I just finished Season 1 of Showtime’s ‘Billions’ and can’t resist calling out the horrible IT security on a key character’s laptop. ‘Billions’ centers on a multi-billion dollar CT hedge fund and federal prosecutors looking to take them down for financial crimes. [Spoiler Alert] As season 1 nears an end, US Attorney Chuck Rhoades easily logs into the laptop of his wife, who is also the hedge fund’s in-house psychiatrist. On the laptop he finds the incriminating evidence necessary to potentially take down Mr. Billions (aka Bobby "Axe" Axelrod).
From an IT security perspective, there were so many things wrong with this scene, but I’ll highlight three that any hedge fund, regardless of AUM, should consider:
First up: password security.
In ‘Billions’ they broke the golden rule of NEVER sharing your password, but beyond that, multi-factor authentication should have been implemented. Multi-factor authentication is established by requiring at least two authentication factors that are knowledge based (password), possession based (something you have – token, mobile phone) and/or inherence based (something you are – fingerprint or eye scan).
Eze Castle Integration’s Eze Managed Suite offering includes two-factor authentication via a tool called Duo. Duo combines knowledge based (password) with possession based (smartphone) authentication factors.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
They say the more things change, the more they stay the same. Turns out it’s a pretty accurate assessment of the hedge fund industry then and now.
You see, back in 2011 we hosted a “State of the Hedge Fund Industry” event that yielded some interesting trends and perspectives, and we thought it might be fun to not only look back at those trends, but compare them to what we’re seeing in today’s industry – more than five years later.
Like I said: the more things change, the more they stay the same.
Hedge Fund Market Trends & Challenges
THEN (2011): It’s been an interesting year thus far for hedge funds and other alternative investment firms, as inflows have been high but performance low. In addition to performance challenges, hedge funds continue to deal with increased competition for investments, and thus asset-raising remains a hurdle for many funds – regardless of their size or strategy.
How much security protection is enough? That’s a tough question to answer and the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers including Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list), however it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment firms must go beyond physical or virtual firewalls firms and establish a ‘Human Firewall,’ because sometimes technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into their ‘human firewall’? It has varying parts including policies, training, awareness and of course people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
2017 is quickly approaching and so are a plethora of new financial technology and operations articles here on Hedge IT. As we wrap up 2016, let’s take a look back and share some of our readers’ favorite articles from this past year.
Tips for launching a hedge fund are always popular on Hedge IT, and 2016 was no different. Earlier this year, Eze hosted a webinar featuring speakers Paul Schultz from Wells Fargo, Michael Mavrides from Proskauer Rose LLP, and Bob Guilbert from Eze Castle Integration. A few key takeaways from the 1-hour event include:
Understand that investors will expect enterprise-grade technology built in from Day 1.
Remember the advantages of the cloud: a predictable cost, flexibility and scalability (“tech on demand”), enterprise security, and professional management and monitoring.
Compare both the benefits and disadvantages of a “master fund” versus a “side-by-side” structure (e.g. the master fund allows for one set of books and trades, while the side-by-side structure allows for more tax flexibility)
Show investors that you have a 3+ year budget for working capital without any performance fees.
The following article was written and contributed by James E. Grand, Esq. of The Securities Law Group, a specialized boutique law firm dedicated exclusively to representing investment advisers.
We are often asked by advisers who are switching firms whether they can use in their own performance presentation or the predecessor firm’s performance record at their new firm. There are two separate questions here: First; if Jill Doe moves from one firm to another, can Jill use her own performance record while she worked at the old firm in the new firm’s advertising? Second, can Jill use the old firm’s overall performance record in the new firm’s advertising?
A number of SEC staff no-action letters address these questions. These no-action letters generally take the position that an advertisement that includes prior performance of accounts managed by advisors at their prior place of employment will not, in and of itself, be deemed to be misleading so long as:
1. The advertisement is consistent with SEC staff interpretations with respect to the advertisement of performance results.
2. All accounts that were managed in a substantially similar manner are advertised unless the exclusion of any account would not result in materially higher performance. For example, in one case we know of the SEC allowed a newly registered adviser solely owned by an employee to use performance data of several accounts managed by the employee prior to registration. In other words, Jill could advertise the performance of some but not all of her prior client accounts so long as such performance is not materially higher than her accounts’ overall performance.
3. The accounts managed at the old firm are so similar to the accounts currently under management at the new firm that the performance record would provide relevant information to prospective clients.
4. The person(s) managing accounts at the new firm are also those primarily responsible for achieving the prior performance results at old firm. In other words, the individual(s) primarily responsible for achieving the prior performance results must also be the individual(s) primarily responsible for the accounts at the new firm. To put in another way, it would be misleading for an adviser to advertise the performance results of accounts managed at her prior place of employment when she was one of several persons responsible for selecting the securities for the adviser’s clients. The question is whether she was actually responsible for making investment decisions without the need for consensus from other advisers (e.g., an investment committee, etc.).
5. The advertisement includes all relevant disclosures, including that the performance results were from accounts managed at another firm.
It’s no surprise that starting a hedge fund is no easy feat. In an increasingly competitive landscape challenged with evolving investor and regulatory demands, progressive technology and mounting cyber threats, emerging managers can become overwhelmed at the winding path that lay before them. Still, hundreds of emerging managers attempt launching every year due to the prospective monetary and fundamental rewards.
What sets apart successful startups from those that fail? In today’s post we will cover a few essential areas startupreneurs should consider during their launch journey.
Invest in People
Your greatest assets walk out of the door every day: Your team. Every hedge fund startup is backed by people, and the more dynamic and versatile this team is, the greater chance the firm has of achieving and sustaining a successful future. Why? Since capital is limited during the development phase, selecting people with skill sets in multiple arears is essential. Additionally, employees are ambassadors for your firm, and thus, critical to attracting investors.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. You can watch the full webinar replay here. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Whether it is your summer interns heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s An Employee Termination Checklist Foundation:
Contact IT Department or IT Provider to terminate or change network or application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure employee has documented transition procedures
Reset user password and disabled account
The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a startup, it's important to demonstrate to investors that you take your business seriously, hence, investments in operational excellence are required. On the cybersecurity front, that means leveraging technology infrastructure with robust, security-rich features including intrusion detection and ongoing traffic monitoring, regular vulnerability assessments and next-generation software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes – whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes will focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks or internal breaches, (2) training firm employees on said policies and current cyber threats, (3) cultivating a culture of security awareness from Management down, and (4) managing an effective risk programme via external vendor oversight.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans – comprehensive documentation of the firm's corporate security initiatives. This should include technical and administrative safeguards being employed to secure confidential data. In the development stage, firms will need to identify systems and plans currently being used, technical procedures and systems in effect, employee access controls relative to confidential data as well as user responsibilities for both prior to and in the event of a data breach.