Cyber vs IT vs Compliance

Cybersecurity providers, IT providers (such as a managed service provider), and compliance vendors do not perform the same functions, and you need to engage all three, independently of one another, to meet investor and regulator expectations.

What should you know – Regulators and investors are establishing independent audit as the standard for managing cybersecurity risk.

Cybersecurity in the Alternative Investment space requires specialist understanding of regulatory requirements, investor expectations, and the technology in use within the industry.

You wouldn’t ask your accounting team to audit themselves. Likewise, you should not ask your IT team or MSP to review their own work. Your compliance officer or provider, meanwhile, typically struggles to map cyber regulations onto the technical and administrative controls actually in place. Managers need an independent cybersecurity service to close that gap.

Read: The Importance of Independence

Why you should care – Cybersecurity is a serious problem for the alternative investment industry, and the damage from an incident is almost always financial and reputational.

Not having separate entities for cybersecurity, IT, and compliance can lead to:  

  • Missing up to 50% of fundamental cybersecurity controls.
  • Unreported gaps: Drawbridge analytics show that outsourced IT providers fail to report a significant number of missing cybersecurity controls.
  • Deficiencies identified during regulatory examinations, such as SEC exams.
  • Failure to meet regulators’ requirement that cybersecurity risk assessments be performed by knowledgeable and skilled individuals or vendors.
  • Inadequate cyber controls and reporting, because compliance professionals very seldom have the necessary technical and cyber experience.

A cybersecurity provider that specializes in the cyber risk management needs of the firm, its investors, and its regulators acts as a single point of mediation between technology and compliance. Drawbridge has the skills to draft written policies, deliver suitable staff training, and understand the most important functions (and related risks) within the fund.

The bigger picture – The management of cybersecurity has a lot in common with accounting and auditing.

Cyber regulation in the EU (the Digital Operational Resilience Act, DORA) and the US (the SEC) expects a firm to follow the three lines of defense model, as in audit and accounting, and to maintain appropriate independence when reviewing the manager’s cyber risks. Other regulators are at the discussion and planning stage of requiring matching controls, and large allocators are already demanding the same.

Read: 2024 SEC Examination Priorities for Cybersecurity in Registered Alternative Investment Funds

Get smart and take action – Use an independent cyber vendor for objective Cyber Risk Assessments, while using compliance and IT vendors as needed.  

By partnering your compliance firm, your IT provider, and Drawbridge, you cover all three needs: regulatory expectations, independent cyber administration, and focused IT requirements.

To learn more about Drawbridge’s solutions tailored to the Alternative Investment and Wealth Management space, contact a Drawbridge representative today.  

Contact Us For More Information