Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include all All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent with all parts of the company.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information of insurances, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees' family members and roommates should have established meeting spots if evacuating the residence is necessary. Two locations are recommended: one close to the residence and another perhaps slightly father away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at/near the closer meeting site.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.
The information below was originally derived from the expert panelists who spoke at a 2010 Eze Castle Integration event. Given how important this topic is we’ve updated the article to reflect today’s market.
The subject of hedge fund operational due diligence is one that has risen to the forefront for both hedge fund managers and investors in recent years. Prior to the economic downfall in 2008 and high-profile investment scandals made infamous by Bernard Madoff and others, hedge fund due diligence was viewed as an unnecessary assignment.
Historically, there has been a general lack of transparency within the hedge fund industry; larger funds, particularly, used to balk at investor inquiries. They figured there would never be a shortage of investors, so there wasn't a need to spend extra time satisfying their needs.
Due diligence, as a process, did not gain significant importance until recently. in the past, the responsibilities associated with it would often fall under the role of a CFO, CCO or other executive – someone who had very little time to devote specifically to due diligence. But as the industry has evolved over the last several years, so has the need and desire for operational due diligence.
So what exactly has changed?
Successfully launching a hedge fund is a complex endeavor. Not only must emerging managers evaluate traditional deployment strategies, but consider current factors influencing the financial landscape.
Last week, Eze Castle Integration presented a webinar, “How to Launch a Hedge Fund,” featuring an expert panel that addressed some critical areas for consideration, notably capital introduction, legal and technology. There was quite a bit of content discussed during the 1-hour event, so we’ve pulled out some key takeaways.
Capital Raising (Paul Schultz, Director of Capital Introduction, Wells Fargo Prime Services)
Examine both content and context, i.e. cash inflows and outflows as well as the “big picture” that accounts for volatility
Be aware of the kinds of investors coming into the hedge fund space. Large and institutional pension plans are currently the largest investor base.
Be prepared when speaking to investors. Target those who have a history of being receptive to founder share class and who may offer lower management and performance fees.
Show investors that you have a 3+ year budget for working capital without any performance fees.
Have a well thought-out blueprint. Clarity and intention make all the difference.
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing Videos And Infographics
Today’s the day.
The National Futures Association ("NFA") Interpretive Notice Regarding Information Systems Security Programs goes into effect. The NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
The Cybersecurity Interpretive Notice applies to all membership categories--futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.
Rather than taking a ‘one-size-fits-all approach,’ the Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, customer types and counterparties.
But whatever approach is taken, the Cybersecurity Interpretive Notice requires Members to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
Information Systems Security Program Key Areas
Similar to the SEC’s expectations, the Cybersecurity Interpretive Notice requires a written information security program to contain:
A security and risk analysis;
A description of the safeguards against identified system threats and vulnerabilities;
The process used to evaluate a security incident, including impact and incident response; and
Description of ongoing education and training related to information systems security for employees.Executive-level participation and annual review of the information security program is expected. Additionally, firms must provide employees training during the onboarding processes as well as periodically during employment.
Categorized under: Security Launching A Hedge Fund Hedge Fund Insiders Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Business Continuity Planning Trends We're Seeing
The following is the second excerpt from our new whitepaper, Launching a Hedge Fund: 10 Keys to Success. To read part one, click here.
Develop an IT budget for your first 2-3 years.
Operating capital may be limited in the first few years after your launch, so careful budgeting and long range planning will serve your firm well. Your information technology budget should include priorities and figures for at least two to three years, including infrastructure/hardware and software requirements. Some questions you’ll want to consider:
How many offices are you launching with? Do you plan to open additional offices in the near future?
How many users do you have on day one? How many can you expect to have in years 2 and 3?
Where are your offices located? Are there cost differences between domestic and international offices?
What are your trading practices and how does this impact your budget?
What kinds of systems do you need? (Order Management, Portfolio Accounting, Risk Management, CRM, etc.)
Ensure your technology budget coincides with your firm’s growth plan. Do you expect to grow quickly? Open new offices? Expand internationally? You will need to account for these changes.
Understand hedge fund regulations and how they affect your firm.
Governmental oversight of the financial industry has evolved dramatically in the last decade. Hedge funds, private equity firms and registered investment advisers now operate in a world where they are beholden to regulatory bodies with growing expectations and requirements. When launching your hedge fund, you’ll need to be clear up front with any responsibilities you may have to any applicable agencies – in the United States, that means the Securities and Exchange Commission (SEC). Are you required to register? If so, represent your firm accurately and be descriptive of your operations. If not forthcoming, you may open up your firm to serious regulatory and criminal prosecution.
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Software Trends We're Seeing
Today's hedge funds are facing an environment defined by regulatory pressure, investor demands and fierce competition. For hedge fund startups, the challenges are even greater, so too are the demands. Successfully operating a new startup beyond the first year is a feat many managers struggle to accomplish, therefore it's critical for emerging managers to gain a full understanding of the industry that awaits them and the hurdles they should expect to face.
While the list of considerations is surely long for new managers, we've whittled it down to 10 Keys to Launching a Hedge Fund Successfully - a guide for new startups to use when setting off on their new journey.
Take a look at our latest video for a quick look at our 10 Keys to Success. And be sure to come back to Hedge IT later this week when we'll be sharing an excerpt from our brand new whitepaper on the same topic!
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing