• German Pension Fund
  • Q1 2022
  • Private Equity, Global
  • EUR 100 million
  • United States
  • Focused assessment of IT/cyber risk for four managers before investment
  • Segregated managed account (SMA)
  • Operational Due Diligence

Our client says:

Technology and cyber security risks have grown exponentially in recent years, and the potential negative impact of related operational failings—whether monetary or reputational—is also greater. It is crucial to undertake a granular evaluation of a manager’s operating environment including all aspects of IT and cyber risk.


Client-Specific Concerns

The investor, a German public pension scheme, was conducting a search for a global private equity manager and was in the process of reviewing four finalists ahead of investment. In order to support Operational Due Diligence, they wished to obtain an additional independent review of each manager’s IT/cyber risk profile.

Following discussions with bfinance, the investor decided to broaden the scope to include thorough assessment of four interrelated areas: information technology, cyber security, physical security and business continuity planning.


Outcome

  • Targeting specific area of client concern: The Operational Risk Solutions (“ORS”) group worked with the client to define a highly customised project scope and Due Diligence Questionnaire (DDQ) based on the investor’s specific needs in this instance.
  • Producing in-depth analysis: Detailed, structured assessments were executed for each manager. The ORS team analysed each manager’s DDQ response, as well as a range of company documentation, and held interviews with key personnel.
  • Identifying deviations from ‘best practice’: The analysis did find several shortcomings, although these were not judged to be significant enough to preclude investment. These included issues relating to: data security (two managers had made a data breach disclosure to a regulator within the past 18 months), penetration testing (one manager conducted an external hacking simulation every two years rather than annually), physical security (one manager’s offices lacked CCTV coverage) and business continuity (one firm had not implemented an automated notification system to inform staff of business continuity events). In most cases, the managers have since taken action or made plans to address those issues.
  • Providing confidence: The review concluded that all four managers had established control frameworks that were suitable to mitigate risks in the relevant areas. Investment proceeded with one manager.