Operational Due Diligence: Assessing IT Controls
In the latest in our Operational Due Diligence (“ODD”) series, Managing Director of ODD George Wood sets out some of the recent changes in IT controls that have become necessary as a result of innovation and external pressures such as the growth in hybrid working arrangements following on from the COVID-19 pandemic.
Posted on 2 Dec 2021
Twenty years ago, firms mostly built their own IT infrastructure, putting protections in place to safeguard data primarily hosted on file servers that were often kept on-premises. The emergence of cloud and software as a service (“SaaS”) solutions (and permanent remote working becoming more accepted) means that operational due diligence reviews have had to adapt and find new ways to assess data protection and data storage controls that are often distributed across multiple hosts and data processors.
By 2020 management firms’ data was already distributed and stored across multiple locations, utilizing more SaaS applications and more portable devices than perhaps ever before. This was providing incredible benefits to investment managers because they found a way to adopt solutions to their operational needs faster, at a lower cost, and without significant development timelines. COVID-19 and remote workforces provided even more momentum and accelerated an already existing trend to migrate to hosted email solutions (Office 365 and Google Mail) and document storage solutions (SharePoint, Google Drive, Box, Dropbox, etc.). Yet the migration to cloud and SaaS solutions does not absolve or change the fundamental requirement that investment managers must ensure their non-public client and firm data is secure. From a due diligence perspective, distributed data storage simply heightens several areas of focus that should be covered in every operational due diligence review.
The cataloguing and documenting of where sensitive and non-public client and firm data is stored has become more important than ever. Data classification reviews to assess permissions and access to sensitive and confidential data need to be conducted on an ongoing basis, since many data breaches are a result of the misconfiguration of permissions. Remote workforces mean that multi-factor authentication and device management solutions to wipe mobile and other devices remotely are quickly becoming requirements. Solutions that provide firms with monitoring tools to generate alerts for unusually large data transfers and unusual activity are also gaining in importance. Employee offboarding and single sign-on processes remain important to ensure that accounts across all SaaS and hosted applications are properly disabled.
The challenge from a due diligence perspective is to develop a process that allows investors to receive verifications from investment managers that provide confidence that risks associated with a changing IT infrastructure are being addressed. This is not straightforward; after all, we are talking about permissions and access to some of the most privileged and sensitive information an investment manager has on file. Simply emailing or electronically distributing this information might be a concern in itself, depending on methods and recipients.
At Laven, we always seek to be detailed but pragmatic in our reviews of management firms, but this still requires some expectations about the operating approach that a firm will take. This, as any practitioner will know, may sometimes give rise to disagreements on the approach to follow.
We believe that due diligence is just one step in investors and investment managers creating a relationship with one another, and even though we are not investors or directly involved in the decision to invest, we also believe in creating a relationship with each investment manager we review. To accomplish this, and build trust, we staff our team with IT expertise and work with each investment manager to help them understand why we are asking for certain specific pieces of technical information.
Traditionally, if we’ve had to go onsite to receive the information, we do. Conversely, as a compromise during the pandemic, we have often been on calls with managers and had to put our hands up in a Zoom call to demonstrate that we aren’t taking screenshots of their sensitive data whilst looking at their processes and controls.
When it comes to IT controls, the scope of an IT review can be limitless. Our advice is to concentrate on the area(s) most important to your organization and to determine what information and evidence you require. By doing so, you can explain your thought process and work with investment managers to gain comfort that the security controls are adequate and following today’s ever-evolving standards.