For alternative investment fund managers, digital trust isn’t just a best practice, it’s a business imperative. With investors, regulators, and counterparties demanding greater transparency around data safeguards, securing sensitive information through a robust cybersecurity program is essential.
This Cybersecurity Awareness Month, the Richey May Cyber experts are sharing quick, high-impact actions you can take to strengthen your security posture and prepare for evolving risks.
Be Strategic About Access
Service accounts are a crucial part of your company’s IT ecosystem; however, when not managed properly, they pose a significant cybersecurity risk. Review who has access to what, and why. Role-based access control minimizes damage if an account is compromised. Tie every user’s privilege to their job function and remove access immediately when contracts end or roles change.
Pro tip: Audit admin and service accounts quarterly and have a defined process to remove access when someone leaves the company.
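The quarterly review above can be turned into a repeatable check. The script below is an added example written for this post, not Richey May's tooling: it runs the role-based access rules described in this section over a constructed set of accounts and reports the four conditions an auditor would flag, namely an enabled account whose contract has ended, privileges beyond what the job function entitles (or, for a service account, beyond its explicit approval), a service account with no named owner, and a privileged account not reviewed within the last 90 days. The role names, privilege names and sample accounts are assumptions made up for the example; in practice the account list would be exported from your directory or identity provider.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, List, Tuple

# Assumed role-to-entitlement mapping (constructed for this example).
# Each job function is tied to the privileges it needs and nothing more.
ROLE_ENTITLEMENTS = {
    "fund_accountant": {"portfolio_db_read", "fund_ledger_write"},
    "investor_relations": {"investor_portal_read", "crm_write"},
    "it_admin": {"domain_admin", "backup_console"},
    # Service accounts receive nothing by role; every privilege must be an explicit grant.
    "service": set(),
}

# Privileges that make an account "admin" for review purposes (assumed).
ADMIN_PRIVILEGES = {"domain_admin", "backup_console", "fund_ledger_write"}
REVIEW_INTERVAL = timedelta(days=90)  # quarterly review cadence from the pro tip


@dataclass
class Account:
    name: str
    kind: str                       # "user" or "service"
    role: str                       # job function, or "service" for service accounts
    privileges: set
    enabled: bool
    contract_end: Optional[date]    # employment or contract end date, if any
    last_reviewed: date
    owner: Optional[str] = None     # responsible person (required for service accounts)
    approved_privileges: set = field(default_factory=set)  # explicit grants beyond the role


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every rule an account violates."""
    findings = []
    for a in accounts:
        # Rule 1: access must be removed when a contract or employment ends.
        if a.enabled and a.contract_end is not None and a.contract_end < today:
            findings.append((a.name, "enabled after contract end"))

        # Rule 2: privileges must not exceed the role entitlement plus explicit approvals.
        allowed = ROLE_ENTITLEMENTS.get(a.role, set()) | a.approved_privileges
        excess = a.privileges - allowed
        if excess:
            findings.append((a.name, f"privilege beyond role: {sorted(excess)}"))

        # Rule 3: every service account needs a named owner who answers for it.
        if a.kind == "service" and not a.owner:
            findings.append((a.name, "service account has no owner"))

        # Rule 4: admin and service accounts are reviewed at least quarterly.
        privileged = a.kind == "service" or bool(a.privileges & ADMIN_PRIVILEGES)
        if privileged and today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.name, "privileged account overdue for quarterly review"))
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed sample data: one clean account and three with problems."""
    return [
        Account("jdoe", "user", "fund_accountant",
                {"portfolio_db_read", "fund_ledger_write"}, True, None,
                today - timedelta(days=30)),
        # Contractor whose engagement ended ten days ago but is still enabled.
        Account("contractor_amy", "user", "investor_relations",
                {"investor_portal_read"}, True, today - timedelta(days=10),
                today - timedelta(days=20)),
        # Service account: unapproved domain_admin, no owner, not reviewed in 120 days.
        Account("svc_backup", "service", "service",
                {"backup_console", "domain_admin"}, True, None,
                today - timedelta(days=120), owner=None,
                approved_privileges={"backup_console"}),
        # Accountant who kept a CRM privilege from a previous role.
        Account("bsmith", "user", "fund_accountant",
                {"portfolio_db_read", "crm_write"}, True, None,
                today - timedelta(days=15)),
    ]


if __name__ == "__main__":
    today = date.today()
    for name, finding in audit(sample_accounts(today), today):
        print(f"{name}: {finding}")
```

Running the script lists five findings across three accounts and none for `jdoe`, which is the shape of report a quarterly review should produce: a short, actionable list that names the account, the rule it breaks, and, for excess privileges, exactly which grant to remove.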
Secure Your Communication Channels and Train Your Front Line
Fund managers exchange vast amounts of sensitive investor and portfolio data through email and shared drives. Those are prime phishing targets.
- Enable multifactor authentication (MFA) everywhere, especially for email and VPNs.
- Train your teams to spot social engineering attempts disguised as LP requests.
- Use encrypted tools for sharing investor data, deal documents, or wire instructions.
Pro tip: Regular and frequent micro-trainings are proven to be the most successful way to train your teams to spot attacks. We recommend using a platform such as Arctic Wolf to train your teams.
Strengthen Vendor Oversight
Third parties often become the weak link in otherwise strong programs. Ensure your vendors have the appropriate controls and safeguards in place, so they don’t introduce unwanted risk into your environment.
- Request and review SOC 1 or SOC 2 reports from service providers. For more information on which type is the best fit for your needs, watch our video series here.
- Confirm they meet regulations and common frameworks such as ISO 27001 or NIST CSF.
- Include cybersecurity and incident reporting requirements in vendor contracts.
Pro tip: Assess the security posture of new vendors prior to engaging with them to ensure you set up systems and processes securely for your environment’s needs.
Test and Refine Your Defense Strategy
Regular penetration testing and tabletop exercises help ensure that your controls work effectively under pressure. Many states require annual penetration testing, and simulating attacks reveals vulnerabilities in your system so you can fix them before attackers find them. Running tabletop exercises, or practice sessions, helps train key people in your organization to more quickly detect, respond to, and recover from an incident. From legal and communications to the incident response team, your detection, response, and recovery time can make or break your ability to continue operations and withstand an attack.
Read our blogs to learn more about penetration testing and tabletop exercises.
Pro tip: Have an incident response plan in place through a qualified provider who can act quickly on your behalf.
Build a Resilient Culture
Technology alone doesn’t protect your fund—people do. Creating a security-first culture starts with a fundamental shift in perspective: everyone in your organization is on the cybersecurity team. Make cybersecurity part of your firm’s daily activities and culture:
- Leadership sets the tone: when executives model vigilant behavior (taking time to verify unexpected requests, discussing security considerations in business decisions, celebrating employees who catch potential threats), it signals that cybersecurity isn’t just IT’s responsibility.
- Make it personal and meaningful: The most powerful cybersecurity awareness initiatives don’t focus on technical threats. They focus on human impact.
- Extend the perimeter: Cybersecurity culture must extend beyond employees to contractors, vendors, partners, and anyone who touches your systems. Security awareness becomes part of employee and vendor onboarding, contractor agreements include cybersecurity expectations, and partner relationships include shared responsibility for customer protection.
- Engage and train your allies: Your most powerful advocates aren’t your security team; they’re the employees who understand that their vigilance protects your customers (and their families).
- Know the next steps: Equip team members, vendors, and partners with clear reporting paths when they suspect a threat. Never shame a victim of a cyberattack, as this creates a culture in which people fear reporting.
Cybersecurity Awareness Month is a reminder that the best strategy isn’t just to defend—it’s to implement a robust program that enables you to thrive securely.
If you’d like an assessment of your fund’s current program or guidance on where to focus next, contact Steve Vlasak today. We’ll help you prioritize actions to safeguard your business so your investors, partners, and stakeholders can trust that you’re managing cyber risk as strategically as your portfolios.