We’ve seen the face of the financial services industry change dramatically over the last few years, with emerging technologies, investor transparency demands and growing competition fueling firms to assess their operations and focus on the health and success of the overall business. But perhaps beyond any of these trends, the focus on industry regulations and compliance efforts may be the most significant in changing the way financial services firms do business.
This year alone, we’ve seen regulatory initiatives dominate headlines and leave firms scrambling to comply, notably the SEC’s cybersecurity guidelines released this spring and the official implementation of the Alternative Investment Fund Managers Directive (AIFMD), which went into effect last week. Also becoming official this month is the Foreign Account Tax Compliance Act, or FATCA, which requires U.S. persons to report financial accounts held outside of the United States and requires financial institutions (notably banks) to report foreign financial accounts and clients who hold foreign assets.
To identify non-compliance, the Internal Revenue Service is requiring financial institutions with foreign entities and foreign financial institutions (FFIs) to disclose information about U.S. clients with balances over $50,000. The law threatens a steep 30 percent withholding tax on payments for non-compliant FFIs.
There is also a significant cost for firms to implement compliance procedures and reporting standards to meet the legislative requirements of FATCA. It is reported that implementation costs average between $100,000 and $500,000 depending on firm size and are expected to amount to roughly $8 billion USD a year for financial institutions alone (not including costs to the private sector, IRS and foreign entities).
Your hedge fund's information security plan likely includes details on where information is stored, how it is accessed and who can access it. But a critical component of this plan that is often overlooked is how and why data is destroyed when it is no longer needed. Including data destruction procedures in your WISP (written information security plan) or as a separate document is vital to ensuring your firm’s sensitive data and intellectual property do not fall into the wrong hands. Unfortunately, in today’s technology-driven, cyber-aware environment, simply hitting the delete key is not enough.
There are a few different scenarios that warrant secure data destruction maneuvers:
Changing service providers
Retiring a service/product
Your methods and policies for secure destruction may vary according to the above scenarios, or they may be standard across the firm. Your hedge fund should also consider whether there are any regulatory implications. Do you need to maintain or archive data for a prescribed period of time in order to comply with state, federal or other compliance or auditing standards?
In any case, you’ll want to evaluate a variety of methods up front to ensure your firm’s confidential data (e.g. investment portfolio, investor contact information, etc.) is thoroughly destroyed, preventing unwanted breaches or thefts.
One of the first questions on the SEC’s cybersecurity questionnaire for financial firms asks firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often. Clearly the goal behind this question is to ensure that firms are taking a proactive approach to security. But what exactly does this assessment entail?
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
We continue to speak with clients and prospects on a regular basis on the topic of cybersecurity, and with the expectation that the SEC will start security exams sometime around September, it’s evident that firms are working diligently to answer the questionnaire and shore up internal practices.
To continue fostering education around this topic, we hosted two events last week dedicated to cybersecurity for hedge funds and investment firms. For your convenience, you can read a brief recap of some of the key topics discussed or scroll down to watch our full webinar replay.
Cybersecurity a Hot Topic on State & Federal Level
By now, we all know the SEC has taken steps to ensure that hedge funds and investment advisers put security mechanisms and practices in place to protect against cyber threats. SEC Commissioner Luis Aguilar said there is “substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.” Even beyond the federal level, some states are chiming in on the cybersecurity front. Earlier this month, Massachusetts and Illinois acknowledged that they were polling investment advisers about their security practices, and that based on responses, state regulations could be impacted.
As your firm evaluates moving to the cloud – as most firms today will inevitably do – your list of priorities will likely include:
Regulatory and investor impact
Migration plans and operational effects
Hardware disposal and infrastructure changes
But another critical business area your firm should put some thought into is the effect of the cloud movement on your internal IT department (assuming you have one). What exactly happens to a firm’s IT team once it moves operations into a cloud environment? Is there still value in maintaining an in-house staff?
The simple answer is ‘yes,’ but the day-to-day responsibilities for those staffers may not look quite the same post-cloud. With a fully managed service provider, everyday management is typically taken care of – leaving internal resources with a lot more time on their hands. But that doesn’t mean there’s no longer a need for an IT department.
In Part 1 of our Transformation of IT seminar recap, we shared what our expert panel discussed relative to evaluating outsourced solutions and leveraging technology solutions. Our panel included Vinod Paul, Managing Director, and Steve Schoener, Vice President, at Eze Castle Integration, John Budzyna, Managing Director, and Dave Messier, Director, at KPMG, Timothy Ng, Managing Principal at Clearbrook Global Services, Jon Anderson, Global Head of OTC Derivatives at SS&C GlobeOp and Sheldon Rubin, COO/CFO/CCO at S Squared Technology LLC.
Read on to see what our speakers had to say about the considerations for outsourcing, typical transformation challenges and more. You can also read Part 1 of the event recap or listen to the complete audio replay.
Q: Whether it's technology, compliance or another area of the business, firms ultimately need to decide if they are going to manage these areas internally or outsource to an expert vendor. How does a hedge fund determine what is the right solution for them and whether to outsource or maintain their own systems and operations?
When considering internal operations vs. outsourcing, a firm must determine which option gives it the most control over the given process. The firm is not only considering outsourcing technology but also outsourcing control.
We’re back for Part Two of our UK Cloud Summit seminar recap. Last week on Hedge IT, we explored connecting to the cloud. In today's article, we will dive into the most talked about UK regulation: the Financial Conduct Authority’s (FCA) Dear CEO letter. We will cover how the letter affects IT outsourcing and the steps firms can take to mitigate service provider risk and adhere to the Dear CEO letter guidance.
The “Dear CEO” letter was issued in December 2012 to all UK asset managers and expressed concern about the endemic outsourcing risk in the sector, particularly around asset managers having effective business continuity plans (BCP) and exit strategies in place with their service providers in the event of service provider failure.
Since the letter was issued, the FCA has asked firms to demonstrate they have a clear handle on what they outsource and why, a full understanding of the potential impacts of failure, and contingency plans that are viable, robust, and realistic.
Regulatory oversight, competition for assets and investor due diligence concerns have left investment management firms with more pressure than ever to succeed. And technology innovations like the cloud have turned the traditional hedge fund operations model on its head. The questions remain: how do fund managers evolve in 2014 and meet the increasing demands of the financial services industry? And how do firms compete with the incoming crop of new launches that continue to emerge and vie for investor allocations?
The following presentation takes a closer look at these key transformations within the hedge fund industry and examines the shift firms are making from traditional, on-premise IT infrastructures to cloud-based platforms. It also highlights managed disaster recovery services and offers best practices for security in the cloud.
Take a look, and if you can, join us in New York on Tuesday, May 6 as a panel of experts discusses these topics and more at our Transformation seminar.
The SEC last week provided even more clarity into its growing focus on cybersecurity at broker dealers and registered investment advisers. A key takeaway in a Risk Alert issued on April 15, 2014, is that the Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.
In order to help compliance professionals prepare and assess their firms’ cybersecurity preparedness, OCIE has created a sample cybersecurity request document that outlines the types of questions firms can expect. OCIE is careful to point out that these questions should not be considered all-inclusive of the information that OCIE may request. OCIE will alter its request for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment.
The Risk Alert and the sample questions are available from OCIE.
Earlier this week, it was reported that Nasdaq was reconsidering its Amazon-based cloud product, FinQloud. According to the Financial Times, FinQloud has failed to gain significant traction in the marketplace amongst financial services firms, including broker-dealers and exchanges. If Nasdaq pulls out of the deal with Amazon Web Services (AWS), it would be a major disappointment to Amazon, which is actively pitching AWS to large financial institutions and enterprises.
Whether the limited adoption of FinQloud is a sign of a product flaw or a larger industry trend, we feel it important to draw attention to a longstanding debate within the financial services industry – a debate that we’ve shared our thoughts on here on Hedge IT many times: public vs. private clouds.
It’s certainly possible that the slow adoption of FinQloud is a result of concerns over mass public cloud usage – a stark reality for many financial services firms that expect and demand that their critical applications and data be stored in a highly secure and available environment. Hedge funds and investment firms, in particular, cannot afford unexpected downtime, and unfortunately, we’ve seen several public cloud providers experience major outages in recent years. Just last week, Dropbox users logged in to find the service was unavailable, and Amazon and Google have both found their services in the headlines in recent years over very large and public disruptions.