Castle Hall Diligence, alongside other industry specialists and practitioners, was invited by AIMA to address the importance of cybersecurity preparedness in the alternative asset industry during a panel discussion held in Montreal on April 25, 2017. Contributing to the discussion was Castle Halls’ Max Kimpton – ODD Senior Manager.
Key takeaways were:
Technologists tend to emphasize the complexity of cybersecurity. This can overwhelm investors, who receive, every day, numerous emails from tech firms discussing (apparently never ending and ever more alarming!) technical issues. Asset owners do not need to be technical experts; they should, however be able to demonstrate reasonable, risk focused oversight over their external asset managers around cyber issues. How can investors ensure that their due diligence is effective to identify managers who may not be adequately protected against cyber attacks?
Cybersecurity is not one size fits all. Investors should be practical and recognize that managers will implement different policies based on their headcount, assets under management (and hence revenue), location and strategy.
Investors have to diligence very different types of asset manager organizations. Emerging managers may have more limited cyber resources, but may have more straightforward businesses which are, in the aggregate, easier to secure against cyber intrusion. Institutions may have highly developed (and impenetrably technical) cyber security structures, but can equally present a much larger target for determined cybersecurity criminals.
Long before cyber becomes “technical”, the first question at an asset manager is leadership:proper ownership must be taken by senior individuals within a firm who have political capital to mobilize all staff towards cybersecurity preparedness.
Status quo is not good enough:investment managers should continuously improve defence mechanisms rather than relying on a one-time implementation.
Cybersecurity due diligence is not just about the asset manager:the AIMA discussion highlighted the importance of subjecting counterparties and vendors to similar levels of cybersecurity diligence as undertaken by the asset owner themselves.
Mr. Kimpton’s comments echoed the DUE DILIGENCE UNIVERSITY™ (“DDU”) white paper, “Evaluating an Asset Manager’s Cybersecurity Environment – A guide for the operational due diligence practitioner.” The DDU white paper provides operational due diligence practitioners with practical guidance on how to approach the review of an asset manager’s cybersecurity preparedness within the context of a comprehensive operational due diligence review. The paper highlights ten categories of cybersecurity questions to ask asset managers and helps investors evaluate manager responses.