Due Diligence Matters - April 2026 Bulletin

A robust approach to operational due diligence and cybersecurity enables financial institutions to assess operational resilience, protect sensitive data, and safeguard long-term value.

About perfORM: Operational Due Diligence Specialists for Investment Managers and Allocators

perfORM is an award-winning, internationally operating due diligence firm, with presence across the UK, Switzerland, USA, and UAE. We are a standalone ODD solutions provider with 150+ years of collective ODD experience. 

The ‘ORM’ in perfORM stands for Operational Risk Mitigation. 

We serve a global and diverse client base, including: 

  • Investment managers seeking validation of their operational controls
  • Allocators – family offices, multi-family offices, private banks, wealth managers, funds of funds, asset managers, pension funds, endowments, and foundations – requiring robust third-party operational due diligence on their manager relationships
  • Third-party service providers and sports teams

Cybersecurity in Financial Services: Key Considerations for Operational Due Diligence 

The increasing severity and frequency of cyber threats facing financial services firms emphasises the need for enhanced cybersecurity measures. Because they hold sensitive data, financial services firms are prime targets for cybercriminals; cybersecurity is therefore critical to protect that data, prevent financial losses, and maintain trust amid increasingly sophisticated threats.

Each type of cybersecurity control serves a different purpose, and together they ensure that weaknesses across the organisation are addressed.

The following six domains of cybersecurity are assessed as part of a comprehensive operational due diligence review. 

Cybersecurity Controls: Six Key Domains Assessed in an ODD Review 


Network security
  • What it covers: Firewalls, intrusion detection systems, VPNs
  • Why it matters for ODD: These prevent unauthorised access to sensitive investor and fund data.

Application security
  • What it covers: Security controls across operational applications
  • Why it matters for ODD: This is critical for managers reliant on trading, portfolio, and reporting platforms.

Information security
  • What it covers: Data encryption, masking, and access controls
  • Why it matters for ODD: This protects data integrity and confidentiality both in motion and at rest.

Operational security
  • What it covers: User permissions, data sharing and placement policies
  • Why it matters for ODD: This governs how staff interact with sensitive data on a day-to-day basis.

Disaster recovery and business continuity
  • What it covers: Recovery plans, RTO/RPO targets, failover systems
  • Why it matters for ODD: This ensures operational resilience and minimal disruption should an incident occur.

Employee education and awareness
  • What it covers: Phishing simulations, cyber security training
  • Why it matters for ODD: This addresses the human element, which is frequently the weakest link in cyber defence.


Furthermore, as threats and attempts to breach security measures are increasing and evolving, it is vital that financial services institutions maintain a proactive security posture. Regular security audits and penetration testing should form part of their operational risk mitigation strategy: these uncover vulnerabilities by simulating attacks before cybercriminals can exploit them. Cybercriminals generally exploit known vulnerabilities in outdated software, so timely patching and regular updates are key to maintaining a strong security environment.


Real-World Cyber Incidents: Insights from Recent ODD Engagements

During recent operational due diligence engagements, perfORM has continued to observe an increase in both the frequency and impact of cybersecurity incidents across asset managers. 

In one recent review, an investment manager experienced a cyber attack that prompted an external forensic investigation. The analysis concluded that the incident was not targeted and resulted in no data loss, but the threat remains real. 

We have also observed incidents where employee phishing attacks led to cybersecurity breaches. In one example, an employee inadvertently compromised credentials following a phishing email. While the incident was assessed as minor, it reinforced the importance of regular staff training, escalation protocols, and incident response readiness as phishing techniques continue to evolve.

perfORM’s ODD Report Solution: Operational Due Diligence for Investment Managers and Allocators

perfORM’s ODD Report Solution is not just another box-ticking exercise; it is a fast-growing and innovative approach to operational due diligence, and a pragmatic solution for investment managers and service providers that engage us to complete an ODD review.

“We believe in operational excellence, doing things ‘the right way’ and holding ourselves accountable for delivering institutional-grade asset management. Working with perfORM to review our processes thoroughly is key to ensuring our investors have independent insight, understanding, and confidence in how we manage their assets. We appreciate the perfORM team’s forensic review of our documentation and processes and look forward to collaborating again.” – Investment Manager ODD Report Solution client

Contact perfORM to discuss ODD support or to receive a sample ODD report.

You can also read our March bulletin edition and watch our new video, which introduces perfORM and each of our core ODD services.

View previous ODD reports