Family Office Security with EDWARD MARSHALL, CEO of PRESAGE GLOBAL https://youtu.be/uLbbZg52ABg In this conversation, Frazer Rice and Edward Marshall delve into the complexities of security within family offices, emphasizing the importance of understanding risk as a multifaceted concept. They discuss the vulnerabilities unique to family offices, the interconnected nature of various risks, and the necessity of a comprehensive approach to security that encompasses governance, internal threats, and physical safety. The dialogue highlights the need for families to engage with security experts who prioritize diagnosis over fear-based marketing, ultimately aiming to enhance the quality of life for families through effective risk management. Transcript Frazer Rice (00:01.173)Welcome aboard, Eddie. Edward Marshall (00:03.074)Hey Fraser, how are you? Frazer Rice (00:04.375)Great. Thanks. You are now a member of the two episode club. We've got a few of them out there. We one of my favorite ones was with you talking about there is no such thing as the family office, which I thought was a terrific bromide that I bring out every once in a while. It can be controversial depending on who you're talking to. Edward Marshall (00:23.15)So some people like that and some people hate when I say that, but it's all good. I mean, it speaks to the whole issues around family offices and I think some of the things that we'll probably talk about today around security is if you're defining it so many different ways, we've to look at it more as a process than some actual thing that we can put our finger up. Frazer Rice (00:46.421)Well, so security and whether it's family office or regular high net worth or people generally is foremost in the headlines these days. We had the United Health Care executive who got shot. We've got different scenarios of global conflict out there. The theft around financial assets is everywhere. The urgency in the family office space, though, it seems like it's really taken on a new thing. What is your experience with it? Edward Marshall (01:17.612)Well, mean, I think we could take a look at it from the perspective and start out with this, is risk is really what we deem it and how families and companies… offices and investors are looking at risk, they can perceive it in a lot of different ways. But I think one of the things that are important for high net-worth individuals or family offices is that some parts of their just organizational DNA create these engineered vulnerabilities. So what they are makes them more susceptible. And if you think of it just from the Willie Sutton effect, right? Why do you rob banks? Because that's where the money is. It's kind of myopic. Because you have to look at the other factors. What does the family office typically have as characteristics? You tend to have a very lean operation. There tend to be sources of time, line, agnostic capital. They have a lot of trusted relationships. Their customer is the family. And they're pretty agile. So a lot of those factors come together and make them attractive for bad actors in a lot of different aspects. They could also be politically outspoken, which attracts a different kind of attention to them. And so it is… It's really an ability to understand the nature of family offices and what makes them attractive for them because they have enterprise level wealth and oftentimes amateur or retail level security and risk management practices and processes in place. Frazer Rice (03:08.009)So how do you get your arms around it? When I hear risk, think, my gosh, you've got physical risk, you've got technological risk, you've got all sorts of other things. One of the frameworks you have is really these 10 domains of risk. And we may not list all 10, but how do you get your arms around it when you're helping a client think through what their vulnerabilities are? Edward Marshall (03:30.873)Yeah, think the 10 domains of risk that we have put together as kind of an organizational philosophy for Presage Global really harkens to the fact that traditional security, traditional risk management is very siloed. I've got my cybersecurity thing that I'm focused on, then I'm focusing on physical security. Unfortunately, risks and threats don't really respect your self-constructed silos. And that old school mentality tends to lead to lot of whack-a-mole behavior and reactive behavior to these types of risks that come out. So we came up with this framework. The risks range from privacy, technological, reputational, legal, operational, financial, and so forth. And the reason we came up with that is that we were seeing the interconnected nature of risks in this space, whether it's for family offices, companies, or investors. there's a lot of interconnectivity between these risks and they can cascade. So something that starts out as a privacy risk, exposed information, a bad tweet, an Instagram post that puts out some information around you can lead, cascade into reputational issues or financial… fraud types of issues or even legal fights depending on kind of the situation that's there. And if you're not looking at risk across these different domains, how they interact and really taking a deep dive to assess it, you don't look at the entire picture. And I think that combined with not just focusing on the shiny object of a technology driven Edward Marshall (05:31.617)approach to solving risk in these issues is important as well. Oftentimes you'll see folks that work in the security space or people that have purchased something to support them on security or risk management. They'll say, you know what, we're doing great because we have X, X software, X tool or whatever it may be. But they haven't even evaluated if they even need X tool that's out there or even if X tool is properly configured so you could be spending thousands of dollars hundreds of thousands of dollars or millions of dollars if you're a company on these tools, but if they're not properly configured then all that money is for nothing and it's and And it becomes like security jewelry. We've got all this stuff that's in place. We have cameras that are of X brand and they're doing all these things. We have firewall that is of Y brand and it's doing all these things. But if you haven't properly configured it or the people that are supporting you internally and externally… some of the externally creating supply chain risk there, then it's all for naught. it comes down, and it's similar in the work that you do. If you're not looking at somebody's entire trust and estate picture just beyond the documents that they're trying to draft, how do you figure things out? It has to be not just a black and white, here's a legal document for your trust and estate. It's part… archaeology, part anthropology, part psychology, multiple other science disciplines and other disciplines that come into it to develop a document, to develop a plan, to have an execution that actually keeps the family safe. Frazer Rice (07:30.315)So when, part of this seems like a real governance issue at the family level or at the family office level. When you see it done well, who owns this task, the security task at the family level? Because I could imagine the Generation One, the matriarch or patriarch, they wanna deal with it, but I'm not sure they're the best ones to be driving it. What is a good practice there? Edward Marshall (07:58.189)Well, listen, think risk management and security, oftentimes, whether you're talking about a Fortune 100 company or a family office, is looked upon as a cost center. And I think that's an unfortunate aspect to it, instead of an enablement factor for you to go and do the things that you want, right? Good security, good risk management for a family should enable the quality and improve the quality of life for that family. If you're constantly thinking of it, we have to spend X amount of dollars on our cybersecurity or planning for our travel or purchasing this trying to reduce my privacy footprint by buying some security tool that does that and says that I'll get all of your information off the web news flash. Not possible. You know, there's thousands of data brokers that are in this country. There's legislation that is going on in different states and at the national level to try to limit the aspects of the data broker stuff. But you know what? At the end of the day… Edward Marshall (09:14.178)that information is out there to nation states and to bad actors and try telling a hostile foreign country or a hostile hacker whether they're in Brooklyn or Belarus to remove your private information from their data sources. It's not going to happen. you have to, putting it in the perspective of governance is shifting the mindset away from Frazer Rice (09:31.318)Right. Edward Marshall (09:41.467)Just being a cost center and to how does this help? All of the family office operations that are there and the family improve their quality of life by keeping them more secure. And that's a critical step to it. Then having a robust plan and really looking at the plan and testing it. This may say simple, but if you're not, if you don't have a plan and you're just trying to patch things together and you're not testing that plan, then you're spending a lot of time and not of getting a lot of good results. If you're not thinking of security governance and risk management governance through a maturity model, understanding what good looks like, where we are today, where we want to go into the future, here's my gaps, here's the things that a good family office that's focused on this issue or a good company that's focused on this issue looks like, then I think you're missing out on a lot of things for these families to really keep them