Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
How much security protection is enough? That’s a tough question to answer and the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers including Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list), however it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment firms must go beyond physical or virtual firewalls firms and establish a ‘Human Firewall,’ because sometimes technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into their ‘human firewall’? It has varying parts including policies, training, awareness and of course people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
2017 is already shaping up to be an interesting year. With a new presidential administration taking office and the hedge fund industry coming off the heels of a challenging year, there’s a lot to keep an eye on. We recently hosted a panel with law firm Morgan Lewis to discuss these and many other topics as part of our “2017 Outlook for Hedge Funds: Risk, Regulation and Technology” event.
Read on for some of our panel’s key takeaways.
2017 Regulatory Outlook
While little is known about how a Trump presidency will operate, there could be potential tax savings for managers depending on how the administration chooses to regulate Wall Street.
Firms should expect to see reforms with the Dodd-Frank Act and the Volcker Rule, which could add more competition into the marketplace if limits on bank investments are adjusted.
SEC Focus Areas
Top six areas of focus for the Securities & Exchange Commission will likely be: (1) expenses and fees, (2) trade allocation, (3) material non-public personal information, (4) valuation processes, (5) operating partners and due diligence, and (6) security, privacy, insider trading and business continuity.
Cybersecurity is not necessarily part of every SEC examination, however, the bar will continue to be raised in terms of preparations firms will need to employ.
In 2016, the SEC provided additional guidance on business continuity and transition plan requirements, highlighting the need for hedge fund and financial firms to maintain their fiduciary responsibility to their clients and investors.
Categorized under: Security Cloud Computing Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Outsourcing Infrastructure Business Continuity Planning Trends We're Seeing
Operational due diligence meetings have become impactful moments for hedge funds to impress both current and potential investors. Firms have the ability to answer questions, alleviate fears and market themselves in a one-on-one setting that affords more opportunity than a completed due diligence questionnaire and an up-to-date performance sheet.
But how can today’s hedge funds truly set themselves apart and impress investors during these ODD meetings? Here are five ways:
1. Demonstrate your knowledge of and commitment to regulatory compliance.
Increasing regulatory oversight of investment firms has been a consistent trend over the course of the last few years, and it can be a challenge for hedge funds to keep abreast of changing legislation and regulator expectations. Disclosure and reporting requirements under the Investment Advisers Act of 1940, record-keeping requirements under the Dodd-Frank Act, and growing cybersecurity recommendations as part of the SEC’s ongoing inquiry are just a few of the initiatives to keep track of. But demonstrating to investors that your firm has knowledge of these regulations and takes them seriously will serve you well.
Whether your firm is compliant to the SEC, FINRA, NFA, CFTC, FCA – phew! – or another regulatory body, it’s imperative that you take the time to fully understand your firm’s legislative requirements and, in writing, show investors your level of preparedness. For example, if you’re a registered investment adviser with the SEC, are you aware of the proposed rule that would require firms to implement business continuity and transition plans? Have you compiled a document that outlines the SEC’s 28 points identified in its cybersecurity risk alert? Coming to your next investor due diligence meetings with this knowledge and the appropriate documentation will demonstrate that you take regulatory compliance seriously and are equipped to comply with the necessary requirements facing your organization.
Due to changes in the cyber security landscape, traditional firewalls on the port level are no longer effective at managing traffic. Malicious traffic has the capacity to enter any open port, which provides great risk to firm security. Next-generation firewalls work further than port-based firewalls by adding application inspection and intrusion prevention. Next generation firewalls have the ability to scan traffic as it enters and leaves the network, therefore stopping potential threats.
Eze Castle Integration is increasingly implementing Palo Alto next-gen firewalls for our hedge fund and alternative investment firm clients. Palo Alto is not only a next generation firewall but it is also the market leader based upon ratings, support, pricing and overall performance. A Palo Alto firewall has the ability to detect what traffic is doing and immediately stop threats from spreading by distributing protection.
Unknown traffic is analyzed by Palo Alto Wildfire, where new threats are identified and protections are simultaneously developed. Upon the discovery of an unknown threat, the threat is not only blocked but updates are sent to all global subscribers within five minutes to be able to stop them from spreading. Due to this feature each threat and its variants are blocked without having to go through the analysis process again. Through Wildfire information is also fed through a filter which allows for automatic blocking of any correlated threats.
Older port-based models do not detect what traffic is doing, therefore allowing threats to port hop until they find an open port in which they can enter. Viruses are not port specific and can therefore utilize any port. Without analyzing what traffic is doing threats can easily bypass a port-based model.
The current threat landscape is such that security threats are more likely to arise from within your network as opposed to external sources. Internal users opening malicious emails or becoming victims of phishing schemes are now preferred methods for attackers. The next generation capabilities of the Palo Alto firewalls allow for deep application level inspection to detect and thwart these threats from opening backdoors to your network.
Additional Advantages of Next Generation Firewalls
All-in-one functionality: Next-generation firewalls bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering.
On occasion, hedge fund C-level execs don’t see eye to eye. It’s inevitable. One such topic of occasional discord is outsourced IT. Chief technology officers (CTOs), for example, are immersed in every level of technology, from applications to security to disaster recovery, and they have a vested interest in concerns from user experience to business continuity and beyond.
Meanwhile, chief financial officers (CFOs) must focus on the bottom line, factoring in the cost-benefit of new technologies and projects. Elsewhere in the C-suite, the chief operating officer (COO) is looking at opportunity costs and asking key questions including if the CTO is managing day-to-day IT “plumbing,” which strategic projects are getting pushed aside?
Following is an excerpt from a whitepaper we recently published looking at various C-level perspectives on IT outsourcing – including where certain executives may differ on its value, where those same executives can agree, and ultimately why outsourcing IT and using the cloud sets alternative investment firms up for success. DOWNLOAD THE FULL PAPER HERE.
The cloud point-counterpoint
Based on investor comfort, the SEC’s increased scrutiny of cybersecurity practices and the impact of legislation like the Dodd-Frank Act, moving to private cloud services seems like a no-brainer. The cloud creates a far more cost-efficient and effective way for alternative investment firms to improve security and manage day-to-day IT demands. So why the conflict between CFOs/COOs and CTOs?
Total Control Comes with Risks
One reason for the conflict is that CTOs want to retain control, and understandably so. Outsourced security measures may seem opaque compared to the control they impart – it is tempting to believe that no third party could be as invested in system resiliency (i.e. disaster recovery) and security as the firm itself.
The reality is that most CTOs are so tasked for time and money that they cannot maintain complete control over their environments. The burden of ensuring continuous, reliable and secure operations is difficult even for large enterprises that have vast time and budgets and potentially unsurmountable for smaller teams. Often only the largest firms can adequately invest in and manage the layers of security necessary to defend against growing cybersecurity threats.
In seeking to retain control, CTOs are limiting their options. Embracing the idea of cloud-based services expands the CTO’s team, provides greater redundancies and enables more cost efficiencies. Most importantly, it lets the CTO focus on priority IT projects that enhance and improve the company’s bottom line.
CTO’s Role is Evolving
Procuring, maintaining, testing and upgrading adequate technology on-premise is out of reach for most alternative investment firms. It is also becoming an antiquated strategy. Today’s progressive CTOs are increasingly drawing on cloud technology to create agile firms that can quickly deliver the applications users require.
CFOs/COOs must recognize the valuable business knowledge and insights the CTO can insert into functions including risk management, product development, operations and innovation. CTOs must understand where they can deliver functional results and utilize the cloud as an IT-enabler for the firm.
As the CTO’s role evolves, so does the entire IT team. Too often in-house IT teams are allocating valuable time to reacting to IT issues and troubleshooting rather than proactively solving user issues or addressing regulatory mandates.
Outsourcing Has a Track Record
CFOs and COOs have the advantage of positive experiences with outsourcing. Many have used third-party providers for functions like payroll, accounting or even hiring, so it’s not surprising that they tend to be more comfortable with bringing in cloud service providers to deliver more efficiencies and dedicate focus to revenue-producing activities.
To wrap up and round out our 6-week Risk Outlook Webinar Series, we spoke with John Cotronis, Executive Director at JP Morgan, about hedge fund risk management and governance. Specifically, he addressed the following questions:
What have you observed in recent years in terms of changes affecting hedge funds – particularly at the startup phase?
Have you noticed a marked shift in the importance managers are placing on risk?
Do the firms you typically engage with have staff on hand to manage risk – compliance officers, etc.?
In terms of corporate governance, where do you see investment firms excelling when it comes to implementing risk management controls and also fostering a culture of risk management across the firm?
Let’s talk a little bit about counterparty risk. What kind of criteria are you looking for that indicates to you a provider has the right risk management framework and best practice structure to support your clients?
A lot has gotten tougher for firms, particularly on the investment side with capital raising, also with regulatory reporting, etc. What areas of operations do you think have gotten easier for hedge funds over the years?
What is your assessment of outsourcing risk – is it higher or lower than managing various functions in-house?
As our Risk Outlook Series continues, we recently spoke with John Araneo, Partner at Cole-Frieman & Mallon LLP in New York, about many of the regulatory risks facing hedge funds today, including compliance, expense allocations and cybersecurity. Continue reading for a brief synopsis or scroll down to watch our webinar replay below.
How would you describe the current regulatory climate for fund managers and investment advisers?
For hedge fund managers and investment advisers, the regulatory expectations have never been higher. Looking ahead to 2017, managers and advisers should expect the challenge of having to navigate potentially seismic regulatory changes - each of which has the potential to complicate business practices and add to the cost and complexity of compliance.
How should clients prepare to react to these changes?
It’s a top-down approach that all comes down to compliance. A culture of compliance is no longer a lofty goal or a cliché; it is now a regulatory expectation. There needs to be a robust compliance program, actual implementation, and accountability. Clients should be prepared and able to effectively manage the SEC examinations. Managers need to take time to understand regulatory priorities and expectations before an exam.
What is the current regulatory regime's appetite for outsourcing the compliance function?
There is no requirement for firms to employ a full-time person to service compliance. However, the worries about outsourcing certain functions, particularly the compliance officer function, may lead to weakened compliance culture. The opportunity of outsourcing creates a gap between the compliance function and the operations, decision makers and day-to-day activities. Outsourcing can be effective and sufficient, but management needs to resist setting it and forgetting it.
With October being cybersecurity awareness month it is an important time to ensure your firm and employees are aware of and using best practices, and security policies and procedures. Risk mitigation is needed to protect both the firm and its employees from savvy hackers and attacks. Data breaches continue to wreak havoc on businesses, and the cost is continuously rising. According to the Ponemon Institute, the total average cost of a data breach is now $4 million, up from $3.8 million in 2015. Hackers have everything to gain while your firm bears reputational and operational harm.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. To get started here are just a few pieces of advice we offer our investment firm clients and remember to not only inform employees on what to do, but also what not to do.