The following article was written and contributed by James E. Grand, Esq. of The Securities Law Group, a specialized boutique law firm dedicated exclusively to representing investment advisers.
We are often asked by advisers who are switching firms whether they can use in their own performance presentation or the predecessor firm’s performance record at their new firm. There are two separate questions here: First; if Jill Doe moves from one firm to another, can Jill use her own performance record while she worked at the old firm in the new firm’s advertising? Second, can Jill use the old firm’s overall performance record in the new firm’s advertising?
A number of SEC staff no-action letters address these questions. These no-action letters generally take the position that an advertisement that includes prior performance of accounts managed by advisors at their prior place of employment will not, in and of itself, be deemed to be misleading so long as:
1. The advertisement is consistent with SEC staff interpretations with respect to the advertisement of performance results.
2. All accounts that were managed in a substantially similar manner are advertised unless the exclusion of any account would not result in materially higher performance. For example, in one case we know of the SEC allowed a newly registered adviser solely owned by an employee to use performance data of several accounts managed by the employee prior to registration. In other words, Jill could advertise the performance of some but not all of her prior client accounts so long as such performance is not materially higher than her accounts’ overall performance.
3. The accounts managed at the old firm are so similar to the accounts currently under management at the new firm that the performance record would provide relevant information to prospective clients.
4. The person(s) managing accounts at the new firm are also those primarily responsible for achieving the prior performance results at old firm. In other words, the individual(s) primarily responsible for achieving the prior performance results must also be the individual(s) primarily responsible for the accounts at the new firm. To put in another way, it would be misleading for an adviser to advertise the performance results of accounts managed at her prior place of employment when she was one of several persons responsible for selecting the securities for the adviser’s clients. The question is whether she was actually responsible for making investment decisions without the need for consensus from other advisers (e.g., an investment committee, etc.).
5. The advertisement includes all relevant disclosures, including that the performance results were from accounts managed at another firm.
It’s no surprise that starting a hedge fund is no easy feat. In an increasingly competitive landscape challenged with evolving investor and regulatory demands, progressive technology and mounting cyber threats, emerging managers can become overwhelmed at the winding path that lay before them. Still, hundreds of emerging managers attempt launching every year due to the prospective monetary and fundamental rewards.
What sets apart successful startups from those that fail? In today’s post we will cover a few essential areas startupreneurs should consider during their launch journey.
Invest in People
Your greatest assets walk out of the door every day: Your team. Every hedge fund startup is backed by people, and the more dynamic and versatile this team is, the greater chance the firm has of achieving and sustaining a successful future. Why? Since capital is limited during the development phase, selecting people with skill sets in multiple arears is essential. Additionally, employees are ambassadors for your firm, and thus, critical to attracting investors.
The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
The following article first appeared in Hedgeweek's special report: Cybersecurity for Fund Managers 2016.
Mitigating insider risk is one of the biggest challenges that organisations face when it comes to remaining cyber secure.
One thing we've seen a lot of with clients is their need for consulting support," says Mark Coriaty (pictured), Senior Vice President Strategy & Partnerships, Eze Castle Integration. "They don't necessarily have the biggest IT teams and/or might have been more focused on the engineering side than the cyber side. Consequently, they are spending more time learning about the business, as opposed to just putting a solution in place.
"Cybersecurity comes down to operational and procedural policies as well as employee training, which is by far one of the biggest threats to any firm."
Many of the reasons for internal breaches come down purely to human error, but on occasion it may be the actions of a rogue employee that lead to data misappropriation. To limit the impact, fund managers can put in place permission controls as a way to manage their policies and procedures, this might allow them to shut off a USB drive, protect different file sets on the back-end etc.
"It is important for whomever is managing the overall IT infrastructure to ensure that people only have access to data that they need for their day-to-day responsibilities, and block them from accessing data in other parts of the organisation," says Coriaty, adding that employee training has to be an ongoing process. "For larger firms who hire new employees regularly, managing the process of training them is crucial to maintaining good security. Most hackers target smaller investment managers not to collect credit card numbers, or investor details, but for extortion purposes using the likes of CryptoLocker to pay ransoms.
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include all All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent with all parts of the company.
When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
There's a lot to be mindful of when it comes to cybersecurity. Experienced and savvy hackers. Insider threats. Regulatory guidance updates and subsequent enforcement actions. The list goes on. So how do today's hedge fund and private equity firm managers navigate the changing landscape and stay above the fray? It all starts with planning.
If you missed it, our recent webinar with law firm Sadis & Goldberg explores the regulatory climate for investment firms, recaps recent SEC enforcement actions and the variance in how compliance is evaluted, and provides practical and actionable advice for fund managers looking to address insider threats, education awareness and policy gaps around information security.
If you have a free hour, this one's worth your time.
Watch below or read our joint whitepaper, A Fund Manager's Cyber Security Action Plan.
In an alert posted to its website, the U.S. Federal Bureau of Investigation (FBI) stated that phishing email scams requesting wire fraud transfers have cost firms more than $2.3 billion in losses since 2013.
At the root of a phishing email scam is in-depth reconnaissance during which the cybercriminal delves into employees's personal information and the organization’s processes. During this phase, schemers phish languages within email threads and obtain enough information to pinpoint money-managing employees within the firm. Equipped with this insider information, the criminal sends a spoofed email, assuming the identity of the firm’s CEO or other senior executive, to an employee responsible for managing funds and requests an illegitimate wire transfer. Typically, the message will relay a sense of urgency – a key factor in the fraud's success.
According to the FBI, these email scams have increased by 270 percent (%) since January 2015. With the rise of these incipient, sophisticated attacks, the need for fully managed phishing and training programs grows exponentially. Breaches will happen, but when employees are provided with the tools and knowledge needed to recognize fraudulent emails, risk decreases and a firm’s defense system becomes stronger and more agile.
In case you missed it, the SEC just announced this week that it levied a $1 million fine to a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”) are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing