With October being Cybersecurity Awareness Month, it is an important time to ensure your firm and its employees are aware of, and following, best practices and security policies and procedures. Risk mitigation is needed to protect both the firm and its employees from savvy hackers and attacks. Data breaches continue to wreak havoc on businesses, and the cost keeps rising. According to the Ponemon Institute, the total average cost of a data breach is now $4 million, up from $3.8 million in 2015. Hackers have everything to gain while your firm bears the reputational and operational harm.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. To get started, here are just a few pieces of advice we offer our investment firm clients. Remember to inform employees not only of what to do, but also of what not to do.
As of Wednesday, October 5, 2016, computer models continue to show Hurricane Matthew traveling along the southeastern states, starting in Miami early Friday morning and reaching Norfolk, VA early Monday morning. At this point, it’s too early to determine whether Hurricane Matthew will head out to sea once it reaches Virginia or continue up to the Northeastern states.
Whether you’re in the south or the north, now is the time to prepare your office and home for a potential impact from the storm. The following is a high-level review of the continuity steps you should consider:
Communicating with Employees
If you haven’t already, create a communication process to ensure you can notify your employees and/or clients. For internal communications, you can use an employee call tree (which can be created in Word or Excel), create a distribution list on your mobile device, or subscribe to an automated notification system. Firms must ensure messages are communicated to employees (or clients) properly and in a timely manner. Using a defined process will ensure all employees receive the same message immediately via email, phone call and/or text message. Whichever method is selected, ensure there is a dedicated employee who is aware of their role and prepared to send the communication when appropriate.
Employees’ Work Locations
If your plan is to have employees work remotely should an incident occur, steps should be taken to ensure that employees will have access to all required resources for performing their daily tasks. This includes checking to see that the company has adequate Citrix licenses and having employees do a test run.
To avoid questions and confusion, work location procedures should be clearly communicated to all employees in advance to ensure that any unexpected challenges are dealt with before any disaster.
Employee Remote Access Test
Before Hurricane Matthew reaches your office or home, validate that employees have all of the required resources to work remotely. You can validate this by having key employees perform a remote access test so that any issues are addressed before an incident impacts your office. Here are some recommended steps to have your employees follow as part of the testing process:
Validate successful communication to internal and external dependencies
Confirm full functionality of required applications
Perform all critical business functions
Confirm access to vital records (key files and documents)
Ensure employees can receive incoming calls, while working remotely, by activating phone recovery procedures or using phone redirect instructions
Disaster Recovery Activations
Depending on the impact of Hurricane Matthew, some firms may need to activate their disaster recovery systems. We recommend you review the activation procedures now to ensure a smooth transition of the systems, if needed.
The recent explosions that rocked the Chelsea neighborhood of New York City and the town of Seaside Park, New Jersey remind us all that we can never be too prepared for an emergency situation. Following are a few reminders to ensure the safety of your employees and the business continuity of your firm during these types of disaster scenarios.
Assessing the Scenario
Every scenario is different and carries its own degree of impact, whether it’s confined to an office building or affects a broader region. Start by ensuring that your employees are accounted for and in a safe location. Then consider: will the events at hand impact their ability to continue with their jobs? Obviously, if the office space is affected, a secondary location may come into play, or firms may opt to allow employees to work remotely. Next, review critical business systems, data and resources. Are your data and assets up and running so employees can continue business functions? Are phone systems and email functioning properly?
Internal and External Communication
Depending on the severity of the situation, you’ll need to determine the level of communication to both internal and external parties. If the event or disruption will impact employees getting to or from the office or if the building is inaccessible, obviously you’ll need to notify personnel. If there may be an impact to the business itself (trading, for instance), you may want to communicate with external parties such as investors, business partners, and/or regulators. It’s helpful to have a communication plan in place to guide this process. And remember: all communications should be reviewed and approved by the individual(s) overseeing the business continuity program and the plans associated with it.
During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that they take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
What Investment Advisers Need to Know About the SEC Proposed Business Continuity and Transitions Plan Rule
The Securities and Exchange Commission (SEC) recently proposed Rule 206(4)-4, which would require investment advisers to enact business continuity plans (BCPs) and transition or succession plans. This rule would aid advisers in maintaining the continuity of services in the event of a business disruption.
If you missed it, our recent webinar featuring our Director of BCP Lisa Smith and speakers from Arthur Bell CPAs examines internal, external and transition-related risks to business continuity, mitigation strategy best practices and points highlighted by the SEC within the rule.
Rather watch a video? Scroll down and listen to the full webinar replay.
Potential Risks to Business Operations
The SEC stresses that investment advisers need to assess not only external threats but also internal threats in order to accurately ascertain their own risk from a holistic standpoint. This evaluation is critical to identifying the risk impact on specific capabilities and operations, as well as how those risks will affect the firm’s employees, clients and third parties. Advisers should take a proactive and organized approach to creating risk mitigation programs for employee activity as well as for required systems (e.g. email and Internet). Risk mitigation programs should include documentation of processes, segregation of responsibilities, critical tools (think cross-training), etc.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. You can watch the full webinar replay here. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Whether it is your summer interns heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s An Employee Termination Checklist Foundation:
Contact IT Department or IT Provider to terminate or change network or application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure the employee has documented transition procedures
Reset the user’s password and disable the account
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: a business continuity plan is dynamic, so changes made and challenges faced need to be communicated transparently to all parts of the company.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information of insurances, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees’ family members and roommates should have established meeting spots in case evacuating the residence is necessary. Two locations are recommended: one close to the residence and another perhaps slightly farther away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at or near the closer meeting site.