Multi-Family Offices (MFOs) should proactively consider new cyber security compliance laws and regulations, both here and in foreign jurisdictions, that have been enacted or soon will be. The California Consumer Privacy Act (CCPA), the New York Department of Financial Services Cybersecurity Regulation, and the European Union’s General Data Protection Regulation (GDPR) are some examples of recent changes in the cyber security regulatory environment. MFOs need to understand how these changes will impact their operations—a failure to address the issues potentially created by these regulations could negatively impact their businesses and the cyber security health of their clientele.
For example, MFOs that are public companies might be subject to new Securities and Exchange Commission (SEC) guidelines currently under review. The SEC has recently requested comment on a proposed new rule (17 CFR 229, 232, 239, 240, and 249) to “enhance and standardize” risk management, strategy, and governance around cyber disclosures. This rule is a deliberate and well-considered next step intended to inform investors about a company’s efforts to manage cyber risk, establish a strategy that protects its interests, and establish governance around providing timely notification of “material cybersecurity incidents.” It also highlights and underscores the need to have cybersecurity expertise on a company’s Board of Directors.
Considering their clientele—and their hyper-mobile, hyper-connected lifestyles—MFOs should already have well-documented and transparent cyber security practices in place, specifically with regard to risk management, incident response, and governance.
MFOs frequently outsource or virtualize many of their services to improve efficiency and cut costs. Because an MFO relies on maintaining its reputation and the trust of its clientele, its leadership cannot abdicate its responsibility to maintain strong cyber security—a thorough review of the virtualized service provider’s security protocols is critical. The last thing an MFO wants is to suffer a breach of personally identifiable information (PII) because of poor security provided by the third-party service, exposing the MFO to any litigation that might follow.
In this developing cybersecurity and governance environment, MFOs should:
- Consider the immediate addition of a cyber security expert to their Board of Directors;
- Have a third-party organization conduct a holistic security assessment, including cyber security, to inform and author a Cyber Security Risk Management Strategy;
- Begin or continue providing cyber security education and training to all of their personnel;
- Review their existing cyber incident response plan, including disclosure procedures;
- Review their current cyber insurance policies and make themselves aware of any exclusions; and
- Hire a company to assist in filling any existing gaps in talent, technology, or policies & procedures.
Red Five has provided risk management services to family offices, executives, and enterprises for the past 18 years. We remain the “go-to company” for our clients’ unique needs, bespoke projects, and subscription-based privacy and security services.