This section is by PBY Capital.

Best practices for family-office cloud storage in a politically charged era

Good research is critical for Canadian executives as concerns rise about data residency and sovereignty

Data security is an important issue for Canadian family offices, which largely rely on cloud and web-based services from the United States such as Amazon Web Services (AWS), Microsoft Azure and Google for their data storage.

With many of these “hyperscalers” owned by tech titans who have ties to the U.S. presidential administration—and governed by legislation that could allow authorities access to the data—the situation could present risks for family offices in Canada, tech experts say. Getting on top of the options for cloud storage is critical given questions about data residency and sovereignty, as is greater awareness in family offices about cybersecurity in general.

“Family offices and average Canadians should pause for a moment and think about where they want their data to live,” says Bruce Watson, chief exploration officer at Qorsa Corp. and president of Qorsa Labs in Waterloo, Ont.

Watson, a professor of computer science at the University of Waterloo, notes that everyone should worry about their data storage and privacy-related issues, “and it takes on an entirely new meaning for family offices.”

He notes that data storage includes “data at rest,” where it’s simply stored; “data in flight,” where it is transported from one place to another; and “data under computation,” where it is on a laptop, say, that is performing editing functions, simulations or financial forecasts.

“All of those have unique issues,” Watson says. “Mostly people think about their data at rest and protect that, but then they don’t adequately protect it while it’s in flight or while it’s on a laptop.”

Chris Nicola, CEO of Nicola Wealth in Vancouver, who has a background in tech and oversaw the migration of his firm’s data to a cloud-based service, Microsoft Azure, notes that such systems bring “top-tier redundancy, disaster recovery and security.”

Nicola Wealth has a virtual private cloud within Azure that is domiciled in Canada, he says, noting that most hyperscalers have infrastructure all over the world, “so Canadian data centres are generally an option.”

Watson says, however, that having a Canadian domicile for your data “is a beginning but it’s not a complete solution,” given the possibility of legislation in other countries forcing data to be divulged even if it “nominally resides” in Canada. “There’s some extreme examples where that has occurred.”

U.S.-based cloud providers with data centres in Canada are subject to the U.S. federal Clarifying Lawful Overseas Use of Data (CLOUD) Act, which could force them to hand over data they control regardless of where it resides geographically. For example, a Microsoft official in France recently told that country’s senate that the company can’t keep data that resides in its systems there out of the hands of the U.S. government.

The U.S. has long had legislation and surveillance programs that can impact the privacy of international citizens, Nicola notes. He suggests that family offices consider working with lawyers and cybersecurity specialists “to assess their risk of various breaches, including potentially those by state actors, and then also the countermeasures that are appropriate.”

He says the CLOUD Act shouldn’t be a major concern for most family offices. “I don’t think these laws change as much as people would imagine, and I also think this is an ever-evolving issue.”

Nicola suggests that firms seek legal advice for specific situations. They also should consider using encryption and encryption keys that are not controlled by the cloud provider directly, setting up a private cloud that they control, or working with a Canada-only cloud provider.

“Using a partner that services our federal government would make the most sense in terms of having strong cybersecurity standards,” he says.

Alvin Madar, a cybersecurity and privacy partner at PwC Canada in Vancouver, says that implementing controls in family offices, such as encrypting the data they store in cloud services, can be effective.

Madar encourages firms without an information technology (IT) skillset in-house to find an outside partner to discuss questions and ideas with. “Establish a relationship and actually treat them like a partner and not just a service provider,” he says.

Family offices in the past typically thought they would not be a target of attacks given their size, “but the difference now is a lot of threat actors target everybody. Especially with the introduction of AI, attacks have become a lot simpler and a lot cheaper, and you don’t need any technical skills.”

The two main threats in data security are “data disruption,” where an attacker comes in and encrypts information so the family office doesn’t have access to it, he says, and “data exfiltration,” where the information is leaked, often with a threat to release it to the public.

Setting up a private cloud or private data centre can give a family office “total control of their environment,” he says, although that can be a complex undertaking, and the company is still required to implement stringent security controls.

Watson notes that private cloud technology “has advanced to the point where these things are often canned solutions,” which look like a series of pizza boxes that fit into something the size of a refrigerator.

“The trick to actually using them properly is less about buying the physical hardware and more about managing the risks surrounding them,” he notes. That means ensuring the system is either backed up to some other location or ideally is put in a location away from your office.

“There are companies that will host it for you in their data centre,” Watson says, noting that such facilities come with fire suppression, a reliable power supply and reliable fibre in and out. “The chances of the system crashing are remarkably low.”

The data should also be backed up in a separate data centre, which “sounds more painful than it is. These things are highly automatable,” Watson says. “It behaves and looks like you’re using one of the big cloud service providers, but you’re using your own facility.”

Private clouds are relatively cost-effective, he says, with a capital outlay of about $10,000, an operational cost of about $2,000 per month and another $2,000 per month to manage related issues. Among those might be: “Do we monitor the accounts that are on there? Who can log in? Has anything unusual happened? Have the passwords been updated? Do we have the latest security and the latest encryption?”

Family offices don’t need an in-house IT person to run such a system continuously, Watson says. But having a tech-minded person within the company is helpful to “keep an eye on the latest developments” and to watch for things such as whether someone who’s left the firm has their access shut off in a timely fashion, or whether system backups are continuing.

Watson says the biggest risks regarding data storage include confidentiality, whether someone else can see or manipulate your data, identity management, and the integrity and accessibility of data, as well as agility, with the expectation that quantum computing will pose even more of a threat down the road.

“That will be a new ballgame,” he says.

Nicola says family offices need a strong understanding of data security, especially as attacks can happen through malicious actors in any number of ways.

“Security-awareness training is inexpensive, it’s available online, it’s high quality and it’s updated,” he says, noting that such exercises should be done at least every year.

Companies with an elevated threat level can hire an expert to give them advice specific to their risks and needs, Nicola adds, and they can also get cybersecurity insurance to cover ransomware attacks and other threats.

Mary Gooderham is a writer, editor and communication advisor based in Ottawa. She leads Cohen Gooderham Communications and has worked as a journalist for more than 40 years at The Globe and Mail, as a recording officer at the International Monetary Fund and as a custom content creator for online and print media. She’s been a contributing writer at Canadian Family Offices for four years, focusing on investment strategy, trusts, philanthropy, women in finance and estate planning.
