Sponsors of alternative investments are increasingly turning to technology to assist with investor data collection, processing, and more. However, these process improvements come with an increased need for cybersecurity protocols to ensure the privacy and protection of investor data. While there are innumerable ways to structure a cybersecurity program, one well-recognized framework can help set the foundations for impactful improvements in your security system.
The “CIA triad” is a model that stresses the Confidentiality, Integrity, and Availability of data. We've taken one example from each of these categories and explored at a high level how a sponsor might address them.
As it relates to investor data in particular, confidentiality means not allowing data access to those without an immediate need for it. This involves sponsors protecting their data against inadvertent disclosures and outsider threats. An encrypted portal or email encryption product is a more secure way to collect information than unencrypted methods, such as standard email or instant message. Remember, emails are generally stored for a period of time (or sometimes indefinitely if settings are not changed), so the security within the email system at rest matters as well as in transit. Investor information is generally transferred from email into a separate system—a CRM system, for example—or stored physically as paper files. A review of the security of those storage locations may be in order, including an assessment of the accessibility and security of office space.
Employee training can address many risks. A properly documented and communicated process for employee data entry and storage can help remedy issues with your information’s integrity. Integrity is ensuring the information is accurate and stays that way. If employees are entering information, sponsors need to have systems in place to guarantee that process is being done correctly. Administrators should have the ability to audit changes within a system to ensure there is no accidental or purposeful harm caused. If a sponsor is processing hundreds or thousands of investors, a single omission on a required communication, for example, may prove costly.
Availability is the ability to access information when it is needed. Third-party service providers, and an organization’s diligence on those providers, are important in a comprehensive security program.
A sponsor should understand what steps a service provider takes to protect the information it gives the provider. Remember, sponsors are literally outsourcing the storage and accessibility of their investors’ information. If the provider goes down and a sponsor is not able to access information, how does it affect their business? What if the provider goes out of business? Sponsors should consider not only how available their information will be while engaged with a third-party provider, but also how available (and how expensive it may be to retrieve) their information will be after that engagement ends.
Additionally, data not only needs to be accessible to the sponsor themselves, but also to any other applicable service providers and applications used by the organization. Thinking about how data moves through these systems and what integrations need to be in place (API or otherwise) is essential to ensuring that data flows smoothly. Sometimes data may need to be located in multiple places via backups, cloud-based or physical, that can be restored with minimal interruptions.
A third party can add efficiency to your process, reduce costs and risks, and may ultimately be better for a sponsor than creating a bespoke solution. However, thinking through the ramifications of outsourcing is key from a data security and availability standpoint.
These are just three of many examples that fit within the CIA triad. A comprehensive cybersecurity plan will address many facets of each tenet. As the alternative investment industry becomes more automated and technology-enabled, sponsors who keep this framework in mind can prepare themselves, mitigate risk, and drive investor trust.
Altigo is a subscription automation platform that helps reduce errors, resulting in time and cost savings for both sponsors and advisors.