In today’s competitive market, research management software (RMS) has become a must-have integrated feature for investment management firms. Significant benefits offered via RMS have caused a ripple effect of soaring adoption rates across the global investment industry. In this article we’ll examine how adopting a research management solution could benefit your firm.
With offices, colleagues and clients spread across the world, firms need to consolidate data in an organized fashion. From meeting and call notes to audits and analyst reports, the demand for readily accessible information is ever growing. Storing information within multiple programs and folders not only welcomes disorder and distraction in the workplace, but also increases costs and wastes valuable time. This outdated method of aggregating data has been replaced with advanced RMS, a much more viable, flexible and comprehensive solution. Hosting a firm’s data within a user-friendly, central repository simplifies processes, optimizes productivity and uncovers new business opportunities. When selecting an RMS, managers may consider a generic or industry-specific product. While both options present benefits, the latter assimilates seamlessly with an investment firm’s daily workflows, terminology and diverse range of data. An ideal RMS will also offer customization and accessibility, and will integrate with other applications, such as Outlook.
On December 9, 2015, Wells Fargo Prime Services and Eze Castle Integration hosted a panel on cybersecurity to discuss the current landscape. The panel featured leading industry experts including:
Eldon Sprickerhoff, Founder & Chief Security Strategist, eSentire
Stuart Levi, Partner, New York, Skadden, Arps, Slate, Meagher & Flom LLP
Vinod Paul, Managing Director, Eze Castle Integration
Timothy O’Brien, Supervisory Special Agent, Cyber Branch, Federal Bureau of Investigation – New York Office
Marc P. Berger, Partner, Government Enforcement, Ropes & Gray LLP
Marc Berger’s opening statements emphasized the extent of the cybersecurity threat currently facing firms across a wide swath of industries. He quoted FBI Director James Comey, who stated: “There are two kinds of big companies in the United States. There are those who’ve been hacked … and those who don’t know they’ve been hacked ….” (FBI Director James B. Comey, 60 Minutes, CBS TV Interview, October 5, 2014). Alarming statistics from the Ponemon Institute’s 2015 Cost of Cyber Crime Study, conducted with HP Enterprise Security, found that the average cost to resolve a single cybersecurity incident is $1.9M, and the average time to resolve is 46 days. Perpetrators range from nation-state-sponsored hackers and disgruntled/rogue employees to organized crime units, activists, and other thieves.
A new year brings new excitement and new ambition. Across the hedge fund and alternative investment industry, firms are devising new strategies and implementing plans to drive growth and increase returns. In 2016, we expect the following industry trends will play a role in shaping many of the decisions hedge funds and other investment management firms make.
Hedge Fund Cybersecurity 2.0
Last year, cybersecurity took center stage across the investment community, and there is little doubt that it will continue to dominate in 2016. If we can assume that firms used 2015 to shore up security practices and have, at minimum, established a baseline for protecting firm assets with firewalls, password protections and penetration testing, we can expect 2016 to take cyber preparedness to the next level. That means advanced features and analytics, including phishing and social engineering tests designed to raise the level of preparedness among firm employees. With cyber-attacks increasing in sophistication, firms will need to spend time in 2016 working with managed providers and internal IT teams to continue the education process and identify strategies to outsmart hackers.
Happy New Year! Here at Hedge IT, we’re looking forward to sharing more educational articles with you in 2016, but before we do, let’s take a look back at our readers’ favorite articles from last year.
Cybersecurity Regulations Take Center Stage
The Securities and Exchange Commission took major strides to regulate investment firm cybersecurity practices in 2015, with the release of multiple guidance updates (Click for the September 2015 update). At a high level, the SEC has identified the following six areas as paramount for investment firms to demonstrate preparedness:
In December 2015, we participated in a Wells Fargo Prime Services cybersecurity event and the panelists outlined everything your hedge fund needs to know about the SEC’s security expectations. Read “SEC Cybersecurity Checklist: 6 Areas Your Hedge Fund Better Have Covered” for the full scoop.
Earlier this week we presented at a Wells Fargo Prime Services breakfast briefing on cybersecurity. During the discussion, Stuart Levi of Skadden reminded attendees that the SEC has clearly defined (and communicated) its cybersecurity expectations. He recapped the following six areas advisers must have covered to demonstrate preparedness to regulators.
1. Risk Assessments
4. Access Control
5. Vendor Management
6. Information Sharing
Here's Eze Castle Integration's take on these focus areas:
#1 Risk Assessments
The April 2015 SEC Cybersecurity Guidance Update goes deeper into risk assessments expectations. Here are some key cyber risk assessment takeaways:
Define what confidential data is and determine how it's protected.
You must also understand where your data is located, how it is collected and who and what technology systems have access to it.
Registered investment advisers should have a clear understanding of the threat landscape, including potential internal and external risks as well as unique vulnerabilities specific to the firm. Evaluate a variety of potential scenarios as well as their likelihood to occur.
Once firms understand the risks facing their organization, they must conduct assessments of the existing controls and processes to ensure they account for the risk landscape and put the appropriate safeguards in place.
Be sure to understand the potential impacts of various cyber risk scenarios and outline specific protocols for incident response and quick resolution. The impact of cybersecurity incidents can range from financial to technological to reputational.
Finally, testing and assessing the governance structure, including administrative and technical safeguards, is key to ensuring effectiveness.
Gone are the days of management simply outsourcing responsibility to third-party experts and trusting them blindly. Telling the SEC, “we hired the best security consultant,” won’t cut it. Today management must understand their firm’s security posture and be able to outline the safeguards that are in place to minimize risk.
Additionally, management must instill the importance of security preparedness in all employees by making it a top-down priority.
On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert providing additional guidance on key focus areas for round two of its cybersecurity examinations. Specifically, OCIE stated that exams will “involve more testing to assess implementation of firm procedures and controls.” The Commission intends to focus on the following areas as a means to collect information on cybersecurity-related controls and assess the controls in place at firms:
Governance and Risk Assessment: According to the Alert, OCIE may evaluate the governance and risk assessment process for areas including, but not limited to, access control, employee training, third-party/vendor management and IT systems management. Examiners also expect to see that assessments and associated policies are specific to a firm’s business.
Access Rights and Controls: OCIE warns that the lack of basic access controls and user management policies can result in unauthorized access to systems and information. Examiners may request details on how a firm manages user rights and what supporting technologies are in place.
The following article is part of our Hedge Fund Insiders Article Series and was contributed by TriNet. Read more articles from the Series HERE.
Beginning January 1, 2016 every U.S. firm with 51-100 employees will be migrated to the “small group market” for healthcare benefits, as part of Affordable Care Act (ACA) mandated changes. Currently, in many states the small group market encompasses firms with 50 or fewer employees. But for policies that renew in 2016, this market will be expanded to include companies with up to 100 full-time employees.
Companies with 51-100 employees, who previously enjoyed the “economies of scale” benefits associated with being in the large group health care market, will become part of the small group market as of their first renewal on or after January 1, 2016. While this change will happen across the U.S., we believe its impact will be very significant in New York State.
What mid-size businesses can expect from ACA changes:
Healthcare premiums, on average, will increase – potentially significantly – and the access to a wide array of rich benefit plans these companies previously enjoyed is likely to be reduced. This is because New York State’s small group healthcare market is “community-rated,” which means the demographics (for example, average age of employees) at a firm have no impact on small group market healthcare pricing. New York State currently prohibits insurance rate variations based on the demographic characteristics of the firm. This is in stark contrast to the rest of the country, where firms are priced based on their employee “census,” thus taking into account their demographic characteristics. We believe this will result, on average, in significantly higher healthcare premiums – especially if the firm has a relatively young average age composition, as so many New York financial firms do.
“Small group” market plans will be “canned,” meaning you will now have to select your benefits from a group of plans that the carrier offers – and plans cannot be modified. This will likely cause firms with 51-100 employees to lose some of the previous benefits they were able to offer employees. As a result, this change is likely to affect deductibles, out-of-network coverage, advanced infertility treatments and lower limits on certain services.
Companies that have 51-100 employees and a relatively young demographic composition will likely be hit with significant healthcare premium increases, as the small group community rates will be much higher than what they currently pay. By my calculations, some groups could see premiums increase as high as 50 percent for plans similar to what they offer today.
The following article is part of our Hedge Fund Insiders Article Series and was contributed by Haynes and Boone, LLP. Read more articles from the Series HERE.
Cybersecurity risks pose an increasingly significant threat to investment advisers. In early 2015, the Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) identified its annual adviser examination priorities, which reflect certain practices perceived to present heightened risk to investors and/or the integrity of US capital markets; one of those priorities was cybersecurity compliance and controls. In April 2015, the SEC’s Division of Investment Management (the “Division”) issued guidance (the “Guidance”) reinforcing cybersecurity as a priority for advisers and suggesting that advisers implement cybersecurity risk assessment plans, response strategies, and written policies and procedures. Included below are measures advisers should consider (some of which are directly from the Guidance) when addressing cybersecurity risks relating to their operations:
Risk Assessment. Advisers should conduct assessments of: (1) the nature, sensitivity and location of information that they collect, process and/or store and the technology systems they use; (2) internal and external cybersecurity threats to and vulnerabilities of the adviser’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should their information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk.
We take our thought leadership efforts seriously around here, and we’re always interested in educating our clients and partners about technology issues that can affect them. We’re also fortunate to be invited to speak frequently on a variety of hedge fund technology topics – most recently, cybersecurity. Our own Managing Director, Vinod Paul, participated in a panel session last month in New York dedicated to this topic.
Featuring speakers from Eze Castle Integration, Citrin Cooperman, Akin Gump, and CFO Consulting Partners, the panel spoke candidly about how the cybersecurity landscape is evolving for financial services firms and how they can begin to comply with recent recommendations from the SEC and FINRA. Following are some highlights from the event. If you’d like to listen to the podcast of the panel, click here.
Many firms question whether they need to do anything to comply with SEC cybersecurity recommendations. The answer is yes. And what firms need to employ goes beyond technology.
Cybersecurity governance is a critical component. Who is in charge beyond the IT team? Someone at the firm needs to take accountability for this process and interface with various functions to ensure compliance. Ideally, a Chief Compliance Officer or Chief Information Security Officer should handle it.
Last week, we partnered up with law firm Sadis & Goldberg to host a webinar where we discussed the Securities and Exchange Commission’s (SEC) Division of Investment Management’s latest cybersecurity guidance recommendations and offered firms clear direction on satisfying these new requirements from both a legal and technology perspective. Featured speakers included John Araneo, counsel, and Lance Friedler, partner at Sadis & Goldberg, as well as Eze Castle Integration’s Managing Director Vinod Paul. To watch a full recap of the webinar, click here or scroll down.
Cyber Threats Across the Industry
The cyber threat landscape is changing rapidly, and our speakers shared examples of how sophisticated hackers are targeting all industries, not only financial services. Araneo gave two examples of data breaches at companies that were recently penalized by the SEC for failure to meet requirements. The first example was a firm that failed to use strong passwords and allowed access to systems after long periods of computer inactivity, resulting in a penalty and mandatory independent security consulting for two years. The second firm failed to enforce the use of anti-virus software, leading to an unauthorized trade from a customer’s account and resulting in fines totaling over $100,000.
Beyond mismanagement of internal cyber controls, phishing and ransomware are other targeted approaches our speakers noted they are seeing across the industry: hackers target executives by sending fake emails to phish for sensitive information or by attaching files that could infect entire systems. In the case of ransomware, if a user opens an infected email, it will lock down files, and the only way to recover them is to buy a key from the hacker. As the sophistication of cyber hackers increases, firms are expected to shore up security and employ best practices to protect sensitive company information – a goal the SEC is targeting with its most recent cybersecurity guidance recommendations.