^{This article is an excerpt from our updated Emerging Managers Resource Guide.}

With well-publicized breaches and ransomware attacks looming large in everyone’s minds, cybersecurity is an area of heightened concern for investment firms, the SEC, the investor base, and other regulatory organizations. Investment funds have become a more common target for cyberattacks, as stolen investor data is highly valuable and can be re-monetized. As cyber threats become more sophisticated with advancements in AI and other technology, many are treating cyber incidents as a question of “when” rather than “if.”

It’s vitally important to have the proper infrastructure in place to promptly detect, address, report, and recover from a cyber incident. In addition to protecting your fund and reputation, you’ll need robust cybersecurity to attract investors, who nearly always include cybersecurity as part of their due diligence questionnaires (DDQs). Likewise, insurance providers will require adequate cybersecurity measures to be implemented as part of their due diligence before they will issue a policy to cover against cybersecurity threats and disruptions.

Remember that cybersecurity should be seen as an investment rather than an expense. The worldwide average cost of a data breach in 2024(Opens a new window) was $4.88 million, while the average cost in the U.S. was $9.36 million. While it may be a sizeable upfront cost, taking the proper measures now will reduce cost and severity in the event of an incident.

Recommended steps for fund cybersecurity

Prioritize being prepared and resilient

• Establish cybersecurity policies and protection at the fund and portfolio level from Day 1. Make sure you know what’s required by the SEC and other regulatory bodies regarding risk, oversight, and disclosure.
• Train your entire workforce on cyber safety. Cybersecurity isn’t simply an IT issue; everyone, from the C-suite to new hires to independent contractors, must understand and follow policy. Cyber attackers only need one mistake to access your systems.
• Beyond prevention measures, you must also have a response plan in place so you can quickly identify, address, and recover in the event of a cyber incident.
• Focus on building a resilient business with the right cybersecurity measures addressing the right cybersecurity risks.
• Just as in other areas, bringing in a third-party cybersecurity provider, assessor, or consultant could be an alternative to hiring an in-house CISO and cybersecurity team.

Identify and quantify your risk

• Using a top-down approach, identify your cybersecurity risks at all levels, taking your people, processes, and technology into account. This will help you decide how best to allocate your cybersecurity budget.
• Regular risk assessments are crucial to strengthening your cybersecurity. Risk management and compliance are never a one-time activity. Conducting regular reviews is imperative.

Maintain cybersecurity vigilance

• The need for strict compliance to cybersecurity policies cannot be overstated. While cybersecurity solutions are more accessible today than ever before, you cannot protect your fund without total commitment to foundational cybersecurity practices.
• Full compliance with policies is not only your first line of defense against cyber threats; it is also required by governing bodies and insurance providers.
• Beyond reviewing your own defenses, you’ll need to confirm that any service providers you’re working with also have the right cybersecurity and privacy policies.

More insights for emerging fund managers

CohnReznick’s Emerging Managers Resource Guide was developed as a jumping-off point for new managers, exploring a wide range of responsibilities in developing infrastructure, negotiating fees, mitigating risk, and more. Access your copy – or contact our team to start building your fund launch roadmap.