We were called in because management reports of Cyber Key Risk Indicators (KRIs) were so technically dense that senior management could not understand them, yet showed "a sea of green" suggesting there were no issues. The leadership team could not tell whether there was a problem or not.
The reports had been curated by technical IT staff who were comfortable with technical language and who also stood to be negatively affected by "poor" scores. As a result, neither the reports nor the underlying metrics were understood by a non-technical audience, and there was no independent check on how they were scored.
We worked with the client to adopt a standard industry framework, the SANS Critical Security Controls, which prescribes a prioritised list of controls to deploy and specifies how to measure their effectiveness. We then helped design the reporting and governance model so that the KRIs were reported independently of the risk owners, without "interference" from the people whose performance they measured.
Given the critical nature of the project, rapid deployment was key, and the "top 5" controls were deployed within a year.
At the end of the project we developed reporting dashboards that gave senior management accurate, decision-relevant data on which to base quality decisions.
While there is a baseline of security challenges common to all types of fund management, some areas are specific to retail fund managers, private equity and venture capital. For smaller funds with extensive intermediation and an outsourced supply chain, much of the security focus will be on third-party assurance. For larger retail funds, the demands of regulatory scrutiny are becoming similar to those faced by larger retail banks.