Eze Castle Integration Eze Castle Integration

Hedge IT Blog

> Subscribe to Blog Entries about Hedge Fund Due Diligence RSS

Regulatory Risk for Investment Advisors: Guidance, Enforcement and Compliance

By Katelyn Orrok,
Tuesday, October 18th, 2016

As our Risk Outlook Series continues, we recently spoke with John Araneo, Partner at Cole-Frieman & Mallon LLP in New York, about many of the regulatory risks facing hedge funds today, including compliance, expense allocations and cybersecurity. Continue reading for a brief synopsis or scroll down to watch our webinar replay below. 

How would you describe the current regulatory climate for fund managers and investment advisers?

For hedge fund managers and investment advisers, the regulatory expectations have never been higher. Looking ahead to 2017, managers and advisers should expect the challenge of having to navigate potentially seismic regulatory changes - each of which has the potential to complicate business practices and add to the cost and complexity of compliance.

How should clients prepare to react to these changes?

It’s a top-down approach that all comes down to compliance. A culture of compliance is no longer a lofty goal or a cliché; it is now a regulatory expectation. There needs to be a robust compliance program, actual implementation, and accountability. Clients should be prepared and able to effectively manage the SEC examinations. Managers need to take time to understand regulatory priorities and expectations before an exam.

What is the current regulatory regime's appetite for outsourcing the compliance function?

There is no requirement for firms to employ a full-time person to service compliance. However, the worries about outsourcing certain functions, particularly the compliance officer function, may lead to weakened compliance culture. The opportunity of outsourcing creates a gap between the compliance function and the operations, decision makers and day-to-day activities. Outsourcing can be effective and sufficient, but management needs to resist setting it and forgetting it.

Categorized under: Hedge Fund Regulation  Security  Hedge Fund Due Diligence  Hedge Fund Operations  Trends We're Seeing  Videos And Infographics 

Addressing Hedge Fund Audit Risk: Insights from KPMG

By Katelyn Orrok,
Thursday, October 13th, 2016

Categorized under: Hedge Fund Operations  Hedge Fund Due Diligence  Hedge Fund Regulation  Outsourcing 

Six Questions to Ask About Your Investment Firm's Cybersecurity Risk

By Katelyn Orrok,
Tuesday, September 27th, 2016

During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.

Read on or scroll to the bottom to watch the full, 30-minute replay.

What is our commitment to cybersecurity and what is our outlook on the future?

Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.

How are we addressing third party risk and oversight?

Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.

Categorized under: Security  Private Equity  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing  Business Continuity Planning  Videos And Infographics 

The Hedge Fund COO’s Perspective on Risk

By Kaleigh Alessandro,
Tuesday, September 20th, 2016

Risk. Across the financial services industry, it’s a buzzword right now, and rightfully so. Perpetuated by mounting regulatory change, growing cybersecurity threats and a challenging market climate, the focus on risk is one that grows with each passing day.
As such, we are hosting a 6-week webinar series, Risk Outlook, wherein we’re interviewing industry experts on a host of risk-related topics. To kick off the series, last week we interviewed Mark Strachan, chief operating officer and compliance officer for BBL Commodities, a New York hedge fund. Read on for a recap of my conversation with Mark or scroll to the bottom to watch the webinar replay.
Question (Q): The last 5-10 years have been challenging for the investment management industry, looking back to the 2008 financial crisis as well as with increasing regulatory initiatives and changes across the investor due diligence process. How have your views on risk and the risk landscape evolved during this time? Or have they evolved?
Mark Strachan (MS): I think they’ve certainly evolved. The core features of non-investment risk – such as operational, counterparty, regulatory, security and business risk – have been constant, but they have evolved in terms of their complexity, our experiences with them, the tools available to help mitigate exposure and the focus by investors through their due diligence process.

Categorized under: Trends We're Seeing  Security  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing  Videos And Infographics 

What Investment Advisers Need to Know About the SEC Proposed Business Continuity and Transitions Plan Rule

By Katie Sloane,
Thursday, September 15th, 2016

The Securities and Exchange Commission (SEC) recently proposed Rule 206(4)-4, which would require investment advisors to enact business continuity plans (BCPs) and transition or succession plans. This rule would aid advisers in maintaining the continuity of services in the occurrence of a business disruption.

If you missed it, our recent webinar with featuring our Director of BCP Lisa Smith and speakers from Arthur Bell CPAs examines internal, external and transition-related risks to business continuity, mitigation strategy best practices and points highlighted by the SEC within the rule.

Rather watch a video? Scroll down and listen to the full webinar replay.

Potential Risks to Business Operations

The SEC stresses that investment advisers need to assess not only external threats, but also internal threats to accurately ascertain their own risk from a holistic standpoint. This evaluation is critical to identifying the risk impact to specific capabilities and operations, as well as, how they will affect the firm’s employees, clients and third parties. Advisers should take a proactive and organized approach to creating risk mitigation programs for employee activity, as well as, required systems (e.g. email and Internet). Risk mitigation programs should include documentation of processes, segregation of responsibilities, critical tools (think cross-training), etc.

Categorized under: Hedge Fund Regulation  Hedge Fund Due Diligence  Hedge Fund Operations  Business Continuity Planning 

Thriving in the Hedge Fund Startup Market: Three Considerations for Emerging Managers

By Katie Sloane,
Tuesday, August 23rd, 2016

It’s no surprise that starting a hedge fund is no easy feat. In an increasingly competitive landscape challenged with evolving investor and regulatory demands, progressive technology and mounting cyber threats, emerging managers can become overwhelmed at the winding path that lay before them. Still, hundreds of emerging managers attempt launching every year due to the prospective monetary and fundamental rewards.

What sets apart successful startups from those that fail? In today’s post we will cover a few essential areas startupreneurs should consider during their launch journey.

Invest in People

Your greatest assets walk out of the door every day: Your team. Every hedge fund startup is backed by people, and the more dynamic and versatile this team is, the greater chance the firm has of achieving and sustaining a successful future. Why? Since capital is limited during the development phase, selecting people with skill sets in multiple arears is essential. Additionally, employees are ambassadors for your firm, and thus, critical to attracting investors.

Categorized under: Launching A Hedge Fund  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing 

How Cyber Security Vulnerability Assessments Work for Investment Advisers

By Kaleigh Alessandro,
Tuesday, August 16th, 2016

The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often. 

Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments

We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:

  • Identifying all appropriate systems, networks and infrastructures;

  • Scanning networks to assess susceptibility to external hacks and threats;

  • Classifying vulnerabilities based on severity; and

  • Making tactical recommendations around how to eliminate or remediate threats at all levels.

Categorized under: Security  Cloud Computing  Disaster Recovery  Private Equity  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing  Infrastructure  Trends We're Seeing 

The Threat Within: Mitigating insider risk

By Katie Sloane,
Thursday, July 28th, 2016

The following article first appeared in Hedgeweek's special report: Cybersecurity for Fund Managers 2016.

Mitigating insider risk is one of the biggest challenges that organisations face when it comes to remaining cyber secure.

One thing we've seen a lot of with clients is their need for consulting support," says Mark Coriaty (pictured), Senior Vice President Strategy & Partnerships, Eze Castle Integration. "They don't necessarily have the biggest IT teams and/or might have been more focused on the engineering side than the cyber side. Consequently, they are spending more time learning about the business, as opposed to just putting a solution in place.Mark Coriaty Headshot

"Cybersecurity comes down to operational and procedural policies as well as employee training, which is by far one of the biggest threats to any firm."

Many of the reasons for internal breaches come down purely to human error, but on occasion it may be the actions of a rogue employee that lead to data misappropriation. To limit the impact, fund managers can put in place permission controls as a way to manage their policies and procedures, this might allow them to shut off a USB drive, protect different file sets on the back-end etc.

"It is important for whomever is managing the overall IT infrastructure to ensure that people only have access to data that they need for their day-to-day responsibilities, and block them from accessing data in other parts of the organisation," says Coriaty, adding that employee training has to be an ongoing process. "For larger firms who hire new employees regularly, managing the process of training them is crucial to maintaining good security. Most hackers target smaller investment managers not to collect credit card numbers, or investor details, but for extortion purposes using the likes of CryptoLocker to pay ransoms.

Categorized under: Security  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation 

Five Takeaways from the SEC’s 2016 Business Continuity Guidance Update

By Katelyn Orrok,
Thursday, July 21st, 2016

Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.

Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.

Include all All Key Components of Your Firm

When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods. 

A BCP is a Living Document

Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.

Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent with all parts of the company. 

Categorized under: Business Continuity Planning  Disaster Recovery  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing  Trends We're Seeing 

SSAE 16, SOC1, SOC2: Understanding Audit Terminology

By Eze Castle Integration,
Tuesday, July 5th, 2016

SOC AuditWhen assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.

Categorized under: Trends We're Seeing  Cloud Computing  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Outsourcing 

View earlier posts in the archive

Recent Posts / All Posts