Cybersecurity Remains the Critical Differentiator in Data and Tech

Published on: October 22, 2025

By Randy Siegel, Chief Information Security Officer

Originally published in Private Funds CFO.

When it comes to fund administrators and technology partners, private investment firms are spoiled for choice. AI-powered market data aggregators, virtual data rooms, monitoring & reporting platforms, and valuation tools are rapidly transforming the industry. This wave of new solutions promises sharper data analysis, greater LP data access, and fresh opportunities for firms to leverage technology and stand out from the competition.

These new features should not overshadow the work tech firms must do in cybersecurity to ensure the safety of their and their clients’ data. As the volume of global threats proliferate, the more important a strong multi-layered capability and continued investment in cybersecurity becomes. A stark risk remains for firms who omit or minimize security concerns – as seen by historical security breaches.

Leading firms are setting a new bar in terms of cybersecurity preparedness, investing significant time and resources to build rigorous processes and defense in depth at the data, application, OS, network, and equipment levels. At Gen II, our cybersecurity approach centers on five interconnected pillars. These aren’t static checkboxes but evolving capabilities that we believe every fund administrator you consider should meet.

Secure Web Based Cloud First Infrastructure

Cloud computing exploded during the COVID pandemic, when hundreds of thousands of workers worked from home. Forward-looking companies saw this evolution before the crisis hit, and had a head start developing a cloud environment that could be secured more easily than on-premise hardware. Cloud-native infrastructure is now a foundational element of a strong cybersecurity program and enables improvements like thin clients, wherein a user’s device is simply a portal to programs and data in the cloud that can be protected by multiple security methods.

Powered by systems like Microsoft Azure, thin clients hold no confidential data on local devices, removing the security risk of a lost or misplaced device. User access can easily be granted or revoked, and important data can be locked down in a single, secure cloud environment instead of across hundreds or even thousands of physical devices. Extensive physical security controls at these Tier 4 data centers further safeguard information assets, as does a zero-trust architecture, where every request is verified regardless of location or device. Compare this to a traditional laptop with software applications running directly on the device – if the device is misplaced or stolen, sensitive data could be compromised.

In-House Expertise

Leading technology partners don’t just implement security measures, they orchestrate an integrated defense strategy. Some functions can still be outsourced, but for true 24/7 security an in-house team must be adequately staffed to address evolving cyber threats, organizational change, and support “on the go” work activity. In-house teams typically have a deeper understanding of the company’s systems, internal processes, and compliance environment, allowing them to spot small issues and respond faster to potential incidents than outsourced partners. In-house teams can directly embed best practices across departments, contributing and reinforcing a stronger cybersecurity culture.

Some vendors don’t consider having an in-house team as a real requirement and may try to save budget by outsourcing, leading to potential security gaps and risks.

Frequent Training, Validation, and Application Testing

A company only running vulnerability scans once a month or once a quarter is not taking cybersecurity seriously. An effective testing philosophy recognizes that security is only as strong as its weakest link at any given moment and must be tested frequently.

Penetration testing needs to simulate real threats and identify vulnerabilities across the tech stack. Similarly, backup testing and site recovery testing are critical to verify that the systems in place are in fact working, and that data can be backed up, stored, and restored when needed. Leading firms monitor security 24/7, with real-time alerting, automated threat detection, and incident response.

Firms must also test the weak link in cybersecurity – the human on the other side of the screen. Annual trainings, monthly tests, follow-ups with employees who fail tests, and constant vigilance in daily operations should be the standard. Frequency is key, and phishing exercises using 3^rd party platforms can help train and test employees on emerging threats. If a company only tests employees quarterly, they could have a situation where a new employee starts in June, and doesn’t get tested until October, leaving a huge gap. A minimum of monthly testing and personalized follow-up training solves this problem.

Independent Third-Party Validation and Gold Standard Global Certifications   

A strong cybersecurity culture welcomes scrutiny. External validation doesn’t just verify a security posture, it drives continuous refinement and ensures internal expertise stays sharp through outside perspectives and evolving industry standards. At Gen II, we undergo 100-200 client security audits annually – including many third-party assessments – which have helped identify and close minor gaps and strengthen controls.

Companies should be certified as complying with ISO 27001, the international standard for an information security management system, and SOC 2 Type 2, an audit report focused on design and effectiveness of internal controls over a period of time. ISO 27001 is a comprehensive framework that covers secure development, business continuity planning, vulnerability management, data classification, and governance. SOC 2 Type 2 compliance shows a company is serious about process monitoring, encryption control, intrusion detection, user access authentication, and disaster recovery.

Continuous Learning

A commitment to staying at the forefront of cybersecurity intelligence directly enhances every other aspect of a security program. This could include monitoring hacker forums, attending cybersecurity events to track current and emerging threats, or monitoring incubator-stage solutions as vendors race to address new challenges.

AI is a perfect example. The biggest security challenge we all face today is securing our environment while letting employees leverage AI tools. Engagement and research with the tech community is essential to understanding the new threats and solutions that are out there. It’s also where industry leaders share best practices for proactive breach preparedness, novel tabletop exercise scenarios, and proven recovery procedures.

The Orchestrated Approach: How It All Works Together

In today’s high-threat environment, effective cybersecurity needs to be understood not merely as a back-office function, but as a multi-layer strategy and critical component of technology providers’ value proposition. What distinguishes a world-class cybersecurity program from a simple compliance checklist is how these five pillars reinforce and strengthen each other.

Cloud infrastructure provides the foundation that makes comprehensive testing possible. In-house expertise interprets test results to drive infrastructure improvements. Frequent training, validation, and application testing creates a feedback loop that strengthens both human defenses and technical controls. External validation confirms the effectiveness of the approach while identifying areas for enhancement and continuous learning ensures firms are preparing for tomorrow’s threats, not just defending against yesterday’s.

This can’t be a set-and-forget system, it needs to be a living, breathing security ecosystem that adapts and evolves daily. Leaders in cybersecurity understand the field is an ongoing investment in people, processes, software and systems year after year.

Choosing a technology partner who doesn’t have world-class cybersecurity is a sure path to unacceptable risk. But choosing one whose security approach is orchestrated by experts, validated continuously, and designed to evolve with emerging threats, is how you stay ahead of tomorrow’s challenges today.