Cybersecurity Tips for Operational Due Diligence Practitioners
Cybersecurity considerations are a critical component of operational due diligence reviews, but few operational due diligence (ODD) professionals start out as cybersecurity experts. Performing effective cybersecurity diligence can be a challenge even for the experts, and the best practitioners continually update and improve their programs.
Here are tips that may help you improve your program.
Questionnaires Matter, But Better Questionnaires Matter More
Self-reported questionnaires often get a bad rap, but they are rightfully the cornerstone of most ODD processes. Investment managers, especially smaller ones, often leave a small footprint online and it is impractical to gain access to an ODD target’s internal systems. Questionnaires can yield valuable information, but to get the most value it is important to know not just what to ask, but how:
- Get specific with answer choices. Yes/No/Partial is not enough, even though many cybersecurity frameworks are written this way. The risks associated with allowing employees to use personally owned computers are vastly different for a firm that allows employees to access company data directly vs. a firm that limits connections to tightly restricted virtual desktop connections.
- Get specific with questions. It is not enough to ask if a company uses multifactor authentication, it is important to know what forms of multifactor authentication are used for which systems. It is not enough to know that a firm backs up data, it is important to know which types of data are backed up, using what methods and with what retention policies.
- Probe with questions. Many ODD questions ask if a control is in place, but few get at the quality of those controls. When responding to poorly worded questionnaires my colleagues often used to quip, “they asked us if we had a policy or a procedure for X, but they never asked us if we had a good one.”
Virtue and Vice Signaling
Ask any experienced IT administrator and they will tell you that an IT room with a messy bundle of network cables almost always means that the account and permissions settings on the network are going to be a mess. There can be valuable correlation even in the absence of causation.
- Pay attention to items that may not be important on their face but have a high correlation with broader issues.
- Look for best practices that distinguish best of breed managers from the pack, such as:
- Independent backups of Microsoft 365 to a third-party system.
- Not just enabling multifactor authentication but enforcing it and checking it.
- Single Sign On federation of SaaS applications.
- Look for security controls that indicate continued and thoughtful improvements that reflect recent changes in technology and workforce trends, such as:
- For firms with a hybrid workforce, do security controls such as web content filtering and threat and vulnerability detection function for remote users?
- For firms reliant on public cloud solutions such as Microsoft 365, how are they managing configuration controls and monitoring Microsoft 365 security alerts?
Evaluate not just the elements of a cybersecurity governance program, but who is providing it:
- Does the firm have checks and balances on their IT provider?
- Immature funds have no cybersecurity governance program, moderate funds may contract cybersecurity risk services through their IT service provider, while mature funds engage an independent third party.
- Only a tiny fraction of the most advanced firms has the capacity to manage cybersecurity risk in-house, and nearly all of those firms supplement their internal teams with external consultants.
Trust, But Verify
It is difficult to get independent verification during an ODD process, but that does not mean it is entirely impractical. A “spot check” of even a handful of factors can provide a lot of information about a fund manager’s commitment to cybersecurity or how well their IT systems are being maintained. Some examples of no or low impact verifications include:
- Ask to see policies, or at least the table of contents (with page numbers).
- Check publicly available settings such as SPF, DKIM and DMARC records for email configuration, a dark web scan, or a website vulnerability check. These items may be of relatively low importance in and of themselves but can also be indicators of how seriously a firm approaches IT governance overall.
- Verifying select technical configurations self-reported on questionnaires provides insight into the quality of questionnaire responses and is another virtue or vice signal.
Look for the major red flags:
- No IT service provider, unless there is a large internal team. Look out for:
- Any firm who is managing their IT with internal resources who have other job functions (DIY IT).
- Any firm with an internal IT staff of three dedicated full-time people or fewer (5 or more is ideal) who are not supplemented by an IT service provider.
- Any firm whose outsourced IT provider is a solo practitioner, part time consultant or a very small team.
- Using personal computers for work.
- This is almost always an indicator of extremely high risk unless the firm in question has extremely mature compensating controls (all connections are restricted to tightly controlled virtual desktops, conditional access controls, professional management of the environment by a mature IT team, etc.). Even when firms say they have effective compensating controls, 90+% of the time they are overconfident in these controls.
- If a firm is not willing to invest the money in providing computers and to bear the inconvenience of separating their work and personal activities, there can be no expectation of a responsible approach to cybersecurity.
- Atypical technologies in use.
- Is it theoretically possible to effectively secure an open-source email server? Sure. Have I seen a fund do it in any time in the 21st century? No.
- Even mature technologies that are not common in the investment industry are a risk. For example, Google Workspace is much more difficult to secure than Microsoft 365. Any firm that makes atypical technology choices significantly increases the degree of difficulty in securing their environment and demonstrates a willingness to deviate from industry cybersecurity best practices. Atypical technologies are not necessarily a dealbreaker but should be a prompt for more intensive scrutiny.
- Application developers managing infrastructure.
- Quant firms or others with highly technical strategies will often assert that their application focused technical staff can also safely manage their corporate infrastructure. They are wrong approximately 100% of the time, and even if they were not, the principle of separation of duties prohibits this approach.
Remember What They Really Want – Cash
With the need to evaluate so many risks today, it is easy to lose track of what is the most important crown jewel for most firms – cash. I have worked with many fund managers who are obsessed with protecting their (often underperforming) investment models, but neglect to adequately implement cash management controls. Money is what cybercriminals want most, and attacks resulting in fraudulent fund transfers have been the cause of nearly all financially significant cybersecurity incidents I have seen during my career. Most of these could have been prevented through stronger fund transfer controls. The ODD process should cover not only fund transfer procedures, but associated training and incident response.