One of the first questions on the SEC’s cybersecurity questionnaire for financial firms asks firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often. Clearly the goal behind this question is to ensure that firms are taking a proactive approach to security. But what exactly does this assessment entail?
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
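The classification and prioritization steps above are usually the least automated part of an assessment, so here is an added example (not code from the original post or from any scanner vendor) of how scan findings can be bucketed by severity and ordered for remediation. The findings, host names and scores are constructed sample data; the severity bands follow the CVSS v3 qualitative rating scale, and the "internet-facing first" ordering is an assumption that matches the external focus described in the text.

```python
"""Added example: triage of external vulnerability-scan findings.

The sample findings below are constructed for illustration and are not the
output of any real scanner.  Severity bands follow the CVSS v3 qualitative
scale: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str             # system identified in the inventory step
    port: int
    issue: str            # plain-language description from the scan
    cvss: float           # CVSS v3 base score reported by the scanner
    internet_facing: bool # exposure flag from the network inventory


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def classify(findings):
    """Group findings by severity band (the classification step)."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[severity(f.cvss)].append(f)
    return dict(buckets)


def prioritize(findings):
    """Order remediation work (the recommendation step).

    Within a severity band, internet-facing hosts come first, then the higher
    CVSS score; the host name is a final tie-breaker so reports are stable.
    """
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}
    return sorted(
        findings,
        key=lambda f: (order[severity(f.cvss)], not f.internet_facing, -f.cvss, f.host),
    )


# Constructed sample findings (hypothetical hosts and issues).
SAMPLE_FINDINGS = [
    Finding("mail.example.test", 25, "Outdated SMTP software version", 2.1, True),
    Finding("vpn.example.test", 443, "TLS library with memory disclosure flaw", 7.5, True),
    Finding("fileserver.internal", 445, "SMBv1 enabled", 8.8, False),
    Finding("web.example.test", 443, "Unauthenticated remote code execution", 9.8, True),
    Finding("printer.internal", 9100, "Unauthenticated print service", 5.3, False),
]


def remediation_report(findings=SAMPLE_FINDINGS):
    """Return one report line per finding, highest priority first."""
    lines = []
    for f in prioritize(findings):
        exposure = "external" if f.internet_facing else "internal"
        lines.append(f"[{severity(f.cvss)}] {f.host}:{f.port} ({exposure}) - {f.issue}")
    return lines


if __name__ == "__main__":
    for line in remediation_report():
        print(line)
```

Note that the ordering deliberately places an internet-facing High finding ahead of an internal one with a higher score; that weighting is a policy choice a firm should document in its risk assessment summary rather than leave implicit.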
We continue to speak with clients and prospects on a regular basis on the topic of cybersecurity, and with the expectation that the SEC will start security exams sometime around September, it’s evident that firms are working diligently to answer the questionnaire and shore up internal practices.
To continue fostering education around this topic, we hosted two events last week dedicated to cybersecurity for hedge funds and investment firms. For your convenience, you can read a brief recap of some of the key topics discussed or scroll down to watch our full webinar replay.
Cybersecurity a Hot Topic on State & Federal Level
By now, we all know the SEC has taken steps to assure that hedge funds and investment advisers put security mechanisms and practices in place to protect against cyber threats. SEC Commissioner Luis Aguilar said there is “substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.” Even beyond the federal level, some states are chiming in on the cybersecurity front. Earlier this month, Massachusetts and Illinois acknowledged that they were polling investment advisers about their security practices, and that based on responses, state regulations could be impacted.
Hedge funds have known for some time the importance of effective cybersecurity, and regulation increasingly enforces this as a requirement. For any practice to be effective, however, there are a number of factors which need to be considered prior to implementation. Eze Castle’s Lisa Smith recently sat down with HFMWeek Magazine to talk about how to meet and understand the new cybersecurity guidelines advised by the SEC. Following is an excerpt of the article.
The SEC's cybersecurity questionnaire sets the framework and best practices for the financial industry. When you consider the type of information that hedge funds are handling on a day-to-day basis, it's really important that they have security controls in place. The questionnaire is a way for the SEC to ensure that hedge funds, private equity and investment management companies are taking security controls seriously and are aware of what's in place for their company.
HFMWeek (HFM): Within the sample SEC cybersecurity request document, questions were divided into five categories. What is the SEC looking for in these categories?
Lisa Smith (LS): Identification of risk in cybersecurity governance - this involves an analysis of what's in place. So for instance - when I conduct a business assessment I'll focus on what's currently in place versus what should be in place in accordance with the recommendations from the SEC. Anything that is not in place that should be goes into our risk assessment summary and is categorized as low, medium or high. It's about ensuring that hedge funds have certain controls and security policies in place to protect their environment and data.
As your firm evaluates moving to the cloud – as most firms today will inevitably do – your list of priorities will likely include:
Regulatory and investor impact
Migration plans and operational effects
Hardware disposal and infrastructure changes
But another critical business area your firm should put some thought into is the effect of the cloud movement on your internal IT department (assuming you have one). What exactly happens to a firm’s IT team once it moves operations into a cloud environment? Is there still value in maintaining an in-house staff?
The simple answer is ‘yes,’ but the day-to-day responsibilities for those staffers may not look quite the same post-cloud. With a fully managed service provider, everyday management is typically taken care of – leaving internal resources with a lot more time on their hands. But that doesn’t mean there’s no longer a need for an IT department.
Earlier this month alongside KPMG, we hosted a seminar in New York on “The Transformation of IT and Hedge Fund Operations.” We asked experts to examine the changes impacting hedge funds today and the future of this industry transformation. Our distinguished panel included Vinod Paul, Managing Director, and Steve Schoener, Vice President, at Eze Castle Integration, John Budzyna, Managing Director, and Dave Messier, Director, at KPMG, Timothy Ng, Managing Principal at Clearbrook Global Services, Jon Anderson, Global Head of OTC Derivatives at SS&C GlobeOp and Sheldon Rubin, COO/CFO/CCO at S Squared Technology LLC.
Below is a brief recap of the topics discussed during the lively event. To listen to the full audio podcast of the event, click here.
What do you see as the greatest transformation the hedge fund industry has undergone or is currently in the midst of?
There is more acceptance of outsourcing. Many firms are leveraging outsourced service providers for front office support, for example, and leaving their in-house departments to focus on the core business.
Many firms starting today don’t even consider building out a middle and back office – they immediately look to outsourcing. The quality and opportunities provided by outsourced service providers, including administrators, are much better than they have ever been before.
The following article is part of our Emerging Managers Insight Article Series. Read more articles from the Series HERE.
What are the keys to starting a hedge fund? How does an emerging manager ensure success in a constantly-changing world of legal and regulatory guidelines, increasing investor expectations and evolving technology platforms?
In order to answer these questions, Asset TV and the Hedge Fund Association recently gathered an expert panel for a video roundtable focused on hedge fund startups. Our own Managing Director, Vinod Paul, was featured on the panel, along with experts from The Kingdom Trust Company, Eisner Amper LLP, and Thompson Hine LLP. Watch the video below to learn more about a variety of topics important to new fund launches, including:
Technology Infrastructure Priorities
Dodd-Frank & Regulatory Requirements
Cybersecurity is one of the hottest buzzwords in the industry right now – but it’s also a serious concern for hedge funds and investment firms. So much so that the Securities and Exchange Commission has taken formidable steps in 2014 to assess the cybersecurity landscape and provide guidance to registered broker dealers and investment advisers around what policies and technical safeguards should be in place to protect them.
With so much information being shared and so many industry changes around this topic, we asked our cybersecurity experts – Steve Schoener and Lisa Smith – to talk us through what’s happening in the world of hedge fund cybersecurity and provide direction for firms looking to comply with the SEC’s latest guidelines. Following is a brief recap of a webinar we held earlier this week doing just that. To watch the full replay of the event, click here.
Industry Update: How did we get here?
Before we dive into what expectations the SEC has for registered firms in regards to their cybersecurity practices, let’s first take a look at how we got to this point. Among the host of high-profile security incidents we’ve seen dominate the news of late, these few resonate the most:
Dec 2013: Target data breach results in customers’ personal data stolen
Feb 2014: CryptoLocker ransomware holds data hostage
April 2014: Heartbleed vulnerability poses potential data exposure threat
April 2014: Internet Explorer vulnerability puts technology at risk, leaves PCs open to being hacked
As a result of these and other security concerns, the SEC has taken steps to ensure hedge funds and investment firms are prepared for the next incident. In a Risk Alert issued last month, the SEC announced it will perform examinations of at least 50 registered firms and also provided a lengthy sample questionnaire for firms to use as a guide in their preparations. The seven-page document addresses various aspects of a firm’s technical infrastructure and corporate policies and sets expectations that firms should meet a set of standard criteria in order to comply with the new guidelines.
Regulatory oversight, competition for assets and investor due diligence concerns have left investment management firms with more pressure than ever to succeed. And technology innovations like the cloud have turned the traditional hedge fund operations model on its head. The questions remain: how do fund managers evolve in 2014 and meet the increasing demands of the financial services industry? And how do firms compete with the incoming crop of new launches that continue to emerge and vie for investor allocations?
The following presentation takes a closer look at these key transformations within the hedge fund industry and examines the shift firms are making from traditional, on-premise IT infrastructures to cloud-based platforms. It also highlights managed disaster recovery services and offers best practices for security in the cloud.
Take a look, and if you can, join us in New York on Tuesday, May 6 as a panel of experts discusses these topics and more at our Transformation seminar.
It has been said that cyber weapons can be as dangerous as weapons of mass destruction. To emphasize this, at last night’s FBI Citizens Academy seminar on cyber security in financial markets, the speaker noted that if you take out an industry (think financial, telecom) you can cripple an entire country.
But just how would this happen? What’s in a hacker’s tool kit? Quinn Shamblin, executive director of information security at Boston University, provided a glimpse into the cyber security underworld.
Targeting Your Favorite Device
Let’s start with Mobile Device Security. Hackers are shifting their focus and resources to mobile devices. They recognize that a user’s life is virtually encapsulated on his/her mobile device. From contacts and email to documents, passwords and banking apps, mobile devices now hold as much as or more personal information than PCs or laptops. And most devices do not have anti-virus/anti-malware software installed.
Just last Friday, Apple released a critical update to its iOS 7 operating system after a flaw was identified that could give an attacker with a privileged network position the ability to capture or modify data in sessions protected by SSL/TLS (the public-key-based encryption that secures web and app traffic). Following that announcement, researchers at a cyber security firm (FireEye) published a proof of concept for a surveillance app that, if created and distributed by hackers, could capture every tap on an iPhone’s screen. The information captured, including passwords and credit card numbers, would be accessible to the attacker. These are just two examples of the cyber security threats facing mobile devices. Users need to be aware that these threats exist and practice smart computing on all devices.
The results from our Global Hedge Fund Technology and Operations Benchmark Study are in and here is a snapshot of the 2013 findings. You can find the complete report here. We surveyed 538 buy-side firms across the United States, UK and Asia in order to discover their front, middle, and back office technology and application preferences.
All survey respondents fell into the following categories within the financial industry: hedge fund (60%), asset/investment manager (13%), private equity firm (8%), fund of hedge fund (5%), non-financial firm (5%), advisory firm (1%), broker dealer (1%), venture capital firm (1%), quant fund (1%), or ‘other’ (3%).
The firms fell into three AUM brackets: 30 percent reported their AUM as $100 million and under; 32 percent fell between $101 million and $500 million; and 38 percent reported over $500 million in assets under management.
In regards to investment strategy, long/short equity continues to dominate as the most favorable with 45 percent of respondents reporting this to be their primary investment strategy. Other preferred strategies include fixed income (8%), credit (7%), global macro (6%), emerging markets (6%), distressed debt (5%), and event driven (4%). The top prime brokers employed by firms in 2013 are Goldman Sachs, Morgan Stanley, Credit Suisse, JP Morgan and UBS (same as last year).