During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
Private equity firms have been slow to embrace outsourcing, but managing data and technology is more complex than ever. With increasing regulatory requirements and a growing urge to focus on core competencies, PE firms are shifting their views of the back office. In case you missed our recent webinar on 'The Transformation of Private Equity Operations', speakers from Citco Fund Services and Eze Castle Integration examined the changing tide for private equity operations and how CFOs, CTOs and fund managers alike can control operating costs, maximize efficiency and better perfect operational workflows.
Drivers for change.
The number one reason for managers to make the switch to an outsourced solution is the desire for managers to get back to their roots. The idea of back office transformation is really founded in that managers have found themselves spending much more time doing everything but raising money and investing money.
Beneath this layer, back office transformation is also driven by regulation, investor transparency, the lifecycle of a private equity firm, and global reach. Slow adoption, fast results. The private equity sector has been slow on the uptake when it comes to outsourcing, and we contribute this lag due to lack of education on the process and benefits of outsourcing. In the past three to five years, adoption in the PE space has increased because it is cost effective, secure and feature rich. Private equity firms that have made the switch wonder why others are not doing the same. The idea of leveraging an experienced managed service provider is one that private equity firms have really embraced because there is no burden for firms to hire and attract talent, which can be challenging and expensive.
Risk. Across the financial services industry, it’s a buzzword right now, and rightfully so. Perpetuated by mounting regulatory change, growing cybersecurity threats and a challenging market climate, the focus on risk is one that grows with each passing day.
As such, we are hosting a 6-week webinar series, Risk Outlook, wherein we’re interviewing industry experts on a host of risk-related topics. To kick off the series, last week we interviewed Mark Strachan, chief operating officer and compliance officer for BBL Commodities, a New York hedge fund. Read on for a recap of my conversation with Mark or scroll to the bottom to watch the webinar replay.
Question (Q): The last 5-10 years have been challenging for the investment management industry, looking back to the 2008 financial crisis as well as with increasing regulatory initiatives and changes across the investor due diligence process. How have your views on risk and the risk landscape evolved during this time? Or have they evolved?
Mark Strachan (MS): I think they’ve certainly evolved. The core features of non-investment risk – such as operational, counterparty, regulatory, security and business risk – have been constant, but they have evolved in terms of their complexity, our experiences with them, the tools available to help mitigate exposure and the focus by investors through their due diligence process.
What Investment Advisers Need to Know About the SEC Proposed Business Continuity and Transitions Plan Rule
The Securities and Exchange Commission (SEC) recently proposed Rule 206(4)-4, which would require investment advisors to enact business continuity plans (BCPs) and transition or succession plans. This rule would aid advisers in maintaining the continuity of services in the occurrence of a business disruption.
If you missed it, our recent webinar with featuring our Director of BCP Lisa Smith and speakers from Arthur Bell CPAs examines internal, external and transition-related risks to business continuity, mitigation strategy best practices and points highlighted by the SEC within the rule.
Rather watch a video? Scroll down and listen to the full webinar replay.
Potential Risks to Business Operations
The SEC stresses that investment advisers need to assess not only external threats, but also internal threats to accurately ascertain their own risk from a holistic standpoint. This evaluation is critical to identifying the risk impact to specific capabilities and operations, as well as, how they will affect the firm’s employees, clients and third parties. Advisers should take a proactive and organized approach to creating risk mitigation programs for employee activity, as well as, required systems (e.g. email and Internet). Risk mitigation programs should include documentation of processes, segregation of responsibilities, critical tools (think cross-training), etc.
The new Apple iOS version 10, that was released today, delivers some cool new features but before jumping in we recommend you review the following upgrade steps.
Here’s why. As with any major update, there can be risks associated with early adoption until issues are uncovered and Apple has the time to debug and fix them. Eze Castle Integration has learned of some significant potential issues including risk of data loss due to incompatibilities with mobile device management (MDM) applications.
So here’s a critical to-do list before starting the iOS 10 upgrade.
FIRST - BACKUP
Backup your device. Always take a backup before updating your device.
1. The best way to do this is via WiFi at night when the device is also plugged into a power source (computer or electrical outlet). iCloud will back up your device on its own if configured correctly and provided you have enough storage. To ensure this is occurring, launch the Settings App -> iCloud -> Backup and see what it says next to “Last Backup:”. If it only states a time, then it means it backed up today and no further action is needed. If it says a date, you can back up the device by clicking “Back Up Now”. (Note: WiFi is required to back up this way). If this fails, you can back up to iTunes (see next bullet) or clients can call ECI’s Help Desk for assistance.
2. Alternatively, you can backup using iTunes. Plug the device into a computer, launch iTunes, right-click on your device and click “Back Up.”
Manually backup passwords. Ensure you know your iCloud passwords, iTunes Store password, email passwords and any other critical passwords. Write them down and test them. Then safely and securely discard that information. As a best practice, there are secure password storage applications available through the App Store.
Copy anything you can’t live without. Backup anything (i.e. photos) that you cannot live without. Do so in a way that you can verify the backup easily. One option is enabling iCloud Photo Library so you can access copies of your photos on all your other iOS devices.
The day that many Apple users wait for every year finally came - the release of the newest Apple products. From the latest iPhone to the all-new Airpods, Apple had a lot to share with us yesterday afternoon. We’ve recapped some highlights below.
Watch Series 2
Unlike the Watch Series 1, the Watch Series 2 now has a built-in GPS and is water resistant. The new processor will now be in the Watch Series 1 and the Watch Series 2, but there will be a $100 price difference between the two models.
The new iPhone 7 introduces a new camera, better performance, longer battery life, stereo speakers, the brightest display yet, and it’s the first water resistant iPhone. iPhone 7 and iPhone 7 Plus are splash, water, and dust resistant and were tested under controlled laboratory conditions with a rating of IP67 under IEC standard 60529. Battery life and charge cycles vary by use and settings, but the iPhone 7 and & 7 Plus have been tested to hold a charge up to one (7 Plus) or two (7) hours longer.
Strangely, Apple seemed quite excited to announce the introduction of two new colors - black and jet black.
The biggest change for iPhone users is the elimination of the audio port. Stepping in are AirPods, Apple’s version of wireless headphones. The iPhone 7 will come with traditional EarPods that are connected through the lighting connector (goodbye, headphone jack!), or you can use an old set of headphones using the provided adapter. AirPods are an additional cost ($159).
As we work with clients on completing due diligence questionnaires (DDQs), one increasingly common question is, “does your firm block access to data sharing sites such as DropBox or Google Drive?”
Generally the answer to this question should be ‘Yes,’ but that isn’t always the case because public file sharing services such as these are very convenient, and firms may overlook the security risk they pose. Additionally, employees accustomed to using Dropbox for personal use may be tempted to go for convenience over security when they need to share a large file or data set.
However, with security threats multiplying exponentially, hedge funds and alternative investment firms need to be proactive in protecting data and personally identifiable information (PII) from accidental and malicious insider risks. That’s why for secure file sharing Eze Castle Integration includes Varonis' DatAnywhere product as a standard feature within our Eze Managed Suite. Varonis' DatAnywhere offers users seamless and secure collaboration and file sharing across devices.
Beyond security, Varonis' DatAnywhere is easy to use. Users receive the same drag-n-drop experience as shared network drives or a cloud sync folder, which means no need for training on complex user interfaces and collaboration workflows. Additionally, data is automatically backed up and version controlled.
If you signed up to use Dropbox’s storage platform before mid-2012, you received an email last week requiring that you change your password. The notification was triggered after it was learned that both the quantity and quality of users affected during Dropbox’s 2012 hack had been significantly underestimated. Turns out back in 2012, more than 68 million email addresses and hashed passwords were stolen. Previous knowledge had indicated only usernames were affected.
The more concerning piece of news revealed this time around, however, is how hackers were able to access this information. It seems they accessed the account of a Dropbox employee (who seemingly had a file containing user information), using the employee’s own password, which they acquired from the details of the 2012 LinkedIn breach. The user was using the same password for both accounts – an error we often call attention to here on Hedge IT as a big, and potentially devastating, no-no.
The dangers of password reuse are coming to the forefront as other companies have recently alerted users to breach attempts at the hands of hackers armed with password information from other security breaches. Online backup firm Carbonite recently issued a warning to its customers about such an incident, as did Citrix GoToMyPC and code repository site GitHub.
On Thursday, August 25, Apple released iOS 9.3.5, the latest version of its iOS and one that should not be ignored. This update addresses multiple security vulnerabilities – namely three iOS flaws that cybercriminals or governments can use to steal confidential messages and eavesdrop using your device’s camera and microphone. It is recommended that all iOS devices be updated immediately.
The Story Behind Uncovering the iOS Exploit
The story behind the discovery of these iOS exploits provides a glimpse into the lucrative world of cyberwar and cybercriminals.
It all started when an internationally recognized human rights defender, Ahmed Mansoor, received two suspicious SMS text messages with hyperlinks. Mansoor identified the messages as questionable and forwarded them to researchers at Citizens Lab and Lookout Security for investigation.
Citizens Lab and Lookout, according to their report, “determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.” This spyware, known as a government-exclusive “lawful intercept” product, would have made Mansoor’s phone “a digital spy in his pocket” able to use the iPhone’s camera and microphone to monitor activity near the device. It also would have allowed for recording of his WhatsApp and Viber calls, logging of messages sent in mobile chat apps, and tracking of his movements. Scary stuff.
Phishing at Its ‘Finest’
According to a Lookout Security blog post, "the attack sequence, boiled down, is a classic phishing scheme: Send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they've been compromised."
If you haven’t already, now might be a good time to check out the Eze Managed Phishing and Training Service (after you update your iPhone of course).
What did Citizens Lab and Lookout Security Do?
The following article was written and contributed by James E. Grand, Esq. of The Securities Law Group, a specialized boutique law firm dedicated exclusively to representing investment advisers.
We are often asked by advisers who are switching firms whether they can use in their own performance presentation or the predecessor firm’s performance record at their new firm. There are two separate questions here: First; if Jill Doe moves from one firm to another, can Jill use her own performance record while she worked at the old firm in the new firm’s advertising? Second, can Jill use the old firm’s overall performance record in the new firm’s advertising?
A number of SEC staff no-action letters address these questions. These no-action letters generally take the position that an advertisement that includes prior performance of accounts managed by advisors at their prior place of employment will not, in and of itself, be deemed to be misleading so long as:
1. The advertisement is consistent with SEC staff interpretations with respect to the advertisement of performance results.
2. All accounts that were managed in a substantially similar manner are advertised unless the exclusion of any account would not result in materially higher performance. For example, in one case we know of the SEC allowed a newly registered adviser solely owned by an employee to use performance data of several accounts managed by the employee prior to registration. In other words, Jill could advertise the performance of some but not all of her prior client accounts so long as such performance is not materially higher than her accounts’ overall performance.
3. The accounts managed at the old firm are so similar to the accounts currently under management at the new firm that the performance record would provide relevant information to prospective clients.
4. The person(s) managing accounts at the new firm are also those primarily responsible for achieving the prior performance results at old firm. In other words, the individual(s) primarily responsible for achieving the prior performance results must also be the individual(s) primarily responsible for the accounts at the new firm. To put in another way, it would be misleading for an adviser to advertise the performance results of accounts managed at her prior place of employment when she was one of several persons responsible for selecting the securities for the adviser’s clients. The question is whether she was actually responsible for making investment decisions without the need for consensus from other advisers (e.g., an investment committee, etc.).
5. The advertisement includes all relevant disclosures, including that the performance results were from accounts managed at another firm.