Q&A: Cybersecurity questions posed to ODD professionals

In case you missed it, Drawbridge broadcast a webinar entitled "Expert Insights on Cybersecurity in ODD" on November 15, 2023.

We were joined by Christopher Vella, Technical Due Diligence Analyst from Albourne Partners, and Lauri Martin Haas, Managing Director at Prism Alternatives. They are both deeply experienced operational due diligence professionals who shared their insights on how best to manage your cybersecurity program for optimized ODD processes.

After the session, our guest presenters received several questions from the webinar attendees regarding specific cybersecurity-related recommendations. Given the level of interest, we thought it would be helpful to share some of the audience questions here.

Q: Should you do due diligence on software/systems providers similar to Microsoft and Google?

A: To the degree that it can be done, yes. Large service providers won’t always answer due diligence questionnaires (DDQs), but this doesn’t mean that managers have nothing to do.

Managers can ensure that:

  • The third-party audits/certifications are documented (SOC, ISO, etc.) and managers should periodically ensure that those third-party audits/certifications are updated.
  • The firm takes measures to reduce risk when using third parties. For example, even if Amazon Web Services (AWS) is considered safe to dump periodic backups, perhaps the backups can be encrypted before upload. That’s an easy way to protect against potential compromise of that provider or compromise of user accounts.
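As an added illustration of the backup point above (not code from the webinar, its presenters or Drawbridge), here is a Go program that seals a backup with AES-256-GCM under a key held only on the manager's side, so the object the storage provider receives is unreadable without that key; the key, object name and backup bytes are constructed sample values, and binding the object name as associated data is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealBackup encrypts a backup blob with AES-256-GCM. The key never leaves the
// manager's environment; only the returned bytes are uploaded. The object name
// is bound as associated data, so a ciphertext copied to a different object
// name will not open. Layout of the result: nonce || ciphertext || tag.
func SealBackup(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per backup
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenBackup reverses SealBackup. It fails on a wrong key, a different object
// name, or any modification of the stored bytes (GCM authenticates them).
func OpenBackup(key []byte, objectName string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key := make([]byte, 32) // constructed: in practice loaded from a local KMS/HSM
	rand.Read(key)
	sealed, _ := SealBackup(key, "backups/2023-11-15.tar", []byte("constructed backup data"))
	fmt.Printf("upload %d bytes; provider cannot read them without the key\n", len(sealed))
}
```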


Q: How do you reconcile the tradeoff between managing a conflict of interest with a single cyber provider handling IT providers/managed service providers (MSPs) and cyber against the potentially prohibitive cost of hiring two providers for the smaller firms?

A: Smaller firms have historically been given some leeway if they have very simple systems and are rather nascent. In such cases, the IT providers are given a deeper look at what they are doing, cloud configuration and all-around culture of cyber readiness/awareness. However, we think with the new SEC rules, having a separate IT provider and cyber vendor becomes a cost of doing business.


Q: What is the view on needing a pen test if we have daily internal and external vulnerability scans?

A: These are two different things. Here’s the easiest way to delineate between the two:

  1. Vulnerability scans are processes that make sure that all software is up to date and patched, protecting the system from the most obvious attacks. When we hear that a manager is carrying out vulnerability scans, I think that their software is up to date.
  2. Penetration tests are processes that poke at the controls/protections that have been put in place to safeguard resources. A platform can pass a vulnerability scan and still be totally misconfigured, allowing users to access resources that they shouldn’t, or leaving in place insecure legacy authentication methods that should be removed. A penetration test can help you find those misconfigurations. So, when we hear that a penetration test was used, we think that their configuration has been tested by professionals and should be considered secure up to at least a certain baseline standard.
