It’s a question that many folks in the financial services industry have been asking for a few years now. Are potential investors comfortable with the idea of hedge funds leveraging cloud services? In Part 1 of our cloud webinar series, The Investor Perspective on Cloud and Security, we asked Ashley Gimbel, Senior Vice President at Dyal Capital Partners, to share her thoughts on evaluating the operational and infrastructure decisions of hedge funds and alternative investment firms and if investors are truly comfortable with the cloud. Click here or scroll down to watch the full replay of our conversation with Gimbel.
The simple answer is ‘yes.’ According to Gimbel, investors are and should be at ease with hedge fund clients using cloud infrastructures to support their daily operations. In fact, she says, hosted infrastructures often make more sense for firms with little to no IT resources in-house.
With a few caveats, of course. Firms should ensure outsourced cloud providers have proper Service Level Agreements (SLA) in place and are conducting appropriate oversight of their provider(s). A few other technology must-haves:
Well integrated data and systems
Established policies and procedures
Comprehensive disaster recovery
At Eze Castle Integration we see thousands of due diligence questions about hedge fund technology and operations each year. The questions around security are getting more specific with investors wanting details about each layer of a firm’s security stack.
A new question we’ve seen pop up one or twice centers around whether a firm’s online systems have undergone an ethical hack. So what is ethical hacking and how is it different from penetration testing?
What is Ethical Hacking?
Going back to our trusty security dictionary, SearchSecurity defines ethical hacker (aka white hat hacker) as a “computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker [aka black hat hacker] could potentially exploit.”
The increased focus on all things cybersecurity related – cyber-attacks, cyber warfare and cyber terror – has even led to the creation of a Certified Ethical Hacker (CEH) designation, which hacking pros can earn by completing online courses offered by the EC-Council.
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep focused on written documentation for their assessment and conducted "limited testing" of the accuracy of the responses. They did not review the technical sufficiency of the firms’ programs either. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
Most firms adopted written information security policies, but 43% of advisers did not conduct periodic audits to determine compliance with these information security policies and procedures.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Plans (WISP) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
HFMWeek Catches Up with Eze Castle Integration’s Managing Director, Vinod Paul, To Discuss How Technology Can Help Tackle the Challenges Facing Hedge Fund Start-up Firms.
HFMWeek (HFM): Are you seeing a healthy market for new hedge fund launches in the US?
Vinod Paul (VP): 2013 and 2014 were very strong years for start-ups in the US. Our US pipeline is also quite healthy for 2015 in terms of start-ups, which is a little different to Europe, where there aren’t as many launches. In terms of overall US business, 50% of the clients we brought on in 2014 were start-ups; this is up from 40% in 2013. There are several factors that have contributed to this, some that we cannot control, such as how the wider market performs. Institutional money coming back into the market is causing some of the start-up activity. Many of the start-ups we have been able to bring on were funded by larger institutions. HFM: How are today’s start-up funds different than those from five years ago?
This article originally appeared on TABBforum and was contributed by Steve Schoener, senior vice president of client technology at Eze Castle Integration.
Cybersecurity certainly made its mark on the hedge fund and alternative investment industry in 2014. Threats consistently increased in frequency, sophistication and form. With the release of the SEC’s Cybersecurity Risk Alert this past April, firms were forced to react swiftly and leave their outdated security practices behind. 2014 was a reactive year for hedge funds, but we envision a shift in trends for 2015.
Prior to heightened regulations and detailed due diligence and IT security questionnaires, the majority of financial firms were drawing their curtains closed when it came to facing the reality of the threat landscape. But it was only a matter of time until businesses no longer could turn a blind eye to threats and investors knocking at their front doors.
Over the past year we have witnessed an unceasing number of cyber-attacks and potential threats, as well as heightened security regulations placed upon hedge funds. Consequently, we’ve all read the headlines and best practices guidelines when it comes to cybersecurity. While these resources are all helpful, there is an untapped core that lies beneath this hot topic’s surface layer. That is, the ever-evolving future and forthcoming trends for hedge fund information security. So what do we at Eze Castle Integration forecast for cybersecurity in 2015?
It’s officially 2015! With the New Year upon us it is important to set new goals for the future. In today’s post, we offer five resolutions hedge funds should consider to help pave the pathway for another prosperous year.
Resolution #1: Prepare for Cybersecurity
In 2014, hedge funds were revamping their IT policies and upgrading their methods of preventing, detecting and responding to cyber threats. However, this push to overhaul and enhance security was largely reactive to the several breaches we witnessed in 2014. Among those companies affected were Sony, Target, JP Morgan Chase and Home Depot. In 2015, we predict cybersecurity will remain at the forefront of headlines. That being said, hedge funds should prepare ahead of time and have detailed information security policies in place.
Resolution #2: Avoiding Common Cloud Mistakes
When it comes to hedge fund operations and technology, there is no margin for error. Common mistakes range from not sizing bandwidth adequately to business needs to not planning proactively for applications and assuming deep security safeguards are in place. Hedge funds that take the proper precautions and do their research when cloud shopping save themselves from preventable stress and inflated issues down the road.
It’s been quite a year, and as always, it’s hard to believe it’s over. In 2014, Hedge IT continued to thrive in its goal to provide advice and insight into hedge fund technology and operations. The financial services industry is evolving at a rapid pace, and we’re evolving our topics and conversations to keep up. Across 100 blog posts this year (not including this one), almost half of them – 49 to be exact – addressed the topic of security, which is undoubtedly one of the single most important focus areas for hedge funds and investment firms today. In addition to security, we covered everything from tips for starting a hedge fund to avoiding cloud mistakes to hiring for IT roles.
Looking ahead to 2015, we plan to keep the conversations tuned in to what really matters to hedge funds when it comes to technology, and we’ll share as much content as we can in as many formats as we can. But before we get too ahead of ourselves – it’s not quite 2015 yet – let’s take a look back at 10 of our most popular blog posts from 2014.
When it comes to the cost of a successful data breach, the ensuing ramifications are not limited to monetary loss. A firm’s confidential information, customer trust and overall operations are all at risk of being compromised. To protect their data and systems from cyber-attacks and breaches, it is critical that firms become as secure as possible.
Raising the Bar
Over the past year, we have witnessed more firms strengthening their security measures in an effort to comply with industry regulations as well as the SEC cybersecurity expectations. Additionally, we’ve seen an increase in frequency and sophistication of both data theft and cybercrime. A study by Risk Based Security revealed that within the first nine months of 2014 there were 1,922 data breaches reported and 904 million records exposed. Four of those incidents have made the Top Ten All time Breach List and three hacking incidents combined were accountable for nearly sixty percent of exposed records. Today, most hedge funds are aware of the severe negative effects a security breach can cause; however, gaining this knowledge may have been a tough lesson to learn.
As technology changes, it can become overwhelming to keep up with. That’s why we’ve decided to take a step back in today’s blog article to go over some of the basic vocabulary involved in cloud computing. Here are 10 terms to get you started:
Services or applications that are hosted in a web-based repository known as the “cloud”; the service is often hosted by a third-party provider who then provides access to that service to users on an on-demand basis via a network connection. This alleviates that firm from having to purchase and maintain costly infrastructure in-house.
A facility used to house computer systems and associated components, such as telecommunications and storage systems; typically includes redundant or backup power supplies, redundant communications connections, environmental controls and security features. The Update Institute classifies data centers into four tiers based on the percentage of availability and uptime.
How important is day to day communications within your company/firm? If an incident or disaster occurred today, how would your organization respond? Do you have a team or group designated to develop messages for both internal (employees, vendors, third parties, building management) and external (public, employee families, media) contacts? Have they practiced? When the pressure is on, is your organization prepared if a disaster or event suddenly puts your firm under the microscope with an onslaught of internal/external calls, questions, requests, emails, social media messages or media requests?
Crises and disasters continue to happen across borders and industries. Let’s not forget some of the more recent large scale disasters such as Hurricane Katrina, Typhoon Haiyan, Deepwater Horizon, Fukushima, Hurricane Sandy, and, of course, the ongoing major data breaches, just to name a few. That list doesn’t include more common events that may not make the major news networks such as utility failures, office fires, and systems outages. Smaller events like previously mentioned can cause minimal to significant disruption to business operations. This is why developing and practicing a variety of communications is vital in an organization’s response to an incident.
Some of these events can be predicted in advance, giving an organization time to make decisions, analyze other organization’s responses, consider impacts, and communicate a message or action. Sometimes events are sudden, such as an earthquake or active shooter. These events require immediate actions, decisions, and communications to be made. In either case - an immediate or delayed event - communication is critical to demonstrating proper leadership and providing employees with proper direction, especially if the event is centered specifically on your organization.