The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
Earlier this week Delta Airlines suffered a major system outage that resulted in more than 740 flight cancellations and thousands of flight delays.
Delta’s Chief Operating Officer Gil West explained that “Monday morning a critical power control module at [Delta’s] Technology Command Center malfunctioned, causing a surge to the transformer and a loss of power. The universal power was stabilized and power was restored quickly. But when this happened, critical systems and network equipment didn’t switch over to backups. Other systems did. [As a result, Delta saw] instability in these systems.”
As with any major “uh oh” moment, there are lessons that can be learned. So let’s take a look at what hedge funds can learn from Delta’s IT mishap.
1. Outdated technology can hurt in a big way. Airlines are saddled with legacy IT systems, complicated by mergers and acquisitions requiring complex integrations. Unlike airlines however, most asset management firms are not relying on technology from 80s or 90s. But that doesn’t give firms a pass when it comes to staying current with technology.
Outdated IT systems insert instability into a firm’s operations and provide holes for cyber hackers to exploit. The reality is that outdated systems will only continue to fall behind in the race of technology, trouble shooting will take longer, future applications will fail to run, or crash the server altogether, and the cost to migrate increases concurrently as the pool of experts shrinks.
2. You can’t ignore the IT industry’s transition to cloud computing. As noted in a ZDNet article, “the big question is why in 2016 airlines are being brought down by single points of failure when cloud services offer resiliency zones, backup options, and redundancy to keep critical systems running.”
Enterprise-grade clouds deliver significant resiliency in both the hardware and data centers, with cloud infrastructures spanning geographically diverse facilities. Beyond hardware, top tier cloud providers (Eze!) have teams of senior engineers managing and monitoring the infrastructure. Additionally systems are upgraded on a regular frequency.
In the investment management industry, it is common to hear investors state they are more comfortable with fund managers utilizing a private cloud rather than keeping IT on premise. At larger funds, the prevalence of cloud-based solutions provides Chief Technology Officers (CTOs) the opportunity to execute more strategic technology initiatives and focus on risk mitigation.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. You can watch the full webinar replay here. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include all All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent with all parts of the company.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information of insurances, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees' family members and roommates should have established meeting spots if evacuating the residence is necessary. Two locations are recommended: one close to the residence and another perhaps slightly father away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at/near the closer meeting site.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.
The information below was originally derived from the expert panelists who spoke at a 2010 Eze Castle Integration event. Given how important this topic is we’ve updated the article to reflect today’s market.
The subject of hedge fund operational due diligence is one that has risen to the forefront for both hedge fund managers and investors in recent years. Prior to the economic downfall in 2008 and high-profile investment scandals made infamous by Bernard Madoff and others, hedge fund due diligence was viewed as an unnecessary assignment.
Historically, there has been a general lack of transparency within the hedge fund industry; larger funds, particularly, used to balk at investor inquiries. They figured there would never be a shortage of investors, so there wasn't a need to spend extra time satisfying their needs.
Due diligence, as a process, did not gain significant importance until recently. in the past, the responsibilities associated with it would often fall under the role of a CFO, CCO or other executive – someone who had very little time to devote specifically to due diligence. But as the industry has evolved over the last several years, so has the need and desire for operational due diligence.
So what exactly has changed?
Successfully launching a hedge fund is a complex endeavor. Not only must emerging managers evaluate traditional deployment strategies, but consider current factors influencing the financial landscape.
Last week, Eze Castle Integration presented a webinar, “How to Launch a Hedge Fund,” featuring an expert panel that addressed some critical areas for consideration, notably capital introduction, legal and technology. There was quite a bit of content discussed during the 1-hour event, so we’ve pulled out some key takeaways.
Capital Raising (Paul Schultz, Director of Capital Introduction, Wells Fargo Prime Services)
Examine both content and context, i.e. cash inflows and outflows as well as the “big picture” that accounts for volatility
Be aware of the kinds of investors coming into the hedge fund space. Large and institutional pension plans are currently the largest investor base.
Be prepared when speaking to investors. Target those who have a history of being receptive to founder share class and who may offer lower management and performance fees.
Show investors that you have a 3+ year budget for working capital without any performance fees.
Have a well thought-out blueprint. Clarity and intention make all the difference.
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing Videos And Infographics