The Duff & Phelps’ cybersecurity services practice takes a leading role in helping financial services companies implement best practices to prepare for, respond to and, if necessary, recover from a cybersecurity attack.
The practice is growing rapidly as Investors and regulatory concerns are top of mind for alternative investment managers. Jason Elmer, Managing Director, comments: “We are helping clients to identify their risks, and put in place cybersecurity controls and practices to help them achieve compliance with regulation, and to address the heightened scrutiny they are subject to from investors. Investors are very much making cybersecurity a top priority.
“At the moment three key areas of focus for our client base, include: third party oversight; incident response planning – investors want to know that managers are prepared for such a compromise and can recover – and, more broadly, helping our clients with documentation and understanding regulatory developments; in particular GDPR.”
Although European in nature, the General Data Protection Regulation, which comes into effect on 25 May 2018, will have implications to US managers in terms of how they protect sensitive information on EU investors. To that end, Duff & Phelps has put together a product around GDPR readiness.
“It’s a self assessment tool. If a firm has nothing in place they can use our solution to build a roadmap. For those who have processes in place, they can use it as a health check,” explains Elmer. “Most clients we speak with fall into the former category and are looking for a way to get prepared. We’ll go through a series of interviews, a document review, and then provide the client with a gap analysis, highlighting what areas could be enhanced.
With managers increasingly outsourcing non-core functions to third parties, having effective oversight in place is vital. Elmer says that the team is constantly getting documentation and verification requests from investors, stating that what they are looking for “is evidence of proper controls in place. They like the fact there is an independent party looking at the manager.”
On the outsourcing point, Elmer comments: “In my opinion, effective oversight is key given how much of a manager’s data is at risk if it is sitting with a number of different external third parties. You’ve got to have some idea of what roles and responsibilities those third parties have to govern your data; as a general rule of thumb it should meet or exceed what you are doing internally as a firm.”
He confirms that the cybersecurity practice is starting to look at different verticals, such as how to service LPs in the PE space. Supporting LPs is definitely a big growth area for us,” asserts Elmer. “On winning this year’s award, Elmer concludes: “It is an honour to be recognised by our clients as a leading provider of cybersecurity services.”
