The following article originally appeared in HFMWeek's Cyber Compliance Focus.
It’s not enough to have strong security policies. And it’s not enough to have robust technologies in place to ward off cyber threats. In truth, it’s not even enough to have both of these.
An effective cybersecurity program, rather, can only be achieved through a consistent and comprehensive strategy that touches layers across the entirety of the organization – from perimeter security and access control to policy enforcement and employee training. Without each of these building blocks, the effectiveness of a cyber risk management program is crippled at best.
And today’s standards for cybersecurity are increasing rapidly.
Post-launch, many hedge funds and investment firms struggle to gain ground and attract the institutional capital needed to succeed in today’s competitive market. As firms grow – and bandwidth and budget are less likely to be roadblocks – it can be a challenge to reinvent the wheel and position your firm to capture institutional dollars.
During a recent webinar, speakers from EisnerAmper and Eze Castle Integration explored trends in hedge fund operational due diligence and technology operations and offered advice for asset managers looking to grow out of their startup boots and achieve an institutional grade operation. Some areas they explored during the 40-minute webinar include:
How institutional investor expectations have changed for firms at the pre-launch and post-launch phases;
The importance of (and detriment to not) passing an operational due diligence examination;
How cyber security expectations are evolving to increase standards across both technology infrastructure and policy planning;
If the public cloud is suitable for investment management firms looking to solidify institutional investments; and
Top mistakes emerging managers make that prevent successful ODD exams and institutional evolution.
Scroll down or click here to watch the replay.
As you’re probably aware, the topic of cybersecurity has been splashed prominently across headlines lately. Earlier this year, the former US director of national intelligence, James Clapper, identified cybersecurity as the top global threat.
In his testimony before the Senate Armed Services Committee, Clapper stated “I think the private sector needs to up its game on cyber security and not just wait for the government to provide perfect warning or a magic solution.” So what should you be doing to better protect your firm’s critical systems and data?
The truth is both large, well-established hedge funds and smaller startups are equally at risk of intrusion. Hackers may target large firms because they see an opportunity to profit from their substantial asset pools. Additionally, they might be after the notoriety associated with successfully hacking a well-known fund’s critical systems, especially in cases that will likely garner media attention. For smaller funds, hackers are likely after intellectual property, namely business plans, market forecasts and investment strategies.
Last week, we shared some important questions to include in hedge fund technology RFPs, focusing on Staffing, Client Service Model and User Support. In today’s article, let’s dive back into the RFP process, and look at some questions on Business Continuity & Disaster Recovery Plans, Backup & Retention of Information, Data Security and Intrusion Detection & Incident Response.
Business Continuity & Disaster Recovery Plans
Does your company have a written policy and program in place for business continuity and disaster recovery?
Have your company’s policies and programs for business continuity and disaster recovery been fully implemented? If not fully implemented, please discuss those areas in detail and explain any plans to address them.
We’ve all heard the saying, “there are no stupid questions,” but when it comes to technology it is easy to feel undereducated. Knowing what to ask a hedge fund technology provider not only makes you look smart (or smarter!) but also ensures you get the right solution.hedge fund tech guidebook
In this article we’ll look at questions around Staffing, Client Service Model and User Support for your hedge fund technology Request for Proposal. Next week we’ll give questions for DR Plans, Information Backup & Retention and Data Security.
Staffing and Skills
Provide the total number of employees (current year and past year). Please show numbers for overall staff as well as a breakdown by function (e.g., developers, client service, etc.).
Provide the number of employees gained and lost (current year and past year).
Describe the organizational structure of your company. Please detail the roles specific to your business (e.g., engineers, client managers, trainers, QA, etc.)
How many full-time employees are assigned to these particular roles, by functional and geographic split?
What is the anticipated project resource profile through the stages of the implementation process?
When it comes to cybersecurity, the list of haves and have nots is constantly evolving due to the changing regulatory and threat landscape. In case you missed it, we hosted a webinar this week on Cybersecurity Basics for Asset Managers, during which we uncovered various elements within three primary cybersecurity layers: from Tier 0 (Basic Protection) to Tier 1 (Industry Standard) to Tier 2 (Advanced Protection).
How does your firm stack up when it comes to your cybersecurity practices? Watch the replay below and find out where you fit in.
Tier 0: We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
How much security protection is enough? That’s a tough question to answer and the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers including Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list), however it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment firms must go beyond physical or virtual firewalls firms and establish a ‘Human Firewall,’ because sometimes technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into their ‘human firewall’? It has varying parts including policies, training, awareness and of course people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
2017 is already shaping up to be an interesting year. With a new presidential administration taking office and the hedge fund industry coming off the heels of a challenging year, there’s a lot to keep an eye on. We recently hosted a panel with law firm Morgan Lewis to discuss these and many other topics as part of our “2017 Outlook for Hedge Funds: Risk, Regulation and Technology” event.
Read on for some of our panel’s key takeaways.
2017 Regulatory Outlook
While little is known about how a Trump presidency will operate, there could be potential tax savings for managers depending on how the administration chooses to regulate Wall Street.
Firms should expect to see reforms with the Dodd-Frank Act and the Volcker Rule, which could add more competition into the marketplace if limits on bank investments are adjusted.
SEC Focus Areas
Top six areas of focus for the Securities & Exchange Commission will likely be: (1) expenses and fees, (2) trade allocation, (3) material non-public personal information, (4) valuation processes, (5) operating partners and due diligence, and (6) security, privacy, insider trading and business continuity.
Cybersecurity is not necessarily part of every SEC examination, however, the bar will continue to be raised in terms of preparations firms will need to employ.
In 2016, the SEC provided additional guidance on business continuity and transition plan requirements, highlighting the need for hedge fund and financial firms to maintain their fiduciary responsibility to their clients and investors.
Operational due diligence meetings have become impactful moments for hedge funds to impress both current and potential investors. Firms have the ability to answer questions, alleviate fears and market themselves in a one-on-one setting that affords more opportunity than a completed due diligence questionnaire and an up-to-date performance sheet.
But how can today’s hedge funds truly set themselves apart and impress investors during these ODD meetings? Here are five ways:
1. Demonstrate your knowledge of and commitment to regulatory compliance.
Increasing regulatory oversight of investment firms has been a consistent trend over the course of the last few years, and it can be a challenge for hedge funds to keep abreast of changing legislation and regulator expectations. Disclosure and reporting requirements under the Investment Advisers Act of 1940, record-keeping requirements under the Dodd-Frank Act, and growing cybersecurity recommendations as part of the SEC’s ongoing inquiry are just a few of the initiatives to keep track of. But demonstrating to investors that your firm has knowledge of these regulations and takes them seriously will serve you well.
Whether your firm is compliant to the SEC, FINRA, NFA, CFTC, FCA – phew! – or another regulatory body, it’s imperative that you take the time to fully understand your firm’s legislative requirements and, in writing, show investors your level of preparedness. For example, if you’re a registered investment adviser with the SEC, are you aware of the proposed rule that would require firms to implement business continuity and transition plans? Have you compiled a document that outlines the SEC’s 28 points identified in its cybersecurity risk alert? Coming to your next investor due diligence meetings with this knowledge and the appropriate documentation will demonstrate that you take regulatory compliance seriously and are equipped to comply with the necessary requirements facing your organization.