If your head has been in the sand about the FTC Safeguards Rule that went into effect on June 9, 2023—you need to pull your head out now. Make no mistake, your alternative investment firm is required to adopt cybersecurity best practices immediately.
If you fail to comply with the new ruling and fall victim to a data breach, you’ll experience dire consequences. LPs and allocators can pull out of your funds. Your firm gains a reputation for being negligent in protecting assets. At worst, your fund collapses.
Below are the main tenets of the FTC Safeguards Rule, also known as the ‘Standards for Safeguarding Customer Information’.
1. Oversight of Program
If you have an in-house or outsourced security team, your firm’s leadership must maintain oversight of their cybersecurity program and report on its strength to your board.
2. Risk Assessment
Identify the risks in how you protect sensitive personal information, proprietary and confidential data, and digital assets such as cryptocurrency.
3. Information Security Protocols
Implement the appropriate controls including:
- Administrative controls (such as policies and training)
- Technical controls (like anti-malware and intrusion detection)
- Physical controls (like building security and multifactor access using fingerprints, tokens, or access cards)
4. Monitor and Test the Effectiveness of Your Controls
Selecting the most appropriate testing is just as important as identifying the highest risks for the business. The testing should correlate back to those risks in a cycle of identifying, mitigating, testing, and evaluating.
5. Training Staff
Implement awareness training programs that keep cyber at the forefront of every employee’s mind without compromising the efficiency and ease of their primary role in the business.
6. Assess your Vendors
The FTC requires your firm to assess and monitor your vendors to ensure they fulfill critical cyber measures. There’s no passing the buck to vendors. It’s you who must perform this assessment.
7. Incident Response Plan
The FTC expects every firm to have a documented incident response plan in place. A documented incident response plan keeps you on track during a high-pressure incident where incorrect decisions could be disastrous.
Cybersecurity is Not A Thing We Do, It’s THE Thing We Do
We understand that you have priorities outside of cybersecurity. Fortunately for you and other alternative investment professionals, Drawbridge does the heavy lifting for you when it comes to building or strengthening your security posture. Between our expertise in cybersecurity for AIMs and in-depth knowledge regarding current regulation requirements, we can help you do what you need to do—grow and protect your investors’ assets. Contact us to get started.