An Odyssey of (cyber) Risk

Published on May 7, 2024
Contributors: Hans Larsen, Improsec
Tags: Technology; Big Data, Cybersecurity; Security, Wealthtech, Administration & Back Office
In the realm of cyber security, 2023 was a journey of epic proportions. This odyssey of risks could have implicit ramifications for family offices and multi-family offices (MFOs). We have seen governments in both the US and Europe raising the bar in terms of cyber regulations, such as DORA, the Swiss Data Protection Act, and the SEC cyber ruling. Family offices and MFOs should prepare not just to address new regulations, but to protect themselves against the financial and reputational damage of a cyber-attack.

**Facts: Why we cannot afford to overlook the pressing risks**

- A UBS 2023 Global Family Office report shows that less than half (44 per cent) of family offices have cyber security controls in place. Yet, more than one-third (37 per cent) have been the target of attacks.
- According to BDO, the cost of a cyber security breach to a family office averages US$3.86 million.
- The Boston Private _Risk & Threats to Family Offices_ report found that limited staff and an emphasis on cost and convenience are roadblocks to improved risk management. Just under one third (29 per cent) of family offices have a “reactionary, rather than preventative approach” to cyber risk.

**Three regulations/directives to watch**

**1. The US Securities and Exchange Commission (SEC) updated rules**

MFOs are public companies that may be subject to the SEC guidelines, which were updated in September 2023. These updates aim to “enhance and standardize” risk management, strategy, and governance. They also underscore the need for cyber security expertise at a board level.

**2. The EU Digital Operational Resilience Act (DORA)**

DORA comes into effect in January 2025. Key points include incident reporting and rules regarding management responsibilities for information and communication technology (ICT) risks.

Under DORA, the management body will bear responsibility for managing ICT risks, including setting roles and responsibilities and governing effective communication, cooperation, and coordination. Moreover, DORA provides that financial entities must monitor and record ICT-related incidents. This entails early warning indicators, procedures to properly identify and handle incidents, and establishing assigned roles, responsibilities, and plans for communication. Furthermore, DORA provides for information sharing. This includes tactics, techniques, procedures, and alerts to enhance digital operational resilience across the financial sector.

**3. Swiss Data Protection Act**

The Act came into effect on September 1, 2023. It establishes that:

- Only data of natural persons (previously legal persons) is now covered.
- Genetic and biometric data is processed as sensitive data.
- The principles of “Privacy by Design” and “Privacy by Default” are introduced. As their names imply, they require developers to integrate the protection and respect of users’ privacy into digital products or services. These privacy features must be applied by default.
- Registering processing activities is now mandatory, exempting SMEs whose data processing presents limited risk of harm.
- Prompt notification of security breaches to the Federal Data Protection and Information Commissioner (FDPIC) is required.
- Profiling (i.e. the automated processing of personal data) is now regulated by law.

**Three steps: How family offices and MFOs can prepare**

**1. Conduct annual cyber security maturity assessments**

Regularly assess cyber security risks. Identify the types of data you handle, potential vulnerabilities, and the likelihood and impact of different cyber threats. This information will help prioritize security measures.

**2. Develop cyber security policies and procedures**

Comprehensive cyber security policies should be tailored to an organization’s needs. Policies should include guidelines for data protection, access controls, incident response, and employee training.

**3. Conduct annual crisis management and disaster recovery exercises**

Crisis management exercises are a proactive approach to managing cyber threats. They ensure organizations are well prepared, responsive, and adaptive to cyber-attacks, thereby reducing their potential impact.

In an era of growing cyber threats, family offices and MFOs must prioritize cyber security. This commitment is underscored by the principle of _noblesse oblige_, which holds greater significance than ever in these turbulent times. Prioritizing cyber security ensures financial stability and reputational standing in an increasingly risky digital world. Cyber regulation is not just a compliance necessity; it is an essential component of responsible wealth and asset management.