In an era where digital threats are more sophisticated than ever, cybersecurity has become a pressing concern for family enterprises. With their interconnected structures, valuable assets and sensitive information, these businesses are prime targets for cyberattacks. But how can family enterprises protect themselves while maintaining operational efficiency?
In this episode of Beyond Succession, host Leah Tolton is joined by Bennett Jones associate, Suzie Suliman, as they dive into the cybersecurity challenges unique to family businesses and how to mitigate risk. They discuss why family enterprises are particularly vulnerable to cyber threats, balancing cybersecurity with seamless business operations and practical steps to fortify your defenses like vendor management and incident response planning.
Whether you are navigating leadership transitions, managing complex governance structures or handling day-to-day operations, this episode offers actionable insights to safeguard your enterprise's legacy in the digital age.
Transcript
Suzie Suliman: [00:00:00] With the adoption of technology and technology, you know, improving so quickly, it's led to more instances of cyber attacks. And we've seen that really since the pandemic, where organizations have been going online more and relying on cloud technologies and environments to store their data. And that is kind of one of the main areas where we see cyber attacks is in the cloud environment, because that is, you know, where the most significant data assets will lie. We also see, you know, with generative AI, threat actors are becoming a lot more sophisticated, quicker, more efficient, and that results in, you know, more significant risks for organizations.
Leah Tolton: [00:00:41] Welcome to Beyond Succession, a podcast series within the Bennett Jones Business Law Talks podcast that discusses topics around navigating the complexity of the family enterprise. I'm Leah Tolton, partner at Bennett Jones, LLP, and I'm a family enterprise and corporate lawyer, passionate about helping family enterprise businesses navigate the complexities of governance, succession, and growth.
Before we begin this podcast, please note that anything said or discussed on this podcast does not constitute legal advice. Always seek proper advice from your legal advisor as every situation is different. And outcomes can vary in this episode, we're tackling a topic that's becoming increasingly critical in our digital age, cybersecurity for family enterprises, the stakes are high from phishing scams to ransomware, the risks are real, and the consequences can be devastating financially.
Operationally and even to your reputation. Joining me today is Suzie Suliman, a corporate and intellectual property lawyer at Bennett Jones, who helps clients protect their technology assets. She also assists clients, prepare for, and respond to data security incidents. Welcome, Suzie, to the podcast.
Suzie Suliman: [00:02:10] Thanks so much for having me, Leah, I'm happy to be here.
Leah Tolton: [00:02:13] Before we dive into the topic of cyber security for family enterprises, here's an interesting fact about Suzie that I wanted to bring up. Suzie, prior to your legal career, you actually obtained a bachelor's degree in electrical and biomedical engineering. And I understand that during your time in engineering, you designed and implemented an EEG monitor and artificial intelligence software aimed at detecting seizures.
Can you tell me a little bit about that?
Suzie Suliman: [00:02:40] Sure. Thanks for flagging that fun fact, Leah. Um, yeah, that's right. I did study electrical and biomedical engineering. And, um, in my final year, we had to complete a capstone project where we essentially applied all of the skills that we learned throughout our program.
And we were asked to choose a real-world problem and develop a solution for it. So my team and I were looking at epilepsy and through our research, we learned that epilepsy can impact an individual's independence and can result in higher rates of psychological conditions such as anxiety. And so we set out to develop something that would help individuals gain more independence and lessen the psychological impacts. There were tools available on the market at the time, but they were just either really expensive and not accessible, or they didn't have a high degree of accuracy.
And so what we ended up creating was an EEG monitor. So it was something like a hat that can be worn and it would read the individuals, um, the electrical activity in the individual's brain. And then the software that we developed to go with it would essentially learn what is typical brain activity for that person. And it would detect when there was abnormal activity going on, um, which would be reminiscent of having a seizure. And so what it would do is it would either set off an alarm or call for help.
And we were very proud of that accomplishment because, yeah, it was, it was pretty accurate according to our testing and it was a lot cheaper than what was available on the market at the time.
Leah Tolton: [00:04:07] Well, congratulations on that achievement. I can see that you have a longstanding interest in protection of ideas and intellectual property. So you're perfectly suited to speak to us about things that are related to that today.
Suzie Suliman: [00:04:20] Thank you so much. Yes, I love what I do.
Leah Tolton: [00:04:22] Great. Now, when I talk about a family enterprise, I think of an organization that has you know, maybe a collection of parts. It often has an operating company that would carry out whatever business it is that, uh, the family owns, operates, has, has perhaps run for years.
Often includes some entity that owns some real estate. Includes sometimes, um, a separate company with other investments in it. Maybe some investments that might be deferred and received in the future might include some things that are going to be inherited, uh, might include some philanthropic assets, all the things and the connections that the people in the family have.
So there are a lot of moving parts and pieces in a family enterprise, when I describe it that way. With that in mind, can you start by giving us an overview of the cyber security landscape, and what are the main threats that an organization like I've just described should be aware of?
Suzie Suliman: [00:05:26] For sure, yeah.
I mean, with the adoption of technology, and technology, you know, improving so quickly, it's led to more instability instances of cyber attacks. Um, and we've seen that really since the pandemic, where organizations have been going online more and relying on cloud technologies and environments to store their data. And that is kind of one of the main areas where we see cyber attacks is in the cloud environment, because that is, you know, where the most significant data assets will lie. Generative AI threat actors are becoming a lot more sophisticated, quicker, more efficient, and that results in, you know, more significant risks for organizations.
The big one, and you mentioned it earlier, is ransomware, um, and that's essentially where a threat actor will deploy malware onto somebody's systems, um, and that just means that it becomes inaccessible. And they will offer the company a decryption key in exchange for a ransom. This is often combined with also stealing their data.
And then they use that as a dual extortion technique, essentially. Aside from malware, uh, ransomware, sorry. Uh, phishing and social engineering are big ones and they continue to be issues. And as I mentioned with AI, I think those are becoming even more sophisticated. And one of the big things that I found really interesting is that there's been an increase in advertisements for access brokers. So there are people out there who will just, um, essentially crack how to get into your system, but they don't do anything with it other than they sell that information on the black market to people who will buy it. And then they are the ones to ultimately, um, do the malicious activity in your systems.
So that's been an interesting development in recent years.
Leah Tolton: [00:07:06] I hadn't heard about that one. That's, uh, that's interesting that people are making a business of selling your information to people who are going to abuse your business.
Suzie Suliman: [00:07:13] Exactly. And so the attacks are becoming more sophisticated, um, and so we just have to keep changing our approaches to keep up with that landscape.
Leah Tolton: [00:07:21] Mm hmm. So, you know, given the, the kind of organization I described as a family enterprise, you know, why are those kinds of organizations, family enterprises and family offices, You know, which can organize a lot of things for both the family business and the family. Why are they particularly attractive targets for cyber attacks?
Suzie Suliman: [00:07:41] Yeah, they have become very attractive targets for cyber attacks because of the unique benefits that they provide. So as you mentioned, you know, they may be a collection of different companies that are connected together. So if a threat actor can gain access to a family enterprise, not only are they able to take advantage of one company, they can take advantage of a collection of companies or also the individuals that lie behind that. Um, so that is a quite a unique advantage for threat actors. Unfortunately, there is also an interconnectedness between the people that are operating the fan family enterprises and the companies themselves. And so it's easier given, you know, social media and all of the information out there on the internet for threat actors to conduct social engineering and similar types of attacks because they have more information to use that would look realistic.
And then historically family enterprises and offices have prioritized efficiency over cyber security. And generally, I think from a threat actor's perspective, they tend to go for the organizations that have enough assets or value for them. to, for it to make, you know, their efforts worthwhile, but also that are not the most sophisticated on the cybersecurity front so that they do have a chance of getting in and gaining a benefit, which kind of tends to match, you know, the family enterprise family office dynamic.
Leah Tolton: [00:09:01] So, okay. So that raises an interesting point. You know, you, you talked about the occurrence of prioritizing efficiency over cybersecurity. You know, is that one of the most common gaps that you see in cybersecurity practices or are there other gaps that you see?
Suzie Suliman: [00:09:16] For sure. It's definitely one of the big ones.
I think, um, you know, lots of organizations tend to view cybersecurity as, you know, a challenge as opposed to a benefit to their organization because it adds additional layers or steps that they have to take. Another big one, I think, is just lack of continuous, um, training, understanding the current landscape and staying on top of what's going on in the industry and feeding that knowledge back down to your users. So making sure that your users are aware of what's out there and that they're continuously trained and it's you know top of mind for everyone and then third party risks, I think are becoming a big one where people that you do business with, whether it be your vendors or suppliers or, you know, other people that may connect it to your network, um, they may provide other vulnerabilities for you as well.
So you always have to be aware of that in your contracts and in your due diligence when you're onboarding third parties.
Leah Tolton: [00:10:08] You’ve talked about ongoing training. You've talked about, uh, ensuring that your third party suppliers are committed to ensuring that there is security over data that you provide to them.
It sounds to me like there are some human factors, some human vulnerabilities that play into this. And so, you know, what can, are there other things that businesses can do to mitigate that human vulnerability, that human risk in the system?
Suzie Suliman: [00:10:34] For sure. I think the human factors, um, are one of the biggest factors when it comes to the risks to your organization you may have.
So, um, I'm going to be talking about the training and creating that culture of awareness, where people think twice before they click on a link or check things before they provide information to people they're not expecting information from, things like that. Individuals may have poor cyber hygiene. A big one also is using weak passwords or, you know, using the same password for personal and business accounts, that's very big vulnerability.
So, all that can lead to risks for business and ways to mitigate those risks, as I said, and it's gonna be a recurring theme for sure, is just training your staff on proper cyber hygiene. So, repeating that training regularly and making sure it's not just, you know, when they first get hired, but maybe, you know, at a, regular interval, conducting phishing expeditions and just creating that culture of cybersecurity awareness, making that training appropriate for the person's, you know, role is important as well.
And I think something that makes people more accountable for their own cyber hygiene is incorporating cybersecurity awareness and training into, um, you know, annual reviews and compensation. I think that that tends to be a pretty effective way of mitigating the human aspect of those risks as well as implementing, you know, security policies that require people to, you know, have certain requirements for their passwords or their email hygiene and how they are allowed to use their own devices.
What kinds of, you know, uses are acceptable or not acceptable. All that kind of helps mitigate those human risk factors as well. And another one that I think is really important to note is that limiting access, so not providing everyone with unlimited access to all data. So making sure that only people who need to have access to data have that access helps mitigate risks as well.
Leah Tolton: [00:12:33] Great. So there's a lot to think about and a lot of potential weak points, shall we say, and there are things that you need to think about to cover off each of those points. So, you know, moving on to the legal consequences of this, what, from a legal standpoint, are the key liabilities that family enterprises face if they experience a cyber attack?
Suzie Suliman: [00:12:59] Yeah, I mean, lots of liabilities that they may face, but the big ones really are, you know, financial loss, whether it be from fraud, paying a ransom, having to recover from an incident, you may have to onboard, you know, forensic experts or legal experts and other resources that you may need to hire to help.
Recover from an incident, make sure you're meeting your legal obligations, the business interruption, or even the strain on your business resources, um, can have financial impacts to family enterprises. Other ones tend to be, you know, unauthorized access to sensitive or proprietary business information. If somebody gets access to your trade secrets or your important IP or confidential IP, you may lose business advantages there.
And if people gain access to, you know, personal information, whether it be employee personal information or customer information, you know, you may have regulatory requirements to notify those individuals or the privacy regulator. It could expose you to reputational harm, regulatory investigations, or even class action lawsuits.
Leah Tolton: [00:14:02] Wow. I guess that makes sense when you consider the number of inputs that, you know, provide support to the enterprise as a whole and the number of players that there are and the number of steps that you need to take in order to try to protect against vulnerability from each of those players.
You mentioned earlier in our conversation, ensuring that contracts with anyone that provides services, uh, require them to be, require the subcontractors rather to be employing, uh, cyber protectors.
How do you, how do you negotiate that? Is that a, is that an industry standard now? Are there policies that you develop and point to and say you must comply with this? What does that look like when you're approaching those contracts?
Suzie Suliman: [00:14:47] Yeah, I mean, in Canada, it hasn't become a general, I think other than in the province of Quebec, to have, um, data processing agreements in place, although it is a best practice and it's definitely strongly recommended.
So whenever you onboard vendors that may have access to sensitive information, you'll want to make sure that they are required to comply with, you know, applicable privacy laws that they have appropriate security mechanisms in place that if there is an incident, um, that they experienced that may impact your information, that they will notify you about that and maybe that they'll help you recover that they'll provide appropriate information. You know, you want to impose those obligations on them to make sure that they are taking the same measures to protect your information as you would with your own. And it's important as well in those contracts to look at things like your indemnities, your limitation of liability, insurance requirements, you know, managing that risk and, um, the financial risk as well.
So not only, you know, on the front end is making sure that they are taking the appropriate steps to protect your information. But also, you know, if the worst case scenario happens, you know, what does that risk exposure look like? And how are we sharing that financial burden between us? Um, I think those are all really important things and it's becoming really common, really with vendors to have these discussions and making sure that.
You know, these kinds of terms are incorporated into agreements as appropriate and even previous agreements. Maybe you have long term relationships with vendors, but you know, revisiting those agreements and making sure that you're properly protected is really important.
Leah Tolton: [00:16:18] You've just raised a point I was going to ask you about and that is, you know, when you're in the middle of your day to day business and you need to get the service now or someone has put you under pressure because something needs to be accomplished by a certain time, it would seem to me that people under those kinds of time pressures and deadlines probably would be less likely to read all of these terms closely.
And so I think what you're suggesting here is that either people should have an, uh, a resource in their own world, in their own staff that can, you know, pay attention to the things that you've listed or that they should get some legal advice before they sign these things. Am I on the right track there?
Suzie Suliman: [00:16:58] For sure. I think those are really important things to have on your side, especially when urgency is, is a factor.
Leah Tolton: [00:17:04] So, you know, we've already talked a bit about some of the protection strategies and one of the, that, that you'd recommend, one of them being paying close attention to contractual terms, uh, one of them being paying attention to human factors and creating a culture of training and cyber awareness.
Are there any other examples of strategies that a family enterprise could take to enhance their cybersecurity?
Suzie Suliman: [00:17:25] Uh, yeah, for sure. I mean, we, yes, talked about a lot of the big ones. The training, the, you know, policies and practices, creating that culture of cyber awareness. All of those are very important.
I think another one is to identify, you know, your most important crown jewels. So you say, and like, what are the most important data assets that you have and prioritize those, um, make sure that. You have appropriate cyber security measures in place based on the sensitivity of information, you know, it's that balance between the efficiency and the cyber security.
So, you know, maybe you have more stringent cyber security measures on your more important assets and less so on. less sensitive information. And that might be a way that you, you know, balance those two things.
And back to the kind of having the appropriate policies and practices in place. I think it's really important to make sure you're in a good stand, uh, in a good place from that perspective.
So, you know, having appropriate password policies, backup policies, incident response plans. Lots of employees are working from home these days. So, you know, having a working from home policy, um, what's an acceptable use? Can you bring your own devices? AI is a big one, you know, how can you use AI or, you know, what's the organization's stance on AI is an important one as well.
Leah Tolton: [00:18:40] Mm hmm. So, you raised a point there that I'd like to, to explore a little bit further. Let's assume the worst happens here and we do have an incident. You know, someone breaches, someone, uh, freezes the system, claims a ransom, you know, they've got access to your data, you're finding out it's being misused.
Describe for me what an incident response plan is and how it could respond to that kind of scenario.
Suzie Suliman: [00:19:03] Yeah, for sure. So an incident response fund will essentially set out, you know, different levels of incidents because not all incidents are the same and not all incidents, you know, require the same kind of response.
So it could be as small as sending an email with somebody's personal information to the wrong individual, or it could be as big as a ransomware attack that impacts, you know, you know, all aspects of the business. As you can imagine the way that you respond to those two different scenarios, they require different resources and different things.
So your incident response plan would categorize, you know, what kinds of incidents that your company is likely to experience and, um, you know, how you should respond to each one at what level do you escalate, um, it would set out who's responsible for different things. So you need to think about, you know, who's responsible for making legal decisions, who's responsible for making technical and security decisions who, you know, may communicate internally or externally.
You may want to include your vendors, right? Like, who's your preferred friends and vendors? Who is your cyber insurer if you have one? You know, at what point do you contact these people and get them involved? And what your cyber incident response plan does is essentially it makes sure you're prepared to respond to incidents, that you're doing it in the most efficient way possible.
And that you're minimizing the risk of operational, financial, and reputational damage. Um, so it is a really important tool to have. And the other thing that I will say about those is it's also really important to have not just a digital copy, but a physical copy of that. Because if you do experience some kind of ransomware type attack where you can't access your systems, you want to be able to have it readily accessible to you, you know, if you ever need it.
Leah Tolton: [00:20:42] Right. You haven't mentioned in this conversation, things that we are asked about repeatedly on various platforms, things like, you know, multifactor authentication or claims to or requirements for data encryption. Where do they fit into these strategies? Are they a granular part of it? Are they a separate part of it? How do they fit in?
Suzie Suliman: [00:21:06] Yeah, they're definitely a part of the strategy. I think maybe you know, so family offices or really any business should employ physical, technological and organizational measures to protect their data assets. And those measures need to be consistent. As I said earlier, with how sensitive that information is, MFA and data encryption are kind of the two most common technological measures that organizations employ to protect their data assets.
I think they're, you know, very easy to implement. They provide very strong protection because if a threat actor gains access to your systems or to your email or whatever it is. These things make it more difficult for them to get in so it's a very important defense mechanism. Then you also have to think about your organizational and your physical measures. So your physical measures might be, you know, locking paper documents in a room where only some people have access to it, and your organizational measures, um, you know, will be like your policies and things like that, you know, what kind of information can be communicated by email, and what can't, and things like that.
At what point do we delete information and all of that. So all of it kind of works together to protect you from cyber incidents.
Leah Tolton: [00:22:15] Okay, so there, there's a lot to think about. There's a lot to plan for. Let's move from talking about specific or even broad strategies and talk about next steps. If, if we're, if someone is listening to this episode and they're thinking, wow, this is, there's a lot of moving parts. There's a lot of information. There's a lot to think about. There's a lot to prioritize. And they're just starting to think seriously about this and feeling overwhelmed about that. What are the first questions they should ask either their IT providers, their advisors, whoever it is that they go to for guidance on this. Where should they start?
Suzie Suliman: [00:22:53] Yeah, I think one of the most important things are where they should start is conducting an assessment. You know, what is it that? My enterprise or my organization? What are my greatest risks? What would be really detrimental if it happened to me? I think that's really important is just to start with that lens.
What kind of measures do we have currently in place to protect information? Are we monitoring for threats? Do we comply with privacy laws? What happens if a breach occurs? Do we have any mitigation measures, whether it be insurance, contractual requirements with our vendors, different things like that, understanding, you know, what your financial risk exposure is, and you have experienced or your vendors have experienced any security incidents in the past.
How have they been remediated and what have you learned from those experiences?
Leah Tolton: [00:23:45] I wonder, you know, when we're dealing with the family enterprise, and we're talking about the people, I said that the people form part of the enterprise, and when we're dealing with the family enterprise, we might be dealing with multiple generations of people, right?
We might have more than one generation of owners. We might have more than one generation of family members who may be involved in the business or not. How can the next generation of family members, the people who are coming up behind those who are operating the business or who are leaders in the family now, how can the next generation play a role in advancing Cybersecurity within their family enterprises.
Suzie Suliman: [00:24:23] Yeah, I think the next generation is uniquely positioned to be able to champion the adoption of cybersecurity practices and improve those measures going forward. I think, um, you know, people that grew up within the family, they have a really deep understanding of the business, what its most important data assets are, what the business absolutely cannot operate without, and so they're able to kind of make more educated decisions about, you know, where to dedicate resources and how to adapt to the changing landscape. They can support dedicated cyber budgets and advocating for proper cyber hygiene and just fostering that culture of cybersecurity from the top down.
Leah Tolton: [00:25:03] And so, you know, in your experience, was the level of understanding or involvement with, um, cyber issues different at different generations within the family enterprise?
Suzie Suliman: [00:25:15] I think it can be. I think it's, it's, um, something that is developing more so in recent years. And I think the younger generations tend to be a little bit more aware or familiar with these issues, but it's definitely growing.
Leah Tolton: [00:25:29] Yeah, so, so it's more, there's more general awareness than there might be within my own family where I call on my kids for tech support. You know, you mentioned an emerging challenge earlier on in our conversation about, uh, you know, people who are now scanning the landscape for potential areas of vulnerability and selling that information.
What other emerging challenges should family enterprises start preparing for now?
Suzie Suliman: [00:25:53] Yeah, I think, I mean, the emerging challenges are here already, um, as I mentioned with those access brokers, but they're just getting more sophisticated and, and stronger. So AI is another, what I would call an emerging challenge.
Um, it's helping threat actors become quicker, smarter, more efficient. And it's important to understand how AI can impact things like social engineering and how those kind of, um, clues. Can change with the use of AI. I think it works both ways, though, because it could also be used to improve defensive tools, which is for our better bet.
But the other thing I think is really important is in this digital era that we're in where communicating information on very broad platforms is very easy. The risk I think AI works both ways, though, because it could also be used to improve defensive tools, which is for our better bet. But the other thing I think is really important is in this digital era that we're in where communicating information on very broad platforms is very easy.
The risk of reputational harm and the importance of managing your brand are even more apparent and the risk of reputational harm and the importance of managing your brand are even more apparent and uh, bigger now than they were before. I think, you know, if you suffer a cyber attack, it could be on the front page of the news within hours, as opposed to, you know, what we used to see before, where it kind of go under the radar.
Leah Tolton: [00:27:09] Right. So, you know, given the speed with which the damage could be caused and the extent to which the information may be shared, you know, what resources or tools would you recommend for listeners who want to learn more or take their first steps toward a robust cyber security strategy?
Suzie Suliman: [00:27:29] Yeah, I think a very important resource that you should use is your professional advisors, whether it be, you know, your legal advisors, your IT or other technical expertise and your insurance advisors.
I think. They can all help you position yourself better to be prepared for these incidents to understand your vulnerabilities and to respond to them. And I think another important one is just reading the news or other publications, understanding the present state of the industry. Lots of forensic investigation companies put out reports of, you know, what's happened in the past year.
What are we seeing? I think understanding where the greatest risks are will help you make those decisions, um, and how to respond to those risks. And also, um, security certification programs. Um, they can also be a helpful resource as well. So you understand, you know, where we need to be to have appropriate security measures.
Leah Tolton: [00:28:17] To summarize, I think what you have said here is that it's really important for family enterprises really to start with the big picture. You know, what are the big picture pieces of information we have or ideas we want to protect or personal information we don't want out there, what the real important things are, and then identify what the really appropriate or responsive kind of resources might be that are available that would help.
Respond or protect those particular resources and really make an action plan that starts with the priorities and works out from there. It's probably difficult given all of the pieces that are involved, both business pieces, family pieces, personal pieces, you know, to address all things at once. But really it sounds like you're recommending a priority setting plan, both in terms of assessing what the risks are and deciding which resources to use. Have I got that right?
Suzie Suliman: [00:29:09] Absolutely. I think if you can break it up into digestible chunks, um, it's, it’s definitely, you know, it gets you one step closer and I think, yeah, it's very overwhelming to try to do it all at once for sure.
Leah Tolton: [00:29:20] Yeah. And, you know, and as I often say to people in respect of other aspects of their planning, whether it be succession planning or corporate planning or whatever, I say, you know, don't wait until the timing's perfect.
You know, perfection is the enemy of the good. Really just start, right? Decide what's the most important thing and start working on that and you can always build up from there.
Suzie Suliman: [00:29:40] Absolutely. Yes, that's right.
Leah Tolton: [00:29:42] Great. Well, this has been a really interesting conversation, Suzie. Thank you so much for your time and for sharing your wisdom with our listeners here on Beyond Succession.
Is there one last comment you'd like to make for our audience before we sign off?
Suzie Suliman: [00:29:53] Thank you so much for having me. I think really the takeaway is operational efficiency and security go hand in hand. You can't have one without the other. Um, and so yes, like we said, take it in digestible chunks and, and get started.
Leah Tolton: [00:30:07] Thanks for joining me on this episode of Beyond Succession, a series within the Bennett Jones Business Law Talks podcast. Make sure to hit the follow button on whatever platform you are listening from so you get notified whenever we release new episodes. Also, don't hesitate to reach out if you have any questions about challenges or issues that you are facing in your family enterprise.
Take care. I'll catch you in our next episode.
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.
Bennett Jones