Processes and operations within many financial firms are becoming more reliant on digital solutions. As technology continues to evolve, it’s essential to realize that the potential for efficiency gains and improvements is growing. However, more powerful technology also paves the way for more sophisticated ways for attackers to gain access to sensitive company information.
One way to measure both potential opportunities and cybersecurity risks is a process called the due diligence questionnaire (DDQ). At its core, a due diligence questionnaire can be a powerful tool for diving deep into the nitty-gritty processes within a firm so that potential attack vectors, inefficiencies, or vulnerabilities can be exposed. In 2019, cybersecurity risks are growing, which makes it critical for a firm to vet its operations with a DDQ at some point.
While it is possible to construct a solid DDQ of your own, doing so can be a long and expensive process. Agio, an IT and cybersecurity firm, can provide an alternative solution. Agio offers comprehensive mock audits that simulate a governmental agency conducting the real thing. To help jump-start the creation of your own DDQ, Agio offers a few key tips:
1. Employee Cybersecurity Training
On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) raised the flag on the poor state of digital security among financial firms. OCIE issued a Risk Alert, accompanied by a report that outlined common deficiencies in financial firms, such as transferring sensitive data onto unsecured devices.
Half of the battle to secure a digital working environment is employee education. It is essential for employees to be able to identify common cybersecurity threats and to know best practices. In a DDQ, it is important to confirm there is an up-to-date curriculum that shows employees what common phishing attempts look like, how to avoid them, and where to report those attempts.
2. Keep Questions Manageable
While due diligence questionnaires are a critical tool for understanding a firm and its third-party partners, it is essential not to ask too much. The people answering DDQ questions have jobs of their own.
Some questionnaires ask questions such as “has any employee been convicted of a misdemeanor,” which is an example of gross overreach. First of all, some companies may have thousands of employees, which makes this question incredibly challenging to answer. Secondly, if an employee were convicted of shoplifting twenty years ago, would that be valuable information? Would it change your company’s relationship with that vendor? Don’t ask questions that may result in unactionable answers.
3. Consider Certifications and Vendor Reports
Remember that your due diligence questionnaire does not have to discover 100% of the information. Financial firms typically work with dozens or hundreds of vendors, and many of these vendors hold a bevy of certifications or release annual reports of their own. Consider these certifications and skim company reports. More often than not, many DDQ questions are already covered, so some parts of the DDQ can be skipped.
4. Don’t Make All Vendors Undergo the Same Level of Scrutiny
Not all vendors need to go through the same level of scrutiny. A US-based IT and cybersecurity firm, such as Agio, is far likelier to have strong security practices than a small 20-person outsourced firm based abroad. Create an internal risk-ranking methodology that categorizes your vendors, so that you don’t have to force your most trusted vendors to jump through the same hoops as a small, international company.