What investors are concerned about in an operational due diligence review

What’s worse than having to address cybersecurity in your Operational Due Diligence (ODD) review? Getting caught with a dismal cyber program riddled with unaddressed vulnerabilities.

Consider this unassailable fact: your investors care about strong cybersecurity.

During initial ODD, your investors want to identify risks.  During periodic, likely annual, reviews, investors want to see whether or not you remediated previous risks.   Stagnation or lack of improvement in itself is viewed as a material risk. They want to see receipts in the form of reporting. And not only do they want you to evidence reporting, they want to gauge your familiarity within findings and data.  Not just your IT provider’s familiarity, but yours.

With insight gathered from 1,000+ clients, here are our preparation tips for a successful ODD meeting.

Demonstrate a high-level understanding of your cybersecurity environment
This is easier than it seems. You can show this knowledge by:

  • Filling out due diligence questionnaires with high level information about your cybersecurity program.
  • Compiling a list of internal functions or third-party services related to cybersecurity (e.g., Vulnerability Scanning, Training and Awareness).
  • Getting more granular detail on certain systems configuration, like password controls, mobile device management, incident response, and vendor management.

Prepare documents ahead of time
ODD teams typically run reviews on an annual or rolling 18-month basis. Prepare these documents for the period of review:

  • A historical roadmap as to what has been done during the period of review.
  • A due diligence packet of relevant information.

Evidence accordingly
This is a big one. Evidence progress of remediation. In other words, spell out to your investors what you have done to address cybersecurity risk, which would include:

  • A completed Cyber Risk Assessment.
  • Highlighted individual risks and the steps you’ve taken to remediate them.

Building and maintaining a cybersecurity program is a pain for most alternative investment managers. Believe us, we know you have other things to do. Drawbridge works with 1,000+ AIMs to make cybersecurity as painless as possible. We have the expertise and connections to help you build a cybersecurity program that stands up to any ODD and help make you look good in front of your investors and allocators.



Note: This blog post was originally published on August 22, 2023 and updated January 24, 2024.
Contact us today