Alternative Investment Fund Summit: Prioritizing cybersecurity
As cyber threats grow more complex, investment firms must strengthen their cybersecurity measures. Read insights from a recent panel discussion.
As cyber threats continue to target the investment fund industry and AI lends greater complexity to those threats, vigilant preparation and meticulous compliance remain top priorities in cybersecurity.
CohnReznick recently gathered industry leaders and advisors for our annual Alternative Investment Fund Summit to discuss current trends, key questions, and recommendations for moving forward in private equity, private credit, hedge funds, and more.
Our “Hot Topics Impacting Private Funds” panel brought together Align’s Vinod Paul and CohnReznick’s Bhavesh Vadhani and Stacey Schell to discuss cyber threats, compliance, and cybersecurity practices for alternative investment funds.
Our top takeaways here offer crucial insights into the growing complexity of cybersecurity threats, the importance of compliance, and tips for strengthening cybersecurity practices.
The need for cybersecurity
The discussion highlighted the increasing sophistication of cybersecurity threats and the urgent need for firms to take cybersecurity preparation and compliance seriously.
• Cyber threats to funds: Cybercriminals, including those acting for adversarial states, are increasingly targeting investment funds and firms to access valuable data on wealthy individuals. This data is now more valuable than cash, as it can be monetized repeatedly. Cybercriminals are leveraging AI to enhance their attacks, making phishing emails and other malicious activities more convincing and harder to detect.
Panelists noted that investment funds must enhance their cybersecurity measures, including monitoring the dark web for leaked data and securing sensitive information. The complexity and frequency of cyber breaches are rising, necessitating robust defenses to protect investor data and organizational integrity.
• Cybersecurity compliance: Firms must prioritize cybersecurity from the outset, avoiding shortcuts. Emerging managers and established firms alike should implement basic security measures, such as multi-factor authentication, avoiding the use of home computers for corporate work, and not sharing passwords. Successful firms have adopted comprehensive strategies to minimize the impact of inevitable cyber events. As the discussion highlighted, firms should assume a breach has already occurred and focus on resilience and recovery.
Panelists likened cybersecurity to managing the health of a business, requiring proactive measures and investments in appropriate technologies and processes.
• Quantifying risk and managing compliance: The cost of cybersecurity measures has decreased, making it more accessible for emerging managers to implement necessary protections. However, firms must actively manage and monitor their cybersecurity posture, ensuring employees are trained and accountable.
o Cyber insurance: The landscape has evolved, as insurers are now able to quantify risks more accurately. Firms seeking cyber insurance must carefully comply with the controls they claim to have in place. Insurers are holding firms to higher standards, requiring firms to demonstrate robust cybersecurity practices, and failure to meet these standards can result in higher premiums and reduced coverage.
o Quantifying risk: Cyber risk quantification helps firms understand their vulnerabilities and the financial impact of those vulnerabilities and associated risks, enabling informed decisions on risk mitigation. By leveraging loss data from actuarial models and cybersecurity insurance markets, they can now correlate events with their financial impacts. This allows firms to understand their financial exposure if cybersecurity gaps are not addressed.
o Risk assessment and management: Panelists stressed that regular risk assessments are crucial. In addition to reviewing risk reports and confirming compliance with cybersecurity policies, firms must hold managed service providers (MSPs) and managed security service providers (MSSPs) accountable for their services.
Basic cybersecurity controls, such as using corporate-provided devices, multi-factor authentication, and complex passwords, are essential. Firms should also invest in extended detection and response (XDR) and managed detection and response (MDR) services to monitor their networks and IT assets.
• The human factor and process improvements: While sophisticated cyberattacks and the use of AI have changed the cyber landscape, humans remain the weakest link in cybersecurity. Training employees to recognize and respond to threats is vital, especially with the rise of AI and deepfake technologies. Firms should prioritize process improvements and policy enforcement over convenience. Limiting access to sensitive data and facilitating proper data management are critical steps.
• Incident response plans: Having a robust incident response plan in place is non-negotiable for investment firms. These plans should be tested and trained regularly to confirm employees know their roles during an incident. In the current cyber insurance landscape, having a tested and trained incident response plan is essential for maintaining coverage. Firms should adopt a "trust but verify" approach, regularly testing their procedures for effectiveness.
Looking to the future
The discussion of current trends and issues facing alternative investment funds highlighted again and again the need for strict compliance and future preparation. Rapid advancements in the cyber field bring significant risks alongside new possibilities, and while cybersecurity measures are more accessible today than ever before, a strict commitment to foundational cybersecurity practices is still the most important.