In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep focused on written documentation for their assessment and conducted "limited testing" of the accuracy of the responses. They did not review the technical sufficiency of the firms’ programs either. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
Most firms adopted written information security policies, but 43% of advisers did not conduct periodic audits to determine compliance with these information security policies and procedures.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Plans (WISP) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
HFMWeek Catches Up with Eze Castle Integration’s Managing Director, Vinod Paul, To Discuss How Technology Can Help Tackle the Challenges Facing Hedge Fund Start-up Firms.
HFMWeek (HFM): Are you seeing a healthy market for new hedge fund launches in the US?
Vinod Paul (VP): 2013 and 2014 were very strong years for start-ups in the US. Our US pipeline is also quite healthy for 2015 in terms of start-ups, which is a little different to Europe, where there aren’t as many launches. In terms of overall US business, 50% of the clients we brought on in 2014 were start-ups; this is up from 40% in 2013. There are several factors that have contributed to this, some that we cannot control, such as how the wider market performs. Institutional money coming back into the market is causing some of the start-up activity. Many of the start-ups we have been able to bring on were funded by larger institutions. HFM: How are today’s start-up funds different than those from five years ago?
This article originally appeared on TABBforum and was contributed by Steve Schoener, senior vice president of client technology at Eze Castle Integration.
Cybersecurity certainly made its mark on the hedge fund and alternative investment industry in 2014. Threats consistently increased in frequency, sophistication and form. With the release of the SEC’s Cybersecurity Risk Alert this past April, firms were forced to react swiftly and leave their outdated security practices behind. 2014 was a reactive year for hedge funds, but we envision a shift in trends for 2015.
Prior to heightened regulations and detailed due diligence and IT security questionnaires, the majority of financial firms were drawing their curtains closed when it came to facing the reality of the threat landscape. But it was only a matter of time until businesses no longer could turn a blind eye to threats and investors knocking at their front doors.
Over the past year we have witnessed an unceasing number of cyber-attacks and potential threats, as well as heightened security regulations placed upon hedge funds. Consequently, we’ve all read the headlines and best practices guidelines when it comes to cybersecurity. While these resources are all helpful, there is an untapped core that lies beneath this hot topic’s surface layer. That is, the ever-evolving future and forthcoming trends for hedge fund information security. So what do we at Eze Castle Integration forecast for cybersecurity in 2015?
It’s officially 2015! With the New Year upon us it is important to set new goals for the future. In today’s post, we offer five resolutions hedge funds should consider to help pave the pathway for another prosperous year.
Resolution #1: Prepare for Cybersecurity
In 2014, hedge funds were revamping their IT policies and upgrading their methods of preventing, detecting and responding to cyber threats. However, this push to overhaul and enhance security was largely reactive to the several breaches we witnessed in 2014. Among those companies affected were Sony, Target, JP Morgan Chase and Home Depot. In 2015, we predict cybersecurity will remain at the forefront of headlines. That being said, hedge funds should prepare ahead of time and have detailed information security policies in place.
Resolution #2: Avoiding Common Cloud Mistakes
When it comes to hedge fund operations and technology, there is no margin for error. Common mistakes range from not sizing bandwidth adequately to business needs to not planning proactively for applications and assuming deep security safeguards are in place. Hedge funds that take the proper precautions and do their research when cloud shopping save themselves from preventable stress and inflated issues down the road.
It’s been quite a year, and as always, it’s hard to believe it’s over. In 2014, Hedge IT continued to thrive in its goal to provide advice and insight into hedge fund technology and operations. The financial services industry is evolving at a rapid pace, and we’re evolving our topics and conversations to keep up. Across 100 blog posts this year (not including this one), almost half of them – 49 to be exact – addressed the topic of security, which is undoubtedly one of the single most important focus areas for hedge funds and investment firms today. In addition to security, we covered everything from tips for starting a hedge fund to avoiding cloud mistakes to hiring for IT roles.
Looking ahead to 2015, we plan to keep the conversations tuned in to what really matters to hedge funds when it comes to technology, and we’ll share as much content as we can in as many formats as we can. But before we get too ahead of ourselves – it’s not quite 2015 yet – let’s take a look back at 10 of our most popular blog posts from 2014.
When it comes to the cost of a successful data breach, the ensuing ramifications are not limited to monetary loss. A firm’s confidential information, customer trust and overall operations are all at risk of being compromised. To protect their data and systems from cyber-attacks and breaches, it is critical that firms become as secure as possible.
Raising the Bar
Over the past year, we have witnessed more firms strengthening their security measures in an effort to comply with industry regulations as well as the SEC cybersecurity expectations. Additionally, we’ve seen an increase in frequency and sophistication of both data theft and cybercrime. A study by Risk Based Security revealed that within the first nine months of 2014 there were 1,922 data breaches reported and 904 million records exposed. Four of those incidents have made the Top Ten All time Breach List and three hacking incidents combined were accountable for nearly sixty percent of exposed records. Today, most hedge funds are aware of the severe negative effects a security breach can cause; however, gaining this knowledge may have been a tough lesson to learn.
As technology changes, it can become overwhelming to keep up with. That’s why we’ve decided to take a step back in today’s blog article to go over some of the basic vocabulary involved in cloud computing. Here are 10 terms to get you started:
Services or applications that are hosted in a web-based repository known as the “cloud”; the service is often hosted by a third-party provider who then provides access to that service to users on an on-demand basis via a network connection. This alleviates that firm from having to purchase and maintain costly infrastructure in-house.
A facility used to house computer systems and associated components, such as telecommunications and storage systems; typically includes redundant or backup power supplies, redundant communications connections, environmental controls and security features. The Update Institute classifies data centers into four tiers based on the percentage of availability and uptime.
How important is day to day communications within your company/firm? If an incident or disaster occurred today, how would your organization respond? Do you have a team or group designated to develop messages for both internal (employees, vendors, third parties, building management) and external (public, employee families, media) contacts? Have they practiced? When the pressure is on, is your organization prepared if a disaster or event suddenly puts your firm under the microscope with an onslaught of internal/external calls, questions, requests, emails, social media messages or media requests?
Crises and disasters continue to happen across borders and industries. Let’s not forget some of the more recent large scale disasters such as Hurricane Katrina, Typhoon Haiyan, Deepwater Horizon, Fukushima, Hurricane Sandy, and, of course, the ongoing major data breaches, just to name a few. That list doesn’t include more common events that may not make the major news networks such as utility failures, office fires, and systems outages. Smaller events like previously mentioned can cause minimal to significant disruption to business operations. This is why developing and practicing a variety of communications is vital in an organization’s response to an incident.
Some of these events can be predicted in advance, giving an organization time to make decisions, analyze other organization’s responses, consider impacts, and communicate a message or action. Sometimes events are sudden, such as an earthquake or active shooter. These events require immediate actions, decisions, and communications to be made. In either case - an immediate or delayed event - communication is critical to demonstrating proper leadership and providing employees with proper direction, especially if the event is centered specifically on your organization.
The results from our Global Hedge Fund Technology and Operations Benchmark Study are in and here is a snapshot of the 2014 findings. You can find the complete report here. We surveyed 279 buy-side firms across the United States, United Kingdom and Asia in order to discover their front, middle, and back office technology and application preferences.
Respondent Profile[Hedge Funds by Type]All survey respondents fell into the following categories within the financial industry: hedge fund (58%), asset/investment manager (13%), private equity firm (3%), fund of fund (3%), and family office (3%). Additionally, 13 percent fell into an ‘other’ category, which included financial firm types such as venture capital, advisory, fund management, quant and wealth management.
Firms surveyed fell into three asset groups: thirty-three percent (33%) reported their assets under management (AUM) as less than $100 million; twenty-eight percent (28%) fell between $101 and $500 million; and the majority (39%) reported over $500 million AUM.
In regards to investment strategy, long/short equity continues to dominate as the most favorable with 50 percent (50%) of respondents reporting this to be their primary investment strategy. Additional preferred strategies include credit (8%), fixed income (6%), emerging markets (5%), event driven (4%), and distressed debt (3%). Twenty-four percent (24%) of firms fell into an “Other” category that included a wide variety of investment strategies such as commodities, derivatives, merger arbitrage, relative value, securities, global macro, and long only. In 2014, the top primes employed by firms are Goldman Sachs, Morgan Stanley, JP Morgan, Credit Suisse and UBS (same as 2013 results).
In it's fourth year running, our Global Hedge Fund Technology Benchmark Study reveals the top technology systems and applications used by investment management firms around the world. And while we aren't due to officially release the results until tomorrow - register for our webinar to hear them live - we thought we'd share a little sneak peek in the form of an infographic.
Take a look below and discover how your hedge fund and investment management firm peers are using technology to power their firm operations.
Categorized under: Hedge Fund Due Diligence Launching A Hedge Fund Cloud Computing Security Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Software Trends We're Seeing Videos And Infographics