Operational due diligence (ODD) has traditionally focused on evaluating a fund's operational infrastructure, governance, and controls. However, a significant shift is underway as cyber threats increasingly dominate the risk landscape, forcing institutional investors to respond and to adapt their ODD approach accordingly.
The Cyber Risk Surge and Its Impact on ODD
The financial sector has witnessed an unprecedented rise in cyber attacks, with global cyber crime set to cost companies a staggering $27 trillion by 2027, according to insurance company Embroker. This surge has profound implications for operational due diligence professionals, who must now evaluate not just traditional operational risks but also sophisticated cyber threats that can compromise investor assets, expose sensitive data, and disrupt critical services.
Today's ODD frameworks are expanding to incorporate comprehensive cyber security assessments that evaluate a fund manager's security posture, incident response capabilities, and resilience against evolving threats. What was once a peripheral concern has moved to center stage, with cyber security now representing a primary risk factor in manager selection and ongoing monitoring.
The Evolving Landscape: Cyber Threats as a Critical Operational Risk
The nature of cyber threats facing investment managers has fundamentally changed. According to the Alternative Investment Management Association (AIMA), sophisticated threat actors are increasingly targeting alternative investment firms; companies with fewer than 1,000 employees account for 75% of all attacks. Unlike some of the large banks, many asset management firms operate with lean teams and smaller IT infrastructures, which can make them attractive targets for cybercriminals. When they do happen, these attacks are no longer merely technical disruptions but can represent existential threats to business continuity and investor confidence.
Regulatory bodies worldwide have recognised this shift, with the SEC emphasising cyber security as a key examination priority. The agency's 2023 guidance specifically highlights the need for robust cyber security measures in investment management firms, signaling that cyber risk is now considered as fundamental as market or credit risk.
Cyber Security as a Core Component of ODD: Why It Matters Now More Than Ever
- Reputation and Compliance: A single successful cyber attack can devastate a fund's reputation. Investment managers who fall victim to breaches face not only immediate financial losses but long-term reputational damage and potential regulatory penalties. The SEC's enforcement actions against firms with inadequate cyber security measures underscore the serious compliance implications of cyber vulnerabilities. This trend is global and in March of this year, ASIC in Australia sued FIIG for alleged inadequate cyber security systems after FIIG was the victim of an attack which culminated in the theft of data and confidential client information.
- Investor Protection: Institutional investors are increasingly demanding robust cyber security measures as a prerequisite for capital allocation. A 2023 survey by EY found that 82% of institutional investors consider cyber security protocols a critical factor in their due diligence process. This reflects the growing understanding that cyber incidents directly threaten investor assets and returns.
- Third-Party Risk Management: Modern investment operations rely heavily on an ecosystem of third-party service providers, each representing a potential vector for attack. The 2020 SolarWinds breach demonstrated how attackers can compromise organisations through their supply chain. ODD professionals must now map and evaluate their entire network of service providers, whether that be fund administrators or cloud services, and identify potential vulnerabilities - something that is becoming increasingly supported by regulatory bodies like those in Canada and Australia who are enacting mandatory frameworks to help enhance third-party risk management and cyber security oversight within the financial services space.
- Continuous Monitoring: Unlike traditional operational risks that can be assessed periodically, cyber threats evolve daily. This dynamic nature requires continuous monitoring rather than point-in-time assessments. Forward-thinking institutional investors are implementing ongoing surveillance of their managers' cyber security posture, moving away from the annual review model toward real-time risk evaluation. Good cyber security is constantly evolving, as the techniques used by cyber criminals become ever more sophisticated. In addition to continuous monitoring, it is therefore important for investors to maintain a contemporary view of their expectations of their fund managers and direct investments.
Concentration Risk Within Portfolio
The investment community's increasing reliance on a limited number of technology providers creates significant concentration risk. The February 2024 CrowdStrike incident, which caused widespread system outages affecting millions of Windows devices globally, offers a stark illustration of this vulnerability.
In the investment space, similar concentration risks exist. The widespread adoption of Microsoft Azure and AWS among fund managers creates potential systemic vulnerabilities. If a significant proportion of a portfolio's managers rely on the same cloud provider, a single outage could disrupt operations across multiple investments simultaneously.
Consider a scenario where 70% of a pension fund's external managers utilise the same order management system or market data provider. An outage or security breach at that provider could simultaneously impact a majority of the portfolio, magnifying what would otherwise be an isolated incident into a systemic crisis.
Thomas Murray’s Solution: Risk Identification
Addressing these evolving challenges requires specialised tools and approaches. Thomas Murray's ODD and Cyber Risk Co-Sourcing solutions offer institutional investors a systematic method to identify and mitigate cyber risks across their investment portfolios. Our team of cyber experts can complement in-house information security teams in monitoring and managing third parties.
A key component of this solution involves mapping critical service providers used by external fund managers to uncover potential indirect concentration risks. By identifying commonalities in technology infrastructure across managers, institutional investors can better understand their exposure to systemic cyber events.
This approach enables investors to:
- Identify previously hidden dependencies across their portfolio
- Evaluate the cyber security practices of critical service providers
- Assess the resilience of fund managers to third-party outages
- Develop contingency plans for potential concentration-related disruptions
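The provider-mapping exercise described above can be expressed as a small dependency-graph calculation. The following is an added illustration written for this page, not Thomas Murray's tooling: it takes a constructed inventory of five hypothetical managers (names such as "AdminCo", "OMS-X" and the "GCP" entry are placeholders; only Azure and AWS appear in the text above), adds a constructed second tier recording what each provider itself runs on, and reports every provider on which at least half the managers depend. The point it demonstrates is the "hidden dependency" problem: a cloud provider that only 40% of managers name directly can turn out to sit beneath 100% of the portfolio once administrators and order management systems hosted on it are counted.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not real firms): each external
# manager's critical providers by role, as an ODD questionnaire might capture them.
MANAGERS = {
    "Manager A": {"administrator": "AdminCo", "cloud": "Azure", "oms": "OMS-X"},
    "Manager B": {"administrator": "AdminCo", "cloud": "AWS", "oms": "OMS-X"},
    "Manager C": {"administrator": "FundServ", "cloud": "Azure", "oms": "OMS-Y"},
    "Manager D": {"administrator": "FundServ", "cloud": "AWS", "oms": "OMS-X"},
    "Manager E": {"administrator": "AdminCo", "cloud": "GCP", "oms": "OMS-Y"},
}

# Constructed second-tier dependencies: what the providers themselves run on.
# A manager-level questionnaire does not reveal this layer on its own.
PROVIDER_DEPENDENCIES = {
    "AdminCo": {"Azure"},
    "FundServ": {"AWS"},
    "OMS-X": {"Azure"},
    "OMS-Y": {"AWS"},
}


def transitive_providers(provider, provider_deps):
    """Every provider reachable from `provider` through the dependency graph,
    excluding `provider` itself. Cycle-safe (a provider may appear in its own chain)."""
    seen = set()
    stack = list(provider_deps.get(provider, ()))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(provider_deps.get(current, ()))
    seen.discard(provider)
    return seen


def manager_footprint(providers_by_role, provider_deps):
    """All providers one manager depends on, directly or via its own providers."""
    footprint = set(providers_by_role.values())
    for provider in providers_by_role.values():
        footprint |= transitive_providers(provider, provider_deps)
    return footprint


def exposure(managers, provider_deps, include_indirect=True):
    """Map each provider to the set of managers exposed to it."""
    exposed = defaultdict(set)
    for name, roles in managers.items():
        if include_indirect:
            providers = manager_footprint(roles, provider_deps)
        else:
            providers = set(roles.values())
        for provider in providers:
            exposed[provider].add(name)
    return dict(exposed)


def concentration_report(managers, provider_deps, threshold=0.5):
    """Providers on which at least `threshold` of managers depend (direct or
    indirect), with the direct share shown alongside for comparison.
    Sorted by total share descending, then by provider name."""
    direct = exposure(managers, provider_deps, include_indirect=False)
    total = exposure(managers, provider_deps, include_indirect=True)
    count = len(managers)
    rows = []
    for provider, exposed in total.items():
        share = len(exposed) / count
        if share >= threshold:
            rows.append({
                "provider": provider,
                "direct_share": len(direct.get(provider, ())) / count,
                "total_share": share,
                "managers": sorted(exposed),
            })
    rows.sort(key=lambda row: (-row["total_share"], row["provider"]))
    return rows


if __name__ == "__main__":
    for row in concentration_report(MANAGERS, PROVIDER_DEPENDENCIES):
        print(f"{row['provider']:<9} direct {row['direct_share']:.0%}  "
              f"total {row['total_share']:.0%}  {', '.join(row['managers'])}")
```

On the constructed data the report lists Azure at 40% direct but 100% total exposure, AWS at 40% direct and 80% total, and AdminCo and OMS-X at 60% each; the direct-only view would have flagged neither cloud provider at a 50% threshold. In practice the second-tier map is the hard part to populate, which is why the text above frames it as an ongoing mapping exercise rather than a one-off questionnaire.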
As cyber threats continue to evolve in sophistication and impact, operational due diligence must adapt accordingly. Tomorrow's successful institutional investors will be those who effectively integrate cyber security assessment into their core ODD processes, continuously monitor emerging threats, and proactively manage concentration risk across their portfolios.
The message is clear: in today's investment landscape, cyber risk is operational risk, and addressing it effectively has become a fundamental requirement for prudent portfolio management.