As technology and digital solutions become ever more sophisticated, cybersecurity requirements become more complex too. Traditional methods of securing and handling sensitive data fail to address the new vulnerabilities and attack vectors that attackers employ. In addition, an effective digital security approach needs to be both preventive and reactive: despite its best efforts, a firm may one day experience a data breach, which makes data containment procedures essential to minimize leakage.
For alternative investment firms, the threat of a data breach is more than just
lost data – it can mean legal investigations, loss of investor confidence, and
Adopting a modern cybersecurity mindset can be a daunting task for both new and established alternative investment funds. The challenge is so pervasive within financial services that the SEC Office of Compliance Inspections and Examinations (OCIE) issued a formal Risk Alert warning the industry about its overall cybersecurity deficiencies.
So how can an alternative investment firm take the first step toward digital safety? A due diligence questionnaire (DDQ) can help gauge the health of a firm’s cybersecurity controls and procedures.
However, it’s important to realize that a DDQ is not a one-size-fits-all
An effective DDQ consists of customized questions that provide a detailed way to assess and monitor potential security gaps, lax procedures, or lack of training across all parts of your organization. The DDQ should also assess the risks and vulnerabilities of your vendors, which is especially important since vendor vulnerabilities are the second most common cause of security breaches.
If creating a DDQ from scratch sounds complicated, don’t worry: modern problems have modern solutions. You can rely on a managed IT and cybersecurity provider, such as Agio, to help you create and vet your DDQ. Agio is positioned to address the specific requirements of alternative investment firms because of its expertise in the space. In fact, Agio offers a comprehensive SEC cybersecurity mock audit service that assesses the situations and processes that come under pressure during a real examination.
To help with your DDQ creation process, here are some common categories and questions that Agio assesses:
- What sensitive data does the vendor receive today?
- When did the firm last perform due diligence on its current IT vendors?
Policies and Procedures
- Are any information security functions outsourced?
- What procedures are in place to secure data in the event of a breach?
- What verification and/or identification is needed to physically access your data centers?
- How is access to the data center monitored and logged?
- Are visitors escorted through areas that handle sensitive data?
- Do you keep visitor logs for longer than 30 days?
- Do you have a business
- What is your disaster recovery plan, and when did you last test it?