Cybersecurity due diligence is now an integral part of your fiduciary duties, whether you are subject to ERISA, applicable state law or another similar system. IMDDA hosted an on-line workshop featuring expert guidance on the regulatory requirements, fiduciary duties and best practices for a cybersecurity diligence investment manager. The pointers below are drawn from that recording:
1. Diligence documentation
Whether you are looking at your own organization or that of your partner, your first duty is to diligence the existence of effective, comprehensive documentation around cybersecurity, i.e. the existence of effective and up to date policies and procedures around each of these areas:
- Governance and risk assessment: Who is responsible and what are their duties? How is this measured?
- Access rights and controls: Who has access to what information? When and how? Look particularly at how access is restricted to that which is necessary for each job role and how off-site access is controlled (data storage, two factor verification for remote login, etc.)
- Data loss prevention: How does the organization protect the information it holds? What steps are taken to mitigate the risk of misappropriation of funds? (no USBs, specified formats for wire transfer requests, etc.)
- Vendor management: What data protection measures are employed by these organizations? Has due diligence been carried out to verify they are in place and properly implemented?
- Training: What is the content of the training? How is it given to employees and how often is it refreshed?
- Incident response: When an incident occurs, what is the correct procedure for dealing with it? What documentation must be produced around it? How does it affect the update of policies and procedures?
Action: Ensure you have verified documentation in each of these areas for your own organization and for all partner organizations.
2. Diligence implementation
Once you are sure that the organization has the theoretical framework in place for effective cybersecurity, it’s time to dig into the detail of what really happens in its implementation.
- Roles & responsibilities: Does everyone in the organization know who the CISO is and how to connect with them in the event of an incident? Is there an effective, functioning cybersecurity committee evidenced by meeting agendas and minutes?
- Training: Does everyone in the organization seem to have a good current knowledge of how to look after the organization’s data and that of its partners? How is the effectiveness of the training verifies and how often?
- Audit & reviews: Does the organization conduct penetration audits? If so, how often? What is the process for reacting to the findings of these audits? If audits aren’t a regular part of the cybersecurity procedure, what are the driving forces behind policy updates and reviews?
- Reporting: How does the organization create, manage, store and use the reports it generates on cybersecurity topics? What reporting obligations are shared by third parties?
Action: Structure your cybersecurity diligence to require evidence of each of these points from your investment advisers and their third party vendors.
3. Protect your organization
Lastly, no matter how sure you are of an organization's effectiveness in cybersecurity, you have a duty to ensure your organization is fully protected in case of a breach.
- Insurance: Cybersecurity insurance is becoming very commonplace but not all policies are created equally, so vetting these will be an essential part of your cybersecurity diligence. For your own policy you should focus on what is provided for in first party coverage and when looking at insurance provided by your investment adviser, you look at third party coverage.
- Side letters: These should cover all the expectations you have of a partner around cybersecurity including representations, warranties, covenants, certifications, testing, reporting, indemnifications and confidentiality.
Action: Request copies of the insurance policies taken out by your investment advisers and ensure with your legal team that your side letters cover off all necessary protections around cybersecurity.
To get more details on this area and other critical cybersecurity diligence investment manager processes, listen to the rest of the webinar here: