2024 NIST changes and their impact on Family Office security and governance

Those of us involved in the protection of the data and systems of the family office community have been watching with keen interest how the heralded changes to the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) due in 2024 might affect how the industry steps up to protect Family Offices and their diverse business interests.

The reality is this is a difficult task, as the family office structures include a significant personal risk to wealthy business owners as cyber criminals target the behaviors and lifestyle of the Family Office members themselves as a means to penetrate their defences. Their lifestyles, personal assets, significant businesses, and multiple outsourced providers provide multiple points of attack by the criminal world and the potential rewards are significant.

We have been well used to developing a defence framework built around the NIST five functions of Identify, Protect, Detect, Respond and Recover, but there were always key weaknesses when the framework was applied to complex business networks.

These weaknesses are now being addressed by the evolving NIST CSF.

The first of these is the need to enhance the focus on implementation, alongside analysis of the risks. It is the standards of implementing a resilient framework which will make a difference, and this has been recognised in the new proposed framework.

The second major issue is the new focus on supply chain security. The typical Family Office has an incredibly varied range of providers, including personal security groups, trustees, business associated partners, wealth managers, service providers and trusted personal advisors. Those providing support to enhance cyber and data resilience should now also examine this network and include them in their risk assessments, due diligence and support activities, though this is a complex task and requires excellent systems to achieve this.

And finally, the suggested changes to the NIST CSR include a new sixth dimension crucial to Family Offices which is a focus on the governance of risk management. By this NIST means how organisations ‘enhance and monitor their cybersecurity risk management strategy, expectations, and policies.’

As the rest of the business world, particularly in the regulated space, has become obsessed with creating good governance (monitoring and reporting systems appropriate to the type of business) the NIST CSR has now caught up, ensuring that the risk management activity has clear objectives, standards and links to the risk appetite of the business. The role of senior management is recognised, requiring them to be accountable for cybersecurity management and to foster a culture that is ‘risk-aware, ethical and continually improving’. They will be required to ensure that there are policies, processes and procedures in place, including assigning cybersecurity roles and responsibilities. There will also be a requirement that strategies and performance is reviewed and adjusted as needed.

Once finalised, this will be a much-needed piece in the jigsaw of Family Office cyber protection, as it embraces the role of leaders to protect from cyber attack and monitor success. Providers that help create Family Office data resilience can now use this framework to develop a wider net of protection and involve leaders who will have a personal responsibility.