Regulatory & standards

For a qualifying single-family office, almost none of this is mandatory. That is the exposure.

You've been pitched compliance theatre before. Here's exactly which rules do and don't reach a family office — fewer than you feared, more than you assumed — and what fills the vacuum.

United States — the exclusion at the centre

SEC Family Office Rule — Advisers Act Rule 202(a)(11)(G)-1

The exclusion that defines the SFO: no registration, no examinations, no SEC cyber or safeguards regime. The honest headline — your exemption is why nobody ever made you build controls.

SEC Regulation S-P (as amended 2024)

For registered MFOs/RIAs: safeguards, an incident-response program, and 30-day customer breach notification. The real compliance driver on the MFO side.

State data-breach notification laws

All 50 states plus D.C. Apply to the office as a data holder regardless of SEC status — household employees and vendors are residents too.

FTC Safeguards Rule / GLBA

Reaches some family-office-adjacent structures acting as financial institutions. A check-with-counsel overlay, not a blanket claim.

Corporate Transparency Act / FinCEN beneficial ownership

The structure chart the office guards is increasingly filed somewhere — a data-exposure surface, noted as context.

Canada

No family-office-specific regulator

Same inverted headline; provincial securities registration only where the office strays into advising non-family clients.

PIPEDA + provincial privacy law

The office holds employees' and vendors' personal information. Quebec Law 25 overlay for Québec families.

CAFC / bank fraud-recall mechanics

The Canadian wire-recall path behind the wire-fraud playbook.

United Kingdom / EU

UK GDPR + DPA 2018 / ICO; GDPR for EU-resident family members

The genuinely mandatory layer for global families — household staff and family data count, with 72-hour clocks.

FCA perimeter

Only where the office conducts regulated activities. Check with counsel.

Frameworks the market actually references

CIS Controls v8.1

The demonstrable reasonable-security baseline — we lead with it.

NIST Cybersecurity Framework 2.0

The language the office's institutional counterparties and insurers speak.

SOC 2 / ISO 27001

What the office should be demanding from its wealth platform, bill-pay, and fund administrators — mostly consumed, not produced.

What fills the vacuum

FBI IC3 / Financial Fraud Kill Chain

The wire-recall mechanism behind the signature playbook — the single most operationally important reference on this page.

HNW insurer requirements

Personal-lines cyber riders and crime/fidelity underwriting questions are the closest thing an SFO has to an examiner. Treat them as the de-facto standard.

No regulator will ever ask for your incident-response plan. Your insurer, your bank, and your counterparties already do.