Cyber breaches continue to be a reputational and operational risk for all businesses. Private fund managers, small and large, are equally at risk. Here are some key questions:
- Who is responsible for cyber risk management?
- Where are files backed up and where are emails backed up?
- Does the firm manage its own file server or use a cloud product for file backup?
- If the manager uses a file server, do they have sufficient resources to protect that server (staff, firewalls, threat monitoring)?
- If the manager uses a cloud service, does that cloud vendor have sufficient cyber risk management practices in place?
- Is email backed up to multiple servers? If so, are those servers adequately protected against breaches?
- Has the manager done formal cyber due diligence on its vendors (administrator, bank, consultants, software providers)?
- Has the manager had a formal cyber risk diagnostic performed on its overall network by an independent firm?
- Has the manager’s staff undergone formal cyber risk management training?
- Has the manager undergone phishing testing and penetration testing, and how often are these tests performed?
- Is the manager’s hardware encrypted?
- If the manager requires staff to use their own personal PCs for disaster recovery (DR), are those PCs vetted and protected by the firm’s IT team?
- Who manages the firm’s software and hardware accounts and software vendor approvals, and what is their account management policy?
- What is the manager’s password management policy (complexity, length, frequency, enforcement, automation)?
- How do staff obtain remote access (VPN, two-factor authentication)?
- Does the firm use anti-virus and anti-malware software, and if so, which vendor?
- Has there ever been a data breach or actual threat of a hack?
- Does the firm have a written information security policy?