The financial services industry is currently under tremendous pressure to meet both investor and due diligence requirements. Thus, it is increasingly important to maximize technology to meet these pressures. To conclude our six-part hedge fund launch webinar series, we spoke with Eze Castle Integration’s own managing director Vinod Paul, who shared insights about current IT challenges and demands and how today’s hedge funds can employ best practices for operational excellence.
Key Priorities for New Managers
Paul defined cybersecurity and scalability as two primary technology considerations for new managers. You must first understand your firm’s specific vulnerabilities and exposures. One of the most common mistakes new launches make, according to Paul, is assuming that they only require the basic bare minimum in terms of technology. He urges new managers to pick an IT solution with operational growth in mind -- considering the business not at the onset, but in three to five years.
Service Provider Selection Criteria
Paul continued to place emphasis on customized IT, stating that when it comes to outsourcing, it is imperative that a firm carries out proper due diligence in choosing a provider to meet the firm’s unique needs. “You want enter into a true partnership that offers open lines of communication, flexibility, and ultimately, trust and accountability,” he said. Brand and reputation, long lasting relationships with clients, and industry experience are some of criteria Paul feels are most important when selecting a service provider. “Don’t step in to it with the attitude that a current provider is good enough, for right now,” he cautioned. The service provider should not only address day-to-day operations but also anticipate potential problems down the road.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
Because holiday expectations weren’t high enough for parents masquerading as the Easter Bunny or Elf on the Shelf, the latest craze is now centered around St. Patrick’s Day, giving parents the new role of leprechaun. Setting leprechaun traps the night before St. Patty’s has emerged as the newest trend for kids hoping to discover where the mighty leprechaun has hidden his pot of gold – or at least hoping to snag some chocolate coins.
But there is another trap you should be wary of, and that’s the one hackers are setting for you right now. A phishing trap.
Did you hear the story of the Central Bank of Bangladesh that lost $81 million to hackers? It happened in February 2016 and goes like this. The bank believes hackers executed a hack that allowed $81 million to be taken from the bank’s foreign exchange account at the Federal Reserve Bank of New York. It appears that the initial point of entry for the hackers was a spear-phishing email, potentially sent weeks before the fraud took place, which allowed the criminals time to remotely monitor and probe the bank’s networks without detection.
This is just the latest advanced threat facing financial organizations. Beyond cyber technology (which is essential), organizations need an internal culture of security, an ongoing, organization-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness, and education.
We recently published a Four Step Guide to Creating a Culture of Security. Here are some highlights – you can read the full paper HERE.
1. Create a Computer Incident Response Team
Your first step is to find the right people who can oversee your information-security policies and be part of a “Computer Incident Response Team.” Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives.
After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CIRTs are active in several key areas:
Create a Plan
Create Training Programs
Respond to Incidents
Communicate with Peers/Industry Groups
According to TechTarget’s SearchSecurity, “an advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.” As with most sophisticated cybersecurity attacks, the goal of the intruder is to capture valuable information and steal data. APT intrusions are often focused on high-value information and sectors such as the financial industry.
The cybersecurity landscape is constantly changing and today the cyber threat actors range from organized crime to state sponsors.
How do hackers gain access?
When it comes to advanced persistent threats, the cyber criminals often use targeted social engineering tactics including spear phishing. In a spear phishing incident, criminals target specific companies or individuals and conduct background research to compile employee names, titles and contact information. Social networks are common resources crawled for this information. Obtaining such details and observing communications provides criminals with the tools to mirror email addresses, website URLs and dialect. The end result is the criminal’s identity masqueraded as a legitimate, trustworthy source.
How can you defend against Advanced Persistent Threats?
Successfully launching a hedge fund is a complex endeavor. Not only must emerging managers evaluate traditional deployment strategies, but consider current factors influencing the financial landscape.
Last week, Eze Castle Integration presented a webinar, “How to Launch a Hedge Fund,” featuring an expert panel that addressed some critical areas for consideration, notably capital introduction, legal and technology. There was quite a bit of content discussed during the 1-hour event, so we’ve pulled out some key takeaways.
Capital Raising (Paul Schultz, Director of Capital Introduction, Wells Fargo Prime Services)
Examine both content and context, i.e. cash inflows and outflows as well as the “big picture” that accounts for volatility
Be aware of the kinds of investors coming into the hedge fund space. Large and institutional pension plans are currently the largest investor base.
Be prepared when speaking to investors. Target those who have a history of being receptive to founder share class and who may offer lower management and performance fees.
Show investors that you have a 3+ year budget for working capital without any performance fees.
Have a well thought-out blueprint. Clarity and intention make all the difference.
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing Videos And Infographics
Today’s the day.
The National Futures Association ("NFA") Interpretive Notice Regarding Information Systems Security Programs goes into effect. The NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
The Cybersecurity Interpretive Notice applies to all membership categories--futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.
Rather than taking a ‘one-size-fits-all approach,’ the Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, customer types and counterparties.
But whatever approach is taken, the Cybersecurity Interpretive Notice requires Members to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
Information Systems Security Program Key Areas
Similar to the SEC’s expectations, the Cybersecurity Interpretive Notice requires a written information security program to contain:
A security and risk analysis;
A description of the safeguards against identified system threats and vulnerabilities;
The process used to evaluate a security incident, including impact and incident response; and
Description of ongoing education and training related to information systems security for employees.Executive-level participation and annual review of the information security program is expected. Additionally, firms must provide employees training during the onboarding processes as well as periodically during employment.
Categorized under: Security Launching A Hedge Fund Hedge Fund Insiders Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Business Continuity Planning Trends We're Seeing
The following is the second excerpt from our new whitepaper, Launching a Hedge Fund: 10 Keys to Success. Don't forget to visit Hedge IT on Thursday as we reveal the last of our key considerations for starting a hedge fund.
To read part one, click here.
Develop an IT budget for your first 2-3 years.
Operating capital may be limited in the first few years after your launch, so careful budgeting and long range planning will serve your firm well. Your information technology budget should include priorities and figures for at least two to three years, including infrastructure/hardware and software requirements. Some questions you’ll want to consider:
How many offices are you launching with? Do you plan to open additional offices in the near future?
How many users do you have on day one? How many can you expect to have in years 2 and 3?
Where are your offices located? Are there cost differences between domestic and international offices?
What are your trading practices and how does this impact your budget?
What kinds of systems do you need? (Order Management, Portfolio Accounting, Risk Management, CRM, etc.)
Ensure your technology budget coincides with your firm’s growth plan. Do you expect to grow quickly? Open new offices? Expand internationally? You will need to account for these changes.
Understand hedge fund regulations and how they affect your firm.
Governmental oversight of the financial industry has evolved dramatically in the last decade. Hedge funds, private equity firms and registered investment advisers now operate in a world where they are beholden to regulatory bodies with growing expectations and requirements. When launching your hedge fund, you’ll need to be clear up front with any responsibilities you may have to any applicable agencies – in the United States, that means the Securities and Exchange Commission (SEC). Are you required to register? If so, represent your firm accurately and be descriptive of your operations. If not forthcoming, you may open up your firm to serious regulatory and criminal prosecution.
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Software Trends We're Seeing
Today's hedge funds are facing an environment defined by regulatory pressure, investor demands and fierce competition. For hedge fund startups, the challenges are even greater, so too are the demands. Successfully operating a new startup beyond the first year is a feat many managers struggle to accomplish, therefore it's critical for emerging managers to gain a full understanding of the industry that awaits them and the hurdles they should expect to face.
While the list of considerations is surely long for new managers, we've whittled it down to 10 Keys to Launching a Hedge Fund Successfully - a guide for new startups to use when setting off on their new journey.
Take a look at our latest video for a quick look at our 10 Keys to Success. And be sure to come back to Hedge IT later this week when we'll be sharing an excerpt from our brand new whitepaper on the same topic!
Categorized under: Launching A Hedge Fund Cloud Computing Security Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing
With threats of data loss increasing in both numbers and severity, it is no surprise that data security is on everyone’s mind within the financial and investment industry. Regulatory agencies and investors now expect businesses to have backup solutions and comprehensive record-keeping practices. Understanding the need and importance of implementing a backup solution can add instrumental value to your business.
We at Eze Castle Integration have identified the top four reasons why backups are critical to not only a firm’s growth, but also their survival.
1. Regulatory agencies demand security of financial records.
The Securities and Exchange Commission (SEC) has instituted regulations on the storage of financial records and electronic communication, and financial industry regulatory agencies such as FINRA now provide standards and guidance information on potential threats. In addition, international regulators such as the FCA, a financial regulatory body in the United Kingdom, are also demanding firms to have a data backup solution.
The reasoning behind these recommendations is the volume of things that can go wrong with your data storage solution. From hardware failure, software corruption, virus or network security breaches, to natural disasters and human error, the threat to your data is endless. With today’s financial services companies managing exponentially growing volumes of sensitive data, the risk of loss grows as well.