Regulatory & standards
For a qualifying single-family office, almost none of this is mandatory. That is the exposure.
You've been pitched compliance theatre before. Here's exactly which rules do and don't reach a family office — fewer than you feared, more than you assumed — and what fills the vacuum.
United States — the exclusion at the centre
SEC Family Office Rule — Advisers Act Rule 202(a)(11)(G)-1
The exclusion that defines the SFO: no registration, no examinations, no SEC cyber or safeguards regime. The honest headline — your exemption is why nobody ever made you build controls.
SEC Regulation S-P (as amended 2024)
For registered MFOs/RIAs: safeguards, an incident-response program, and 30-day customer breach notification. The real compliance driver on the MFO side.
State data-breach notification laws
All 50 states plus D.C. Apply to the office as a data holder regardless of SEC status — household employees and vendors are residents too.
FTC Safeguards Rule / GLBA
Reaches some family-office-adjacent structures acting as financial institutions. A check-with-counsel overlay, not a blanket claim.
Corporate Transparency Act / FinCEN beneficial ownership
The structure chart the office guards is increasingly filed somewhere — a data-exposure surface, noted as context.
Canada
No family-office-specific regulator
Same inverted headline; provincial securities registration only where the office strays into advising non-family clients.
PIPEDA + provincial privacy law
The office holds employees' and vendors' personal information. Quebec Law 25 overlay for Québec families.
CAFC / bank fraud-recall mechanics
The Canadian wire-recall path behind the wire-fraud playbook.
United Kingdom / EU
UK GDPR + DPA 2018 / ICO; GDPR for EU-resident family members
The genuinely mandatory layer for global families — household staff and family data count, with 72-hour clocks.
FCA perimeter
Only where the office conducts regulated activities. Check with counsel.
Frameworks the market actually references
CIS Controls v8.1
The demonstrable reasonable-security baseline — we lead with it.
NIST Cybersecurity Framework 2.0
The language the office's institutional counterparties and insurers speak.
SOC 2 / ISO 27001
What the office should be demanding from its wealth platform, bill-pay, and fund administrators — mostly consumed, not produced.
What fills the vacuum
FBI IC3 / Financial Fraud Kill Chain
The wire-recall mechanism behind the signature playbook — the single most operationally important reference on this page.
HNW insurer requirements
Personal-lines cyber riders and crime/fidelity underwriting questions are the closest thing an SFO has to an examiner. Treat them as the de-facto standard.