Digital Assets Report

Newsletter

Like this article?

Sign up to our free newsletter

Cybersecurity a top priority

Related Topics

By Vladimir Rabotka (pictured), Castle Hall Alternatives – Cybersecurity has rapidly become one of the most discussed issues in the alternative asset management industry. Regulators have provided multiple warnings around the need for investment managers to protect their businesses from cybersecurity risks. In response, both industry groups and tech consultants have published advice to help asset managers implement cybersecurity protections.

On the other side of the industry, asset owners are now acutely aware of their governance, risk and compliance obligations to evaluate the cybersecurity preparedness of external asset managers within their operational due diligence programmes. However, investors must bridge the gap between highly technical subject matter and more practical guidance as to how to approach cybersecurity during a real world operational diligence review. Earlier this year, Castle Hall Alternatives published Evaluating an Asset Manager's Cybersecurity Environment – A guide for the operational due diligence practitioner, a white paper discussing cybersecurity in the context of operational due diligence. 

10 key risk categories 

The alternative industry comprises many thousand asset managers, varying enormously by assets under management, headcount, and overall quality of operational infrastructure. To provide a standardised evaluation framework across such a diverse landscape, Castle Hall has identified 10 cybersecurity diligence risk categories to support investor oversight and diligence.

Cybersecurity ownership: The maturity of a manager's cybersecurity programme is directly correlated to the role and seniority of the individuals accountable for it. 

Cybersecurity framework: Effective cybersecurity policies and procedures should follow a tailored framework that articulates a clear cybersecurity vision, based on regulatory and legal requirements, industry standards, the current threat landscape and the manager's risk management strategy. 

Data classification: All data that the manager handles should be assigned a formal sensitivity level and data category. A well-structured cybersecurity framework maps the flow of data through creation, access, processing and destruction points on both internal and third party infrastructure. 

User access: Managers should limit user access to appropriate data, according to least-privilege and need-to-know principles. Access to the manager's data and IT resources should be provided through roles that map job functions to data sensitivity levels and data categories.

Data, network and hardware security: Managers need to follow a "defence in depth", layered approach, where multiple detective, preventive, corrective and recovery security controls are deployed between a potential attacker and the manager's data. Security controls always have to travel with the data.

Change management: Managers must maintain an inventory of all their IT assets, follow standardised processes and procedures, and understand the implications of changes to the IT infrastructure before they are made.

Personnel: Managers should have a dedicated Information Security resource (individual or department) with the authorisation and means to assess, monitor and defend all of the manager's data and information systems.

Vulnerability and patch management: The manager needs to proactively evaluate vulnerabilities and ensure that security patches are applied on a timely basis.

Incident response: Regardless of the nature of the incident, a timely response is essential. Having a tested plan helps ensure efficient and effective responses that limit the damage to a manager's data and reputation.

Security awareness and training: Awareness of the importance of cybersecurity, familiarity with policies and procedures, and reinforcement of proper practices are essential for understanding and avoiding cybersecurity risks.

Like this article? Sign up to our free newsletter

Most Popular

Further Reading

Featured