Managing Cyber Resiliency While Switching MSPs: A Case Study

Switching MSPs had the potential to destabilize this Hedge Fund’s cyber program and introduce unwanted risks. The firm worked closely with Drawbridge to make sure that didn’t happen.

Using a Managed Service Provider (MSP) to oversee IT infrastructure is common amongst Alternative Investment Managers. We at Drawbridge understand that working closely with an MSP is central to building a robust cyber program, both to translate the cyber plan into IT controls that protect the Manager and to validate the effectiveness of those controls day to day.

For one Drawbridge client, the transition of MSPs was viewed as fraught with risk, and a central goal of the migration plan was to ensure that the well-structured cyber defenses were maintained and strengthened as the new MSP stood up a new technical environment with enhanced IT, data and user controls aligned with their business goals.

Business challenge

For this $1.5B AUM Hedge Fund client, cybersecurity was a top board and C-suite priority. As the firm began building and optimizing their cyber program with Drawbridge, the Hedge Fund realized their MSP was not satisfying their needs as a firm. To have the robust cybersecurity program they had envisioned, they needed to find a new MSP.

Switching an IT provider leaves a firm’s cyber environment more vulnerable to a cyber attack as the transition takes place. Knowing that, the firm asked Drawbridge to help identify a reliable, new MSP and smoothly transition IT providers. Over a nine-month period spanning planning, MSP selection, transition and project completion, the Manager realized the goal of avoiding any increased cyber risks while in the end raising the bar on their overall program. With the help of Drawbridge, the firm was able to find a top-tier MSP, swiftly execute a carefully orchestrated migration, and get back to normal operations.

Key program components

The Fund implemented the Drawbridge solutions listed below to help protect the firm as they switched MSPs.

  1. Cyber Risk Assessment
    Before and after the MSP switch, Drawbridge asked the client to complete a Cyber Risk Assessment (CRA). The CRA is a comprehensive questionnaire-based assessment that evaluates all aspects of the client’s security program including data security, security policies, account security and access control, training and awareness, and employee onboarding and offboarding procedures. Completion of the CRA provided a detailed ‘before and after’ view of the firm’s cyber program and an actionable framework of controls to implement when onboarding their new MSP.
  2. Vulnerability Scanning
    Drawbridge implemented Vulnerability Scanning, which continuously scans the firm’s systems to deliver up-to-date information on their vulnerabilities and give an accurate, unbiased, and near real-time window into the risks and the severity of those vulnerabilities.
  3. Internal and External Penetration Tests
    The client completed both Internal and External Penetration Tests. Often called Pen Tests, they are cyber attack simulations that mimic an attacker’s behavior in order to evaluate the strength of the firm’s IT environment. The External Penetration Test focuses on publicly facing systems (e.g. applications, servers, gateways), which can be reached from the public Internet, while the Internal Penetration Test focuses on the client’s internal security posture. Like the CRA, Internal and External Penetration Tests were completed before and after the switch. Doing so provided a detailed roadmap to the new MSP and a complete scope of the firm’s cyber posture before and after the transition.
  4. Incident Response Tabletop Exercise
    Drawbridge conducted an Incident Response Tabletop Exercise with key Manager stakeholders and cyber program owners. In a Tabletop Exercise, Drawbridge leads key persons at the firm in a roundtable discussion and presents cybersecurity scenarios to prompt responses. This practice identifies and addresses procedural gaps in the firm’s Incident Response Plan and evidences to investors, regulators, and other stakeholders that the firm is prepared in the event of a cyber incident.

Results

With the help of Drawbridge, this Hedge Fund found a new MSP and smoothly transitioned without delay or setbacks. Most importantly, the firm was able to establish an in-depth and all-encompassing cyber program.

To help protect your firm from cyber threats, and meet investor and regulatory requirements, contact a Drawbridge team member.