set up and maintained. Data should be stored with appropriate security measures determined by its sensitivity and value;
  3. All staff should be trained to look out for suspicious behaviour and online activity;
  4. Data protection clauses should also be reviewed to ensure they require data processors and other third party handlers to proactively notify the Family Office of any breaches they might suffer and insurance policies should be revisited to assess their coverage in case of a breach.

With research undertaken by Schillings revealing that 28% of Family Offices have experienced a cyber attack in the past and of those, 77% had been subject to phishing campaigns, Family Offices must begin the process of making the transition from ‘we’re not a target’ to ‘everybody is a target’ when it comes to their cyber security.

This starts with Family Offices getting interested in their data before someone else does.

This article was first published by Family Capital on 1st November 2018. Click here to read the original article.

Receive our monthly newsletter

About the Author

Magnus Boyd


Magnus protects individual and corporate reputations by helping clients to manage unwanted media attention. He also advises on information security and helps clients manage the risks to reputation that arise in the event of data loss.

+1 646 934 6219
Our 24 hour number
+1 646 934 6219
Legal information

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.