An Odyssey of (cyber) Risk

Published on May 7, 2024
Contributors: Hans Larsen, Improsec
Tags: Technology; Big Data, Cybersecurity; Security, Wealthtech, Administration & Back Office

In the realm of cyber security, 2023 was a journey of epic proportions. This odyssey of risks could have implicit ramifications for family offices and multi-family offices (MFOs).

We have seen governments both in the US and Europe raising the bar in terms of cyber regulations such as DORA, Swiss Data Protection Act, and The SEC cyber ruling. Family offices and MFOs should prepare, not just to address new regulations, but to protect themselves against the financial and reputational damage of a cyber-attack.

Facts: Why we cannot afford to overlook the pressing risks

• A UBS 2023 Global Family Office report shows that less than half (44 per cent) of family offices have cyber security controls in place. Yet, more than one-third (37 per cent) have been the target of attacks.
• According to BDO, the cost of a cyber security breach to a family office averages US$3.86 million.
• The Boston Private Risk & Threats to Family Offices report found that limited staff and an emphasis on cost and convenience are roadblocks to improved risk management. Just under one third (29 per cent) of family offices have a “reactionary, rather than preventative approach” to cyber risk.

Three regulations/directives to watch
1. The US Securities and Exchange Commission (SEC) updated rules: MFOs are public companies that may be subject to the SEC guidelines which were updated in September 2023. These updates aim to “enhance and standardize” risk management, strategy, and governance. They also underscore the need for cyber security expertise at a board level.

2. The EU Digital Operational Resilience Act (DORA):
DORA comes into effect in January 2025. Key points include incident reporting and rules regarding management responsibilities for information and communication technology (ICT) risks.

Under DORA, the management body will bear responsibility for managing ICT risks, including setting roles and responsibilities and governing effective communication, cooperation, and coordination. Moreover, DORA provides that financial entities must monitor and record ICT-related incidents. This entails early warning indicators, procedures to properly identify and handle incidents, and establishing assigned roles, responsibilities, and plans for communication.

Furthermore, DORA provides for information sharing. This includes tactics, techniques, procedures, and alerts to enhance digital operational resilience across the financial sector.

3. Swiss Data Protection Act
The Act came into effect on September 1 2023. It establishes that:
• Only the data of natural persons is now covered; data of legal persons, which was previously covered, no longer is.
• Genetic and biometric data is processed as sensitive data.
• The principles of “Privacy by Design” and “Privacy by Default” are introduced. As their names imply, they require developers to integrate the protection and respect of users’ privacy into digital products or services. These privacy features must be enabled by default.
• Registering processing activities is now mandatory, exempting SMEs whose data processing presents limited risk of harm.
• Prompt notification of security breaches to the Federal Data Protection and Information Commissioner (FDPIC) is required.
• Profiling (i.e. the automated processing of personal data) is now explicitly addressed in the Act.

Three steps: How family offices and MFOs can prepare
1. Conduct annual cyber security maturity assessments
Regularly assess cyber security risks. Identify the types of data you handle, potential vulnerabilities, and the likelihood and impact of different cyber threats. This information will help you prioritize security measures.
2. Develop cyber security policies and procedures
Comprehensive cyber security policies should be tailored to an organization’s needs. Policies should include guidelines for data protection, access controls, incident response, and employee training.
3. Conduct annual crisis management and disaster recovery exercises
Crisis management exercises are a proactive approach to managing cyber threats. They ensure organizations are well-prepared, responsive, and adaptive to cyber-attacks, thereby reducing their potential impact.

In an era of growing cyber threats, family offices and MFOs must prioritize cyber security. This commitment is underscored by the principle of noblesse oblige, which holds greater significance than ever in these turbulent times. Prioritizing cyber security protects the financial stability and reputational standing of MFOs and family offices in an increasingly risky digital world. Cyber regulation is not just a compliance necessity; it is an essential component of responsible wealth and asset management.