The increased regulatory demand for operational resilience is reforming how the alternative investment space manages cybersecurity.
Cyber risks are a top concern for fund managers, investors, and regulators due to the immense potential for financial, operational, and reputational impacts that cyber incidents pose. High-profile cyber events like Microsoft’s CrowdStrike outage reiterate the need for firms to invest in comprehensive cyber risk management and mitigation strategies.
Drawbridge recently collaborated with TMF Group and other cybersecurity providers on The Survival of the Fittest playbook, which looks at how asset managers and their investors can best adapt to the changing industry and regulatory environment. Below, we cover some of our top takeaways:
What’s the biggest source of cyber risk for asset managers?
Cyber risks can originate both internally and externally, with both types presenting unique challenges.
Internal vulnerabilities often stem from a lack of cyber hygiene among staff members. A significant source of risk is a lack of awareness among your teams of the most critical business functions, whether internal or outsourced. Adequate knowledge of these functions is key to creating a comprehensive play in the event of a cyber incident or outage.
Addressing these risks requires increased cyber awareness training and the implementation of standardized technologies and systems that can enable uniform internal practices. Externally, funds are exposed to a whole new world of risks, including from their own portfolio companies and vendors.
Mitigating both internal and external risks necessitates a dynamic cyber program that can adapt to changing threats. What may be the biggest threat to your firm today can change in the blink of an eye.
The cyber impact of the regulatory environment in 2025
Global regulators have been working diligently for several years to solidify cybersecurity protections and standards into national and international laws.
The EU’s Digital Operational Resilience Act (DORA) is a prominent and relevant example, as covered entities must officially begin applying the legal standard as of January 2025. More recently, the Reg S-P amendment added a new layer of complexity to SEC compliance by taking more precise aim at the cyber risks posed by third-party vendors, and the SEC published its 2025 examination priorities.
All of these regulations are helping to build a more transparent asset management industry where instances of a cyber attack are addressed and reported quickly.
However, many regulatory rules talk about using proportionate measures, which can be difficult for asset managers to understand without proper benchmarking practices in place.
Continuous risk assessment, documentation, and incident response planning will prove critically important. Beyond foundational training like phishing tests, adopt a cyber solution that can offer cyber program benchmarking. With this capability, you can better measure your systems and practices against your peers and competitors, giving your firm a stronger understanding of current industry standards.
Transform your cyber program into a forward-thinking strategy
Building an effective cyber strategy that can achieve such transparency will depend on two factors—staff engagement and forward planning.
The growing complexity and sophistication of cyber risks have presented a new array of challenges to the asset management space, including managing new liquidity pressures to build greater resilience.
Solving such challenges comes down to adaptability.
Asset managers must prioritize cybersecurity through clearly defined internal processes and rapid incident response to achieve long-term operational resilience.
At Drawbridge, we provide more than 1,000 funds with industry-leading cybersecurity software. Our experts can help you assess your current cyber posture, benchmark against your peers, and develop the testing processes and policies you need to stay safe.
References:
- Microsoft article, July 2024 “Helping our customers through the CrowdStrike outage”
- TMF Group publication, January 2025 “Survival of the Fittest – A Playbook for Success”
- Drawbridge article, November 2024 “How to Prepare Your Firm for SEC Compliance in 2025?”
- U.S. Securities and Exchange Commission, October 2024 “Fiscal Year 2025 Examination Priorities: Division of Examinations”