When most people envision Business Continuity Planning (BCP) and testing, they conjure up images of conference rooms, hardcopy documents, projectors and key personnel. A real event looks nothing like that.
In recent memory, there have been many situations that have disrupted businesses - be it by natural disaster or as a result of human interference. In either event, people need to be able to reestablish essential business functions, communicate, and make decisions as quickly and easily as possible.
Although many organizations do an annual BCP review, the big question is whether they truly test the process, ease of accessibility, and the time it takes an organization/leadership group to go from unsure about the situation to confidently executing a thoughtful game plan.
What can make a considerable difference in terms of functionality and familiarity with the plans and recovery procedures is to practice -- not only verbally in the conference room setting, but also by taking time to troubleshoot and brainstorm to determine what works and what may need a second look. There is a lot that can be learned from being unplugged and “kicked” out of the conference room and asked to assume a role outside of the comfort zone. This can be done simply by taking away some of the accepted norms during a test. The following scenario illustrates issues that arise when the accepted norms are chipped away.
We spend a lot of time educating our clients about security best practices and encouraging them to implement comprehensive security policies and procedures to mitigate risk and protect both the firm and its employees. And for good reason. Just today, New York Attorney General Eric Schneiderman released a report stating data breaches across the state more than tripled from 2006 to 2013 and cost businesses more than $1.37 billion last year alone.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. In addition to providing employees with security best practices they should follow, don’t forget to also include a list of actions they should not. Here are just a few pieces of advice we regularly offer our investment firm clients:
Lock your computer and mobile phone(s) when you leave your desk and/or office
Use care when entering passwords in front of others
Create and maintain strong passwords and change them every 60-90 days (We recommend a combination of lowercase and uppercase letters and special characters)
We continue to speak with clients and prospects on a regular basis on the topic of cybersecurity, and with the expectation that the SEC will start security exams sometime around September, it’s evident that firms are working diligently to answer the questionnaire and shore up internal practices.
To continue fostering education around this topic, we hosted two events last week dedicated to cybersecurity for hedge funds and investment firms. For your convenience, you can read a brief recap of some of the key topics discussed or scroll down to watch our full webinar replay.
Cybersecurity a Hot Topic on State & Federal Level
By now, we all know the SEC has taken steps to assure that hedge funds and investment advisers put security mechanisms and practices in place to protect against cyber threats. SEC Commissioner Luis Aguilar said there is “substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.” Even beyond the federal level, some states are chiming in on the cybersecurity front. Earlier this month, Massachusetts and Illinois acknowledged that they were polling investment advisers about their security practices, and that based on responses, state regulations could be impacted.
Hedge funds have known for some time the importance of effective cybersecurity, and regulation increasingly enforces this as a requirement. For any practice to be effective, however, there are a number of factors which need to be considered prior to implementation. Eze Castle’s Lisa Smith recently sat down with HFMWeek Magazine to talk about how to meet and understand the new cybersecurity guidelines advised by the SEC. Following is an excerpt of the article.
The SEC's cybersecurity questionnaire sets the framework and best practices for the financial industry. When you consider the type of information that hedge funds are handling on a day-to-day basis, it's really important that they have security controls in place. The questionnaire is a way for the SEC to ensure that hedge funds, private equity and investment management companies are taking security controls seriously and are aware of what's in place for their company.
HFMWeek (HFM): Within the sample SEC cybersecurity request document, questions were divided into five categories. What is the SEC looking for in these categories?
Lisa Smith (LS): Identification of risk in cybersecurity governance - this involves an analysis of what's in place. So for instance - when I conduct a business assessment I'll focus on what's currently in place versus what should be in place in accordance with the recommendations from the SEC. Anything that is not in place that should be goes into our risk assessment summary and is categorized as low, medium or high. It's about ensuring that hedge funds have certain controls and security policies in place to protect their environment and data.
Cybersecurity is a hot topic these days, so I thought it was important to touch on the importance of including cybersecurity in your firm’s Business Continuity Planning (BCP). Ideally, firms should have two separate plans: a Written Information Security Plan (WISP) and a Business Continuity Plan, keeping in mind there will be some high-level overlap.
Let’s start with the basics, such as access controls and permissions required for accessing data that is considered confidential. Access controls focus on preventing unauthorized use of an application, service, website, etc., to gain access to confidential data. Only specific users will have a business need to access confidential data. During the Business Impact Analysis (BIA) phase of business continuity planning, be sure to identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens).
Feeling lucky that your business has never been impacted by a disaster? If so, now is the time to evaluate everything from your call tree to your disaster recovery solutions. Studies commonly cited in the industry put the share of businesses that fail after a disaster as high as 40 percent. That means a substantial portion of the firms reading this article will not recover unless they are fully prepared.
So what do you do to ensure that you will be more than just lucky to successfully recover from a disaster?
Start with your documentation. What do you have? You should have a current Business Continuity Plan (BCP) and Employee Quick Reference Cards (QRCs). If you have those two items, be sure to review them and make sure any recent changes to your business have been captured. Once you’ve validated the information is current, it’s time to test the documentation.
Managing technology at a hedge fund can be complex and time consuming, but not when you’re on the Eze Private Cloud. Adding new investment applications is a cinch, IT costs are predictable and security is robust.
Watch our new video to see what it feels like to be on the Eze Private Cloud:
Investment risk plays an important role in the life of a hedge fund manager, but technology risk should not. When it comes to your firm’s technology systems and operations, you want things to run efficiently, not add more stress to your already crowded plate.
Mitigating technology risk is a critical step to ensuring your hedge fund operates smoothly and successfully. Following are a few areas to keep in mind as you evaluate your firm’s technology risk:
Layers of Redundancy
One way to reduce your firm’s technology risk is to add layers of redundancy throughout your infrastructure. Whether you’re utilizing a cloud infrastructure or an on-premises environment, your servers, networking and telecom lines should feature N+1 availability, a configuration in which each set of N components needed to carry the load has at least one independent spare, so that system functionality continues in the event of a single failure. The word independent matters: a spare that shares a power feed, carrier or upstream circuit with the component it backs up fails together with it.
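The following Python block is an added worked example, not code from the original article or from Eze Castle. It models N+k redundancy as a binomial tail (at least N of N+k independent units up) and then shows what happens when every unit also hangs off one shared dependency such as a single power feed or carrier circuit. The per-unit availability figures and the `shared_dependency` parameter are assumptions chosen to illustrate the point, not vendor data.

```python
"""
Availability model for an N+k redundant pool of components.

Added example, not from the original article. Unit availability values
and the shared-dependency factor below are assumed illustrative inputs.
"""
from math import comb


def pool_availability(n_required: int, spares: int, unit_availability: float) -> float:
    """Probability that at least n_required of (n_required + spares) units are
    up at a given moment, assuming each unit fails independently with the
    same availability. N+1 is spares=1; a single non-redundant unit is spares=0.
    """
    total = n_required + spares
    a = unit_availability
    return sum(
        comb(total, up) * a ** up * (1 - a) ** (total - up)
        for up in range(n_required, total + 1)
    )


def effective_availability(
    n_required: int,
    spares: int,
    unit_availability: float,
    shared_dependency: float = 1.0,
) -> float:
    """Same pool, but every unit also depends on one shared element (one
    power feed, one upstream carrier, one cloud region). That element is in
    series with the whole pool, so it caps the result regardless of k.
    shared_dependency=1.0 means no shared single point of failure.
    """
    return shared_dependency * pool_availability(n_required, spares, unit_availability)


def downtime_minutes_per_year(availability: float) -> float:
    """Convert an availability fraction to expected annual downtime."""
    return (1 - availability) * 365 * 24 * 60


if __name__ == "__main__":
    # Constructed scenario: each unit (server, switch, circuit) is 99.9% available.
    unit = 0.999
    scenarios = [
        ("1 unit, no spare", 1, 0, 1.0),
        ("1+1 (N+1)", 1, 1, 1.0),
        ("2+1 (N+1)", 2, 1, 1.0),
        ("2+1 behind one 99.9% shared feed", 2, 1, 0.999),
    ]
    print(f"{'configuration':38} {'availability':>13} {'min/yr down':>12}")
    for label, n, k, shared in scenarios:
        avail = effective_availability(n, k, unit, shared)
        print(f"{label:38} {avail:13.7f} {downtime_minutes_per_year(avail):12.1f}")
```

The last row is the caveat a practitioner should take from the table: a 2+1 pool that shares a single 99.9% feed is no better than a single unredundant unit, because the shared feed sits in series with everything behind it. When reviewing a redundancy design, trace each spare back to power, carrier and upstream path and confirm it does not share those with the component it protects.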
Planning is valuable in preparation for any form of event, but is essential in more common situations such as severe winter weather. Depending on where you are located, frequent weather events may not appear dangerous since you have been through them before; but what if this next storm shuts down your power for a week?
Do you know what to do or where to go? Do you have the proper supplies on hand? Weather can be a common disruption that arises quickly and without warning and affects many.
First and foremost, Happy New Year everyone!
2014 has officially begun, and as with every New Year, it is important to reflect on the previous year and set goals for the future. Many of the resolutions that we made last year are still relevant this year because they are foundational for a hedge fund’s success. This year we are offering a few more critical recommendations to ensure that your company and IT operations run efficiently and effectively.