Case Study - Independent advisory for a Fund General Partner

Background

When the Guernsey Financial Services Commission (“GFSC”) introduced the Cybersecurity Rules (“Rules”) in 2021 the Rules also applied to the many Funds’ General Partners that are mainly reliant on material outsourced services. Many of the General Partners (“GP”) are governed by boards consisting of executive directors and non-executive directors.

We were recently approached by a Fund General Partner that had two specific requests:

1. to develop a Vendor Management Framework and independent assessment that they could use with their critical vendors; and

2. to be able to know if the non-executive directors (“NED”) presented a cyber risk to the Fund General Partner through their personal working practices.

CentricalCyber was engaged because we are an independent company who are cyber risk specialists and could approach their requests from a highly objective, non-technical perspective.

The vendor framework & independent assessment

It was encouraging from the outset that the directors of the GP wanted to be able to exercise appropriate oversight, in relation to cyber risk governance, over their two critical vendors who deliver fund administration services and investment advisory services.

We developed an over-arching Vendor Management Framework. The framework informs the directors of the GP on the methodology to follow to perform initial and ongoing vendor assessments, and to evidence their oversight.

To enable the oversight, the directors of the GP wanted to receive a completed vendor assessment on at least an annual basis from their critical vendors. This was achieved through the formulation of a cyber questionnaire which was sent to the critical vendors. The completed questionnaires were returned to us and, using our specialist toolset, we assessed the responses and supporting information to undertake a vendor assessment.

The vendor questionnaire and assessment will now provide the directors of the GP with an ongoing basis to assess the cyber risk maturity of the critical vendors. The assessment was formulated based on the GFSC Cybersecurity Rules, 2021 and the NIST Cybersecurity Framework.

We delivered a detailed report to the directors of the GP which highlighted the key risk exposures, categorised by severity, including recommendations on remediations.

The GP directors now have a clear Vendor Management Framework and working assessment documents to utilise, along with a foundation assessment with recommendations for them to work through with their vendors.

The NED assessment

We developed a NED cyber risk assessment which is straightforward, risk-based, and includes technical and non-technical questions. The assessment was designed with reference to the Rules and for NEDs to complete individually.

Upon completion of the assessment by each NED we assessed the responses and followed up as necessary on points requiring clarification.

All the individual responses were summarised into a consolidated report for the GP directors. The findings identified areas where the NEDs are operating in a manner that could result in a compromise of the GP, as well as of the Fund Administrator and Investment Advisor, putting their data and reputation at risk and exposing them to potential financial loss.

We provided practical recommendations for the NEDs to adopt to mitigate the risk exposures.

Next Steps

The Fund industry continues to grow strongly in Guernsey, but from what we have seen, there is the potential for considerable cyber risk exposure.

The boards of General Partners would benefit from assurance services, particularly where they are reliant on outsourced services, and such services would also support those regulated businesses in complying with the Rules.

If you’re reading this case study and are interested in our specialist services for your fund or business, please contact us, as we would be delighted to work with you.
