The following article originally appeared in HFMWeek's Cyber Compliance Focus.
It’s not enough to have strong security policies. And it’s not enough to have robust technologies in place to ward off cyber threats. In truth, it’s not even enough to have both of these.
An effective cybersecurity program, rather, can only be achieved through a consistent and comprehensive strategy that touches layers across the entirety of the organization – from perimeter security and access control to policy enforcement and employee training. Without each of these building blocks, the effectiveness of a cyber risk management program is crippled at best.
And today’s standards for cybersecurity are increasing rapidly.
Traditionally, hedge funds and private equity firms have allocated significant capital budgets to build out their own sophisticated Communication (Comm.) Rooms, which can take months to provision and bring online. With servers to buy and install, software to license and configure, and voice/networks to deploy – not to mention recruiting, hiring, and managing expensive and hard-to-find IT talent – it’s no wonder cloud solutions have emerged as the dominant choice for computing infrastructures at investment firms large and small.
Not surprisingly, many investment management firms – including those with well-established in-house infrastructures – are making the move to the cloud for a number of compelling reasons, most notably these five:
Timing. Understanding when the right time to move to the cloud might be is a smart first step. There are three typical inflection points: when you’re adding new applications, moving or opening a new office, or in need of an IT refresh. But even if you’re not under any of those circumstances, there are a lot of motivating factors (keep reading).
Cost Containment. You may not always be able to reduce the cost of IT in the long-run with the cloud (depends on your firm’s size and scope), but you will have a predictable budget to work with, which means you can contain costs and create greater predictability and smoother, linear cash flows. As an added bonus, you can better allocate funds to other strategic projects and areas more directly relevant to the business mission. Even within the IT discipline, instead of spending time on mundane, daily operation of commodity IT resources, the firm can focus on proprietary application development, application integration, cyber security protections or other strategic initiatives.
Post-launch, many hedge funds and investment firms struggle to gain ground and attract the institutional capital needed to succeed in today’s competitive market. As firms grow – and bandwidth and budget are less likely to be roadblocks – it can be a challenge to reinvent the wheel and position your firm to capture institutional dollars.
During a recent webinar, speakers from EisnerAmper and Eze Castle Integration explored trends in hedge fund operational due diligence and technology operations and offered advice for asset managers looking to grow out of their startup boots and achieve an institutional grade operation. Some areas they explored during the 40-minute webinar include:
How institutional investor expectations have changed for firms at the pre-launch and post-launch phases;
The importance of (and detriment to not) passing an operational due diligence examination;
How cyber security expectations are evolving to increase standards across both technology infrastructure and policy planning;
If the public cloud is suitable for investment management firms looking to solidify institutional investments; and
Top mistakes emerging managers make that prevent successful ODD exams and institutional evolution.
Scroll down or click here to watch the replay.
The following article originally appeared in Opalesque's Private Equity Strategies.
The role of the private equity CTO has changed significantly. New technology along with a growing list of cybersecurity threats have placed more demands on the IT department than ever before. According to a new survey of private equity CTOs from Eze Castle Integration, these demands have led to an evolution in the role of the CTO away from simply maintaining hardware and workflows and into making the CTO an integral part of information security and compliance support.
For 2017, respondents to the survey said that their key priorities were cybersecurity, improving customer experience and updating older technologies. Outsourcing some business functions and technology infrastructure to cloud services providers and others also made the list in a big way, with firms looking to outsource a variety of operations.
None of this comes as a surprise to Eze Castle’s Chief Strategy Officer, Mark Coriaty. He says that private equity CTOs have been looking to companies like Eze Castle for those new technologies as well as guidance on how best to implement them.
“Outsourcing has grown significantly over the past three years. Firms are looking for guidance, advice and managed services capabilities,”Coriaty tells Private Equity Strategies. “Private equity firms, specifically, are looking closely at how they manage and maintain data securely. Many firms lack a centralized data source. We can provide a private cloud that allows for centralization and data management.” He adds that Eze Castle also works with CTOs on a consulting basis to help them learn about best practices for information security and maintaining compliance.
Categorized under: Outsourcing
As you’re probably aware, the topic of cybersecurity has been splashed prominently across headlines lately. Earlier this year, the former US director of national intelligence, James Clapper, identified cybersecurity as the top global threat.
In his testimony before the Senate Armed Services Committee, Clapper stated “I think the private sector needs to up its game on cyber security and not just wait for the government to provide perfect warning or a magic solution.” So what should you be doing to better protect your firm’s critical systems and data?
The truth is both large, well-established hedge funds and smaller startups are equally at risk of intrusion. Hackers may target large firms because they see an opportunity to profit from their substantial asset pools. Additionally, they might be after the notoriety associated with successfully hacking a well-known fund’s critical systems, especially in cases that will likely garner media attention. For smaller funds, hackers are likely after intellectual property, namely business plans, market forecasts and investment strategies.
Last week, we shared some important questions to include in hedge fund technology RFPs, focusing on Staffing, Client Service Model and User Support. In today’s article, let’s dive back into the RFP process, and look at some questions on Business Continuity & Disaster Recovery Plans, Backup & Retention of Information, Data Security and Intrusion Detection & Incident Response.
Business Continuity & Disaster Recovery Plans
Does your company have a written policy and program in place for business continuity and disaster recovery?
Have your company’s policies and programs for business continuity and disaster recovery been fully implemented? If not fully implemented, please discuss those areas in detail and explain any plans to address them.
We’ve all heard the saying, “there are no stupid questions,” but when it comes to technology it is easy to feel undereducated. Knowing what to ask a hedge fund technology provider not only makes you look smart (or smarter!) but also ensures you get the right solution.hedge fund tech guidebook
In this article we’ll look at questions around Staffing, Client Service Model and User Support for your hedge fund technology Request for Proposal. Next week we’ll give questions for DR Plans, Information Backup & Retention and Data Security.
Staffing and Skills
Provide the total number of employees (current year and past year). Please show numbers for overall staff as well as a breakdown by function (e.g., developers, client service, etc.).
Provide the number of employees gained and lost (current year and past year).
Describe the organizational structure of your company. Please detail the roles specific to your business (e.g., engineers, client managers, trainers, QA, etc.)
How many full-time employees are assigned to these particular roles, by functional and geographic split?
What is the anticipated project resource profile through the stages of the implementation process?
When it comes to cybersecurity, the list of haves and have nots is constantly evolving due to the changing regulatory and threat landscape. In case you missed it, we hosted a webinar this week on Cybersecurity Basics for Asset Managers, during which we uncovered various elements within three primary cybersecurity layers: from Tier 0 (Basic Protection) to Tier 1 (Industry Standard) to Tier 2 (Advanced Protection).
How does your firm stack up when it comes to your cybersecurity practices? Watch the replay below and find out where you fit in.
Tier 0: We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
I just finished Season 1 of Showtime’s ‘Billions’ and can’t resist calling out the horrible IT security on a key character’s laptop. ‘Billions’ centers on a multi-billion dollar CT hedge fund and federal prosecutors looking to take them down for financial crimes. [Spoiler Alert] As season 1 nears an end, US Attorney Chuck Rhoades easily logs into the laptop of his wife, who is also the hedge fund’s in-house psychiatrist. On the laptop he finds the incriminating evidence necessary to potentially take down Mr. Billions (aka Bobby "Axe" Axelrod).
From an IT security perspective, there were so many things wrong with this scene, but I’ll highlight three that any hedge fund, regardless of AUM, should consider:
First up: password security.
In ‘Billions’ they broke the golden rule of NEVER sharing your password, but beyond that, multi-factor authentication should have been implemented. Multi-factor authentication is established by requiring at least two authentication factors that are knowledge based (password), possession based (something you have – token, mobile phone) and/or inherence based (something you are – fingerprint or eye scan).
Eze Castle Integration’s Eze Managed Suite offering includes two-factor authentication via a tool called Duo. Duo combines knowledge based (password) with possession based (smartphone) authentication factors.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk: