Putting together a cybersecurity investment due diligence checklist

Posted by Andrew Borowiec on Apr 26, 2018 9:23:00 AM

putting-together-a-hedge-fund-due-diligence-questionnaire

Why is cybersecurity important? Effective cybersecurity allows you to:

  • Protect confidential and proprietary information
  • Mitigate operational and investment risk
  • Mitigate the risk of misappropriation of funds
  • Protect against reputational damage
  • Ensure compliance with fiduciary duties and regulatory requirements
With these factors in mind, you can see why cybersecurity diligence has become an essential area for any investment manager. IMDDA hosted an on-line workshop featuring expert guidance for a cybersecurity diligence investment manager. We have drawn some of the best practices highlighted in that recording:

The cybersecurity investment due diligence checklist

Part 2: More specific questions

Here is a skeleton outline of the questions and areas you can use to structure the cybersecurity part of your due diligence questionnaire:

  • Information Governance: Are there data inventories? How is data storage managed? Who takes ownership of this?
  • Data Privacy: How is sensitive information used? Who can access and how?
  • Risk Assessment: Is risk assessed through a structured process, at regular intervals?
  • Strategy & Program Design: Are there documented policies and procedures? Is there a formalized governance process?
  • Information Security: Are there processes in place to protect, detect, respond and remediate threats?
  • Cyber Threat Intelligence: Is there a process in place to proactively understand and manage the threat environment?
  • Incident Response: Is there a documented plan in place as to how to respond to an incident? Is there an adequate and tested disaster recovery process?
  • Cyber Insurance: Are the policies structured to effectively mitigate all aspects of risk associated with cyber?
  • Industry: Is there a process in place to understand the valuable assets and associated threats of that specific industry?
  • Business: Is there a process and plan in place to involve all business units in security?
  • Cultural: Is there an awareness of the importance of security and do all insiders understand their role in maintaining that security?
  • Financial: How is the security program funded and is there a process in place to ensure that investment benefits are maximized?

Part 2: More specific questions

In addition to the basic structure of your due diligence questionnaire, we also provide a list of more specific questions that can be helpful to deploy during on-site visits and where the response to your due diligence questionnaire merits further investigation on your part.

  • Who is your CISO? How is their role seen by the rest of the business?
  • Who is on your cybersecurity committee? How often do they meet? What were the actions from their last meeting?
  • What experiences have you had with cyber events over the last 6-12 months? What was the severity? What was your response like?
  • What third parties have access to your data?
  • What encryption processes do you use?
  • Do you use multifactor authentication?
  • Where is information stored and by what means can it be shared or sent outside the organization by employees? Digitally or physically?
  • What are the details of your training programme? What is the frequency?
  • Is all your IT internal or do you outsource all/part of it?
  • Do you conduct penetration audits and of so how often? What was the result of your most recent one?
  • Are USBs permitted for use in your organization?
  • Can employees log on off site? Where can/do they use their credentials?
  • What are your off site and disaster recovery capabilities?
  • What protections do you put around wire transfers? Do you limit them to authenticated accounts or require a specific format for the request?
  • What provision does your insurance make for third party coverage?
  • What exclusions are there to your cyber insurance policy?

To get more details on how to be a more effective cybersecurity diligence investment manager, listen to the rest of the webinar here:

Access our webinar recording and slides on Cyber Due Diligence

Tags: Due Diligence, Cyber Security

Due diligence questions?

ASK AN EXPERT
In-house customized training solutions