No matter what your industry, business practices have been through a period of significant change over recent months. For the alternative investment industry this has been twofold. While we have adopted new working practices, which look likely to settle as a hybrid of both remote and office based working, we have also seen significant developments around the specific working practices for managers focussing on data, ESG and cyber policies.
The advent of the hybrid working model is in some way the catalyst for this; the old model for cybersecurity has become redundant and the move to cloud based business IT solutions has opened up many more possibilities for digitisation, data and our approach to cybersecurity. Alongside the ever stronger ESG narrative, we are seeing an acceleration in business transformation which can be difficult to navigate.
Cyber risk has traditionally been viewed as a technology issue, but we have seen increased attention from investors and regulators around the part it plays as a matter for governance too. If a cyber breach occurs client data and capital could be at risk, but beyond that managers are also aware of the reputational risk a cyber attack would incur. Once data has been breached the impact is difficult to measure, both financially and in terms of reputation.
Defining what ESG actually means for a firm and what metrics and elements to measure can start to shape the narrative. Operationally, ESG can develop from core policies and procedures that are already in place. This isn’t necessarily a project that will need to start from scratch. Assessing current operational scope to review how data is being used to drive investment analysis, data modelling and portfolio construction can help define next steps. How that data is stored, accessed, delivered and reviewed can help shape compliance and cyber policies. Market vendors are also key to the ESG conversation for any firm, as customised applications or platforms can support a well developed ESG initiative.
In a non contact working environment, a strong ESG policy will also help define how firms manage and support their teams day to day. Behavioural analysis, as part of an overall cybersecurity policy, is really about protecting a firm and its data, but it is also about data behaviour. Data can provide KPI’s on the individual, and being able to monitor user performance and use of data can help a firm look for anomalies in individuals behaviour, driving recognition for success stories and protection against internal bad actors, again strengthening cyber policies.
The best defence against threat is prevention but getting the balance right between protecting data and staff and still allowing for unhindered deal flow can be difficult. Threats are always assumed to be most likely from an external actor, but insider threat is also heightened in the current environment where teams are scattered. Behavioural analysis is really about protecting the company and its data, but it is also about data behaviour. This starts with looking at how staff are ingesting the data, and then monitoring whether the data is being used for better decision making. But data can also be used to carry out KPI’s on the user; if performance levels or behaviours change, then it could be that the firm is at risk of a cyber breach.
Investor due diligence now has a strong focus around how data is secured so that a firm can assure a single source of truth. Firms can put polices and procedures in place to restrict printing, stop attachments being forwarded by email and provide read only dashboards and reports where necessary. There are no fixed parameters in place to measure cybersecurity as an ESG metric, but how a firm manages its data and the security of that data is paramount. Due diligence will also evaluate competence and training, risk, change management, 3rd party vendor management and breach communication polices. Data can also be evaluated to measure staff work life balance thorough monitoring working hours for example, and this is becoming a more common point of interest for investors too.
If a firm does suffer a breach, successful or not, working with an outsourced technology partner can help. The platforms available can provide monitoring and reporting on the usage of data, the access to the data, the source of manipulation and the transfer of data. All of this information is vital if there is an information request from the regulator. If the source of the breach can’t be found, it is impossible to shut down the breach. Training can be of paramount importance too. One of the best ways to protect against cyber risk is to make risk management part of day to day of business activity.
When looking for a technology partner to work with, assess options through an ESG lens. Look for partners who have developed their own ESG policies, who are already working with firms with similar strategies and start to build out your goals. Work with your chosen partner to create a proof of concept for your digitisation journey and set up training along the way so once the platform is in place you are able to understand your data journey and respond in an assured way when talking to investors about your cyber governance.