The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have become must-haves for financial firms not only because of these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a startup, it's important to demonstrate to investors that you take your business seriously, hence, investments in operational excellence are required. On the cybersecurity front, that means leveraging technology infrastructure with robust, security-rich features including intrusion detection and ongoing traffic monitoring, regular vulnerability assessments and next-generation software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes – whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes will focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks or internal breaches, (2) training firm employees on said policies and current cyber threats, (3) cultivating a culture of security awareness from Management down, and (4) managing an effective risk programme via external vendor oversight.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans – comprehensive documentation of the firm's corporate security initiatives. This should include technical and administrative safeguards being employed to secure confidential data. In the development stage, firms will need to identify systems and plans currently being used, technical procedures and systems in effect, employee access controls relative to confidential data as well as user responsibilities for both prior to and in the event of a data breach.
In case you missed it, the SEC just announced this week that it levied a $1 million fine to a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”) are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.
It’s no secret that investment management firms (including hedge funds and private equity firms) have historically been divided over the use of public and private clouds. We’ve discussed it in depth here on the Hedge IT Blog, explaining the differences between the two and why most funds are choosing to go with a private cloud solution.
A case can be made, however, that there’s a time and a place for each cloud platform and both offer their own advantages for financial services firms. We’ve taken a look at some of the key areas firms will consider when looking at public and private clouds and identified which we think comes out on top.
Service & Support
Investment firms demand uptime to ensure operational efficiency and profitability. Public cloud providers, however, do not offer investment-specific IT support and rather have limited customer service representatives troubleshooting the most basic of email and desktop support issues.
It's time for another Tech Tip video! Today, we have five security practices your investment firm should not overlook. Watch and learn!
This article was written by Bob Guilbert, Managing Director, and first appeared in Hedgeweek's 2016 Guide to Setting Up an Alternative Investment Fund in the USA.
You're a new fund manager, and somewhere on your task list the letters "IT" are probably followed by a question mark. Odds are, you don't have a technology background, so as your firm's Chief Operating/Financial/Compliance Officer (or in some cases, Portfolio Manager), the sudden responsibility you've undertaken as your firm's de facto IT Manager is intimidating at best.
The good news is, as a startup, your IT options are pretty clear. In 2016, there's no better technology decision a new firm can make than selecting a cloud platform – an infrastructure that has proven benefits including scalability, flexibility and robust security, among others. And while the thought of hosting IT offsite was once a worry for allocators, today's investors find comfort in knowing hedge fund and alternative investment firms are focusing on their investment priorities and leaving the technology decisions to the experts.
From our perspective, the cloud is now a tried and tested infrastructure environment that is acceptable to the institutional investor community. They have become very thorough in their operational due diligence process, understanding exactly what cloud providers provide from an operational, management and security perspective. This has allowed managers to become much more comfortable at appointing a cloud provider to deliver an infrastructure that will perform well in any type of trading environment.
Where managers need to spend their time is deciding on the best cloud provider to work with, as opposed to thinking about whether or not they should use a cloud provider in the first place.
And how exactly do emerging fund managers embark on that decision-making process?
The financial services industry is currently under tremendous pressure to meet both investor and due diligence requirements. Thus, it is increasingly important to maximize technology to meet these pressures. To conclude our six-part hedge fund launch webinar series, we spoke with Eze Castle Integration’s own managing director Vinod Paul, who shared insights about current IT challenges and demands and how today’s hedge funds can employ best practices for operational excellence.
Key Priorities for New Managers
Paul defined cybersecurity and scalability as two primary technology considerations for new managers. You must first understand your firm’s specific vulnerabilities and exposures. One of the most common mistakes new launches make, according to Paul, is assuming that they only require the basic bare minimum in terms of technology. He urges new managers to pick an IT solution with operational growth in mind -- considering the business not at the onset, but in three to five years.
Service Provider Selection Criteria
Paul continued to place emphasis on customized IT, stating that when it comes to outsourcing, it is imperative that a firm carries out proper due diligence in choosing a provider to meet the firm’s unique needs. “You want to enter into a true partnership that offers open lines of communication, flexibility, and ultimately, trust and accountability,” he said. Brand and reputation, long-lasting relationships with clients, and industry experience are some of the criteria Paul feels are most important when selecting a service provider. “Don’t step into it with the attitude that a current provider is good enough, for right now,” he cautioned. The service provider should not only address day-to-day operations but also anticipate potential problems down the road.
On Monday, March 21st at its California headquarters, Apple unveiled a new iPhone and iPad, as well as announced improvements to current products. Fittingly, CEO Tim Cook also discussed security at length – not shying away from concerns resulting from the current fight with the FBI. "We believe strongly that we have a responsibility to help you protect your data and protect your privacy. We owe it to our customers, and we owe it to our country,” he said. The key takeaways from the event are summarized below.
The 4-inch iPhone SE
The new iPhone was introduced as having all the power of the iPhone 6s, but with the aesthetic of the iPhone 5. The reason, said Apple VP Greg Joswiak, is simple: “For some people, they simply love smaller phones.” With a $399 price point, analysts believe that the new phone is Apple’s attempt to penetrate the fastest-growing markets of India and China, specifically “prepaid consumers who cannot afford, or are not familiar with, bigger screen smartphones,” said Neil Mawston, an analyst at Strategy Analytics.
The iPhone SE promises an A9 processor with faster LTE and Wi-Fi speeds, better battery life, 4K and 240 fps slow-mo video recording, live photo support, and Apple Pay. The 16GB model, as well as a 64GB model for $499, goes up for pre-order on March 24, 2016, with the first units shipping March 31, 2016.
9.7 inch iPad Pro
The “baby brother” to the 12.9 inch screen iPad Pro that some consumers deemed too large, the new 9.7 inch model is roughly the same size as the iPad Air 2 but with features like Apple Pencil, Apple’s Smart Keyboard, a 12 MP rear camera with 4K video recording and live photo support, and a 5 MP front-facing camera. In addition, the screen of the new iPad Pro will be 40% less reflective than that of the iPad Air 2, but will be 25% brighter.
A feature called “True Tone” will benefit designers by constantly checking the lighting of the room and adjusting accordingly for color accuracy. Three models will be available for pre-order March 24, 2016: the 32GB for $599, 12GB for $749, and 256GB for $899.