Asset managers are increasingly focused on cybersecurity best practices not only to stay in line with regulatory expectations but also to be viewed in a positive light by investors.
According to Jason Elmer (pictured), who heads up Duff & Phelps' Cybersecurity practice with fellow Managing Director, Brian Lozada, "When I attend industry conferences, even those not specifically focused on cybersecurity, and the audience votes on what their biggest concern is for 2016, cybersecurity comes out on top; just about even with the challenge of asset raising."
To meet that challenge, Duff & Phelps launched a dedicated cybersecurity services solution to help organisations identify network vulnerabilities and implement best practices to limit the chances of a breach.
The mantra that Elmer and Lozada like to use to summarise the Duff & Phelps offering is "Prepare for, respond to, and recover from".
"From a preparation perspective," says Lozada, "we align ourselves to our clients' business workflow. We want to understand what their business is, what their sensitive assets are, and we then put a lifecycle around those sensitive assets.
"Once we have a good understanding of that we help align our clients' security efforts to that lifecycle so that if and when a breach takes place, they are able to respond properly with regards to protecting that sensitive data."
In addition to providing clients with the Written Information Security Policy (WISP) and Incident Response Plan (IRP), guiding them on how to respond to regulators, and performing due diligence on their third party providers, Duff & Phelps will also go in and train clients on best practices.
"That comes in the form of introducing the policies and procedures to the organisation, as well as talking through the various ways that employees can avoid being compromised both in the office and out of the office," says Elmer.
He continues: "When we track the lifecycle of data, we even track internal users with access to that data, as well as third parties. When we develop the IRP, we take all of those parties into consideration.
"Indeed, we like to include external legal counsel as part of the incident response, the investor relations team – basically anyone that is involved with the data that has been breached we involve in the incident response plan. This is not only about protecting clients' data; it's also about protecting their brand."
The IRP is vital in any recovery effort and surprising as it may sound, there are still plenty of fund managers who don't have one in place.
In the event that a serious breach occurs, Duff & Phelps has its own cybersecurity forensics response team. The team will make a forensic copy of the client's hard drive that was compromised, conduct an investigation on it and then turn it over to relevant bodies such as law enforcement agencies, and the client's litigation team.
"When clients use us to write their WISP and IRP we include Duff & Phelps as the body that will go in there and do a forensic investigation," says Lozada. "And even for those clients that don't subscribe to that service, we are very happy to help them source a forensic partner, vet them, and include them in the client's IRP and tabletop exercises. Our clients increasingly understand that they need to take a proactive stance to dealing with cybersecurity across their firm."
