Why is cybersecurity important? Effective cybersecurity allows you to:
- Protect confidential and proprietary information
- Mitigate operational and investment risk
- Mitigate the risk of misappropriation of funds
- Protect against reputational damage
- Ensure compliance with fiduciary duties and regulatory requirements
The cybersecurity investment due diligence checklist
Here is a skeleton outline of the questions and areas you can use to structure the cybersecurity part of your due diligence questionnaire:
- Information Governance: Are there data inventories? How is data storage managed? Who takes ownership of this?
- Data Privacy: How is sensitive information used? Who can access and how?
- Risk Assessment: Is risk assessed through a structured process, at regular intervals?
- Strategy & Program Design: Are there documented policies and procedures? Is there a formalized governance process?
- Information Security: Are there processes in place to protect, detect, respond and remediate threats?
- Cyber Threat Intelligence: Is there a process in place to proactively understand and manage the threat environment?
- Incident Response: Is there a documented plan in place as to how to respond to an incident? Is there an adequate and tested disaster recovery process?
- Cyber Insurance: Are the policies structured to effectively mitigate all aspects of cyber risk?
- Industry: Is there a process in place to understand the valuable assets and associated threats of that specific industry?
- Business: Is there a process and plan in place to involve all business units in security?
- Cultural: Is there an awareness of the importance of security and do all insiders understand their role in maintaining that security?
- Financial: How is the security program funded and is there a process in place to ensure that investment benefits are maximized?
Part 2: More specific questions
In addition to the basic structure of your due diligence questionnaire, we also provide a list of more specific questions that can be helpful to deploy during on-site visits and where the response to your due diligence questionnaire merits further investigation on your part.
- What third party due diligence do you conduct with regard to cybersecurity?
- How often do you update your policies and procedures?
- Who is your CISO? How is their role seen by the rest of the business?
- Who is on your cybersecurity committee? How often do they meet? What were the actions from their last meeting?
- What experiences have you had with cyber events over the last 6-12 months? What was the severity? What was your response like?
- What third parties have access to your data?
- What encryption processes do you use?
- Do you use multifactor authentication?
- Where is information stored and by what means can it be shared or sent outside the organization by employees? Digitally or physically?
- What are the details of your training programme? What is the frequency?
- Is all your IT internal or do you outsource all/part of it?
- Do you conduct penetration audits and, if so, how often? What was the result of your most recent one?
- Are USBs permitted for use in your organization?
- Can employees log on off-site? Where can/do they use their credentials?
- What are your off-site and disaster recovery capabilities?
- What protections do you put around wire transfers? Do you limit them to authenticated accounts or require a specific format for the request?
- What provision does your insurance make for third party coverage?
- What exclusions are there to your cyber insurance policy?