This is part of a series of articles in our special report on technology in family offices. To see all the articles, click here.
“Where is my data—really?”
That wasn’t a question many family offices used to ask, because the answer was obvious: their sensitive information was stored on a hard drive tucked under a desk or in a back closet. Today, however, with the rapid adoption of cloud technologies and web-based services, data can seem detached from physical space, existing simultaneously anywhere and nowhere.
But the information does still reside on an actual server in a real data centre—somewhere. And that location, and who manages it, is of critical importance for security and data privacy.
“Every family office today has some footprint in the cloud,” says Mike Krygier, founder and CEO of DeepCove Cybersecurity, a boutique consulting firm based in Toronto. “Whether it’s [Microsoft] Outlook and Office or Google Workspace, some files get stored in the cloud just as a course of business, even if you work hard not to do that. But a foundational area of our work with family office clients is around how we post data and the need to have privacy.”
According to a 2024 global survey of family offices by Deloitte, 87 per cent of family offices use cloud-based applications or services, including storage. The cloud holds obvious appeal: avoid large upfront capital investments for hardware and reduce IT maintenance costs, while only paying for resources used.
But there is growing awareness that entrusting sensitive data to public cloud providers presents additional risks and challenges that can undercut cost benefits. Instead, family offices are increasingly turning to private cloud services—hosting their own dedicated hardware in offsite facilities managed by a third party.
Close to home
One critical requirement: those facilities are Canadian. In light of recent political tensions with the United States, some family offices now have a heightened awareness about data residency and data sovereignty. Due to U.S. tech dominance in cloud services—AWS, Microsoft Azure, Google and others—and the two countries’ deeply intertwined networks, Canadians have previously been unconcerned if data crossed the border or if cloud services operated stateside.
But the new political landscape has shifted perspectives. “The trade issues are certainly prompting discussions,” says Krygier. “More people want to have their data in Canada, and some don’t even trust the cloud providers.”
While the risks may seem remote, concerns centre on U.S. cloud providers with data centres in Canada still being subject to U.S. laws. Major cloud providers provide assurances that Canadian and European operations remain isolated from U.S. data centres—critical to complying with Canadian commercial data residency and privacy laws.
You might be exposing your data in ways that, prior to the trade war, we never thought would become issues.
Mike Krygier
Data sovereignty, however, could be another matter. IT and cybersecurity firm F12 noted in a recent blog that the federal Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 “empowers U.S. law enforcement to compel U.S.-based cloud providers to hand over data they control, regardless of where that data resides geographically.”
“To what degree can cloud providers guarantee that [Canadian data won’t be handed over]? We haven’t really seen it tested in court,” says Krygier. “You might be exposing your data in ways that, prior to the trade war, we never thought would become issues, but unfortunately are now things to consider.”
New skills
Aside from messy international politics, the buzz around the public cloud has quieted. “It turns out moving things to the cloud is more expensive [and] more complex than previously thought,” says Krygier.
Configuring and securing a cloud environment requires a specialized skill set, distinct from how traditional servers are managed, he explains. “The cloud works very differently,” says Krygier. “You can misconfigure your environment and expose your data. It requires new security solutions and monitoring tools.”
Of course, cloud providers devote extensive resources to cybersecurity, but Krygier notes that it’s a shared responsibility: “There’s an onus on the people operating the environment for the family office to make sure they’re configuring, monitoring and managing it appropriately.”
Finding middle ground
Private clouds, on the other hand, offer a simpler transition to a hosted environment. Family offices contract with a provider that makes it easy to provision and access a dedicated server for core applications like accounting, file sharing and file storage. “The risks are pretty moderate,” says Krygier. “It’s predominantly a very similar type of setup as a server in your office. They are just hosted somewhere else.”
Krygier cautions that family offices need to undertake some due diligence with any cloud provider, especially as it relates to how modern the hardware is, the level of support it receives, and the encryption offered. Physical security is a vital consideration: because many cloud providers typically lease server rack space in an existing data centre, family offices need to ensure their racks will be secured within locked cages, with any technician access logged.
And don’t take the cloud provider’s word for it, says Krygier—site visits are a must. “As part of a routine review, we found that the server cage and cabinets were left unlocked,” he says. “That means other tenants in that space could have gotten physical access and taken copies of data. A thief could really get very far with that.”
Depending on the scope, scale and risk posture of the family office, due diligence could extend to corporate matters—the operating team overseeing the servers, the investment backers, financial health and longevity of the cloud provider, and the lease terms they have with a data centre. Find out what industry verticals they support that could make them a bigger target for cybercriminals. Even the location of the data centres should be considered and what geographical redundancy they offer for business resilience.
“Often this stuff isn’t really thought about,” says Krygier. “It’s more like, ‘Looks good. Let’s punch in the credit card on the website and sign up.’”
With a bit of care, however, private cloud hosting can provide a middle ground between running a server out of your office—which presents its own heightened security risks—and adopting a technically complex public cloud architecture that now apparently brings geopolitical risks. Just be ready to ask the hard questions to ensure you have full confidence that your data is protected.
The Canadian Family Offices newsletter comes out on Sundays and Wednesdays. If you are interested in stories about Canadian enterprising families, family offices and the professionals who work with them, but like your content aggregated, you can sign up for our free newsletter here.
Please visit here to see information about our standards of journalistic excellence.