With October being cybersecurity awareness month it is an important time to ensure your firm and employees are aware of and using best practices, and security policies and procedures. Risk mitigation is needed to protect both the firm and its employees from savvy hackers and attacks. Data breaches continue to wreak havoc on businesses, and the cost is continuously rising. According to the Ponemon Institute, the total average cost of a data breach is now $4 million, up from $3.8 million in 2015. Hackers have everything to gain while your firm bears reputational and operational harm.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. To get started here are just a few pieces of advice we offer our investment firm clients and remember to not only inform employees on what to do, but also what not to do.
Private equity firms have been slow to embrace outsourcing, but managing data and technology is more complex than ever. With increasing regulatory requirements and a growing urge to focus on core competencies, PE firms are shifting their views of the back office. In case you missed our recent webinar on 'The Transformation of Private Equity Operations', speakers from Citco Fund Services and Eze Castle Integration examined the changing tide for private equity operations and how CFOs, CTOs and fund managers alike can control operating costs, maximize efficiency and better perfect operational workflows.
Drivers for change.
The number one reason for managers to make the switch to an outsourced solution is the desire for managers to get back to their roots. The idea of back office transformation is really founded in that managers have found themselves spending much more time doing everything but raising money and investing money.
Beneath this layer, back office transformation is also driven by regulation, investor transparency, the lifecycle of a private equity firm, and global reach. Slow adoption, fast results. The private equity sector has been slow on the uptake when it comes to outsourcing, and we contribute this lag due to lack of education on the process and benefits of outsourcing. In the past three to five years, adoption in the PE space has increased because it is cost effective, secure and feature rich. Private equity firms that have made the switch wonder why others are not doing the same. The idea of leveraging an experienced managed service provider is one that private equity firms have really embraced because there is no burden for firms to hire and attract talent, which can be challenging and expensive.
As we work with clients on completing due diligence questionnaires (DDQs), one increasingly common question is, “does your firm block access to data sharing sites such as DropBox or Google Drive?”
Generally the answer to this question should be ‘Yes,’ but that isn’t always the case because public file sharing services such as these are very convenient, and firms may overlook the security risk they pose. Additionally, employees accustomed to using Dropbox for personal use may be tempted to go for convenience over security when they need to share a large file or data set.
However, with security threats multiplying exponentially, hedge funds and alternative investment firms need to be proactive in protecting data and personally identifiable information (PII) from accidental and malicious insider risks. That’s why for secure file sharing Eze Castle Integration includes Varonis' DatAnywhere product as a standard feature within our Eze Managed Suite. Varonis' DatAnywhere offers users seamless and secure collaboration and file sharing across devices.
Beyond security, Varonis' DatAnywhere is easy to use. Users receive the same drag-n-drop experience as shared network drives or a cloud sync folder, which means no need for training on complex user interfaces and collaboration workflows. Additionally, data is automatically backed up and version controlled.
The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
Earlier this week Delta Airlines suffered a major system outage that resulted in more than 740 flight cancellations and thousands of flight delays.
Delta’s Chief Operating Officer Gil West explained that “Monday morning a critical power control module at [Delta’s] Technology Command Center malfunctioned, causing a surge to the transformer and a loss of power. The universal power was stabilized and power was restored quickly. But when this happened, critical systems and network equipment didn’t switch over to backups. Other systems did. [As a result, Delta saw] instability in these systems.”
As with any major “uh oh” moment, there are lessons that can be learned. So let’s take a look at what hedge funds can learn from Delta’s IT mishap.
1. Outdated technology can hurt in a big way. Airlines are saddled with legacy IT systems, complicated by mergers and acquisitions requiring complex integrations. Unlike airlines however, most asset management firms are not relying on technology from 80s or 90s. But that doesn’t give firms a pass when it comes to staying current with technology.
Outdated IT systems insert instability into a firm’s operations and provide holes for cyber hackers to exploit. The reality is that outdated systems will only continue to fall behind in the race of technology, trouble shooting will take longer, future applications will fail to run, or crash the server altogether, and the cost to migrate increases concurrently as the pool of experts shrinks.
2. You can’t ignore the IT industry’s transition to cloud computing. As noted in a ZDNet article, “the big question is why in 2016 airlines are being brought down by single points of failure when cloud services offer resiliency zones, backup options, and redundancy to keep critical systems running.”
Enterprise-grade clouds deliver significant resiliency in both the hardware and data centers, with cloud infrastructures spanning geographically diverse facilities. Beyond hardware, top tier cloud providers (Eze!) have teams of senior engineers managing and monitoring the infrastructure. Additionally systems are upgraded on a regular frequency.
In the investment management industry, it is common to hear investors state they are more comfortable with fund managers utilizing a private cloud rather than keeping IT on premise. At larger funds, the prevalence of cloud-based solutions provides Chief Technology Officers (CTOs) the opportunity to execute more strategic technology initiatives and focus on risk mitigation.
Cloud, Cyber Security and Managed Services: Putting Eze Castle Over the Top in Waters Rankings (Video)
We're thrilled to share that Eze Castle Integration has won the coveted awards for Best Cloud Infrastructure Provider and Best Cyber-Security Provider in the 2016 Waters Rankings. Vinod Paul, Managing Director of Eze Castle Integration, spoke with Dan DeFrancesco, Deputy Editor of Sell-Side Technology and Waters Technology about how Eze Castle Integration differentiates itself from other cloud and security providers.
Watch Vinod's video interview below or scroll down for some quick takeaways.
As a hedge fund or investment management firm, you’re juggling a lot. Hedging bets, pitching investors, running day-to-day operations – there’s a lot on your plate. That’s why working with an experienced cloud services provider can offer benefits beyond just infrastructure.
Let’s take a look at three different ways your cloud services provider can de-stress your busy life and provide you with much needed value.
1. Free up your space.
One of the beauties of a cloud computing environment is the near elimination of physical hardware and equipment on-site at your office. When managing your own server room or Communications (Comm.) room, you are responsible for housing a variety of equipment such as servers, UPS units, networking equipment and cables, spare parts, etc. Not to mention you need the real estate for it all. And don’t forget – much of this equipment runs on a three-year refresh cycle, which means you’ll have to upgrade everything in the near future.
At Eze Castle Integration we often reference data center tiers (i.e. Tier II and Tier III) in our written materials and assume readers will automatically understand the value of these distinctions. In some cases this might be a safe assumption, but you know what they say about assuming so we’ll do a refresher in this blog post.
Data center tiers – Tier I to IV – represent a standardized method to define the uptime of a data center. The tiers are useful in measuring:
Data center performance
Return on investment (ROI)
Categorized under: Cloud Computing
When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing