Cyber Security: Conducting Vendor Due Diligence
Cyber security has been a growing concern for institutional investors. The World Economic Forum recently identified cyber attacks as the number one threat to doing business in North America, East Asia and the Pacific. Late last year, the Financial Conduct Authority in the U.K. found that asset management firms lack sufficient expertise and preparation to combat cyber threats, with too many relying on third-party experts for knowledge.
Much of that vulnerability stems from the growing number of interconnected devices and systems: 20 billion by 2020, the WEF estimates. The theory goes that more connections mean more opportunities for data to be exploited by cyber criminals.
Institutional investors see this theory play out in the growing number of vendor relationships their investment managers use to run their business. As a result, many are starting to put a bigger emphasis on investment managers’ vendor relationships, and how well they are managed. It is not unusual to see multiple questions on a due diligence questionnaire that ask about vendors’ cyber security policies.
While there is increasing evidence that asset management firms are spending more on cyber security in response to increased scrutiny, there is still a shortage of qualified talent to oversee it, Aite Group notes. At the same time, many of our clients have noted a need to devote even more resources to monitoring cyber security policies and compliance at their vendors.
We’ve put together a few key questions to ask your vendors about their cyber security policies:
- Is cyber security part of your compliance manual? How often is training in these policies conducted?
- Who is responsible in case of a breach, and what are the procedures for informing clients?
- How often is the cyber security policy updated?
For a more detailed review of how to select vendors with solid cyber security policies, download our Cyber Security Guide.