What’s worse than having to address cybersecurity in your ODD review? Getting caught with a dismal cyber program riddled with unaddressed vulnerabilities.
Consider this unassailable fact: your investors care about strong cybersecurity.
During initial ODD, your investors want to identify risks. During periodic, likely annual, reviews, investors want to see whether you remediated previous risks. Stagnation or lack of improvement is in itself viewed as a material risk. They want to see receipts in the form of reporting. And not only do they want you to evidence reporting, they want to gauge your familiarity with the findings and data. Not just your IT provider’s familiarity, but yours.
In my time here as Head of Client Success at Drawbridge, as well as my history as an ODD professional, we’ve contributed to hundreds of ODD reviews. Here are our preparation tips for a successful ODD meeting.
Demonstrate a high-level understanding of your cybersecurity environment
This is easier than it seems. You can show this knowledge by:
- Filling out due diligence questionnaires with high-level information about your cybersecurity program.
- Compiling a list of internal functions or third-party services related to cybersecurity (e.g., Vulnerability Scanning, Training and Awareness).
- Getting more granular detail on certain system configurations, like password controls, mobile device management, incident response, and vendor management.
Prepare documents ahead of time
ODD teams typically run reviews on an annual or rolling 18-month basis. Prepare these documents for the period of review:
- A historical roadmap of what has been done during the period of review.
- A due diligence packet of relevant information.
This is a big one. Evidence progress of remediation. In other words, spell out to your investors what you have done to address cybersecurity risk, which would include:
- A completed Cyber Risk Assessment.
- Highlighted individual risks and the steps you’ve taken to remediate them.
Building and maintaining a cybersecurity program is a pain for most alternative investment managers. Believe us, we know you have other things to do. Drawbridge works with 1,000+ AIMs to make cybersecurity as painless as possible. We have the expertise and connections to help you build a cybersecurity program that stands up to any ODD and help make you look good in front of your investors and allocators.