Cybersecurity risk is now considered a business and operational risk. This is especially relevant when it comes to ODD reviews. Evaluations of your cybersecurity program should be an ongoing activity to help prove to your board that you are taking incremental progress in protecting your firm and investments.
This segues perfectly to mistake #1: Treating cybersecurity assessments as an annual box checking activity.
You should formally evaluate the health of your cyber program more than you go to your doctor for your annual checkup. Why? Cyber criminals find new and ingenious ways to steal data and money all the time, which means you need to constantly keep your security as up to date as possible. Multiple cyber check-ins also evidence to investors that you are continually evolving your cyber practice.
Mistake #2: Confusing processes.
For example, vulnerability scanning and penetration testing are not the same. It sounds like they should be, but they’re not. Vulnerability scanning is a continuous, proactive process to identify of cyber risks in your tech. Penetration testing involves a human who actively exploits vulnerabilities to help inform a game plan in plugging in those security gaps. Having a basic understanding of processes can help you explain why you chose these components in your program in your next ODD review.
Mistake #3: Making assumptions about compliance.
Understanding, with assistance from your compliance resources, which regulatory bodies you are subject to/registered with is key. In some cases, it’s easy to figure out. In other cases, you might need input from organizations and peer groups, including AIMA and AITEC or your IT provider or cybersecurity consultant.
Mistake #4: Not updating your policies to match your internal controls.
Investors are scrutinizing reviews more closely. Any difference between your written policy and actual controls will likely result in a mark against you. Or worse, a regulator may view these differences as misrepresentation, further impacting reputation and bottom line in the event of deficiencies or an enforcement action.
The buck stops at the top
Your team, including your cybersecurity and ODD resources, are responsible for executing the day-to-day tasks. However, it’s the alternative investment managers left holding the bag if an ODD review goes awry. Drawbridge is here to help. We’ve seen what happens after an ODD review has gone badly. We know how alternative investment firms can avoid cybersecurity mistakes. Need a guiding light to navigate cybersecurity best practices for your next ODD review?
