The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a startup, it's important to demonstrate to investors that you take your business seriously, hence, investments in operational excellence are required. On the cybersecurity front, that means leveraging technology infrastructure with robust, security-rich features including intrusion detection and ongoing traffic monitoring, regular vulnerability assessments and next-generation software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes – whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes will focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks or internal breaches, (2) training firm employees on said policies and current cyber threats, (3) cultivating a culture of security awareness from Management down, and (4) managing an effective risk programme via external vendor oversight.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans – comprehensive documentation of the firm's corporate security initiatives. This should include technical and administrative safeguards being employed to secure confidential data. In the development stage, firms will need to identify systems and plans currently being used, technical procedures and systems in effect, employee access controls relative to confidential data as well as user responsibilities for both prior to and in the event of a data breach.
Unless you’re living under a rock, you’ve at least heard rumblings about the newest app craze to hit the market: Pokémon GO. In existence for a mere 6 days thus far, Pokémon GO has already amassed more daily users than Twitter and Snapchat. And we’re not just talking about kids and millennials here. The app seems to be, perhaps unexpectedly, popular with users of all ages.
The potentially big concern to be aware of is the information users are making accessible to the app’s developer, Niantic Labs. To play the game, a Google login is required (unless you have a login with Pokémon), meaning the permissions you grant to the app include giving access to your full portfolio of Google accounts. That means email, contacts, calendar, photos and files. Even scarier, if you use Google Apps for Work, what information are you unwillingly providing to Pokémon GO?
If you’re a public cloud user and leverage Google Apps for corporate purposes, it’s worth taking the time to research the potential privacy and security impacts if your firm’s users also happen to be Pokémon GO users. At just six days old, there’s likely plenty more to be learned from the app, and the developer will likely be sharing more information in the near future on security permissions and settings.
At Eze Castle Integration we often reference data center tiers (i.e. Tier II and Tier III) in our written materials and assume readers will automatically understand the value of these distinctions. In some cases this might be a safe assumption, but you know what they say about assuming so we’ll do a refresher in this blog post.
Data center tiers – Tier I to IV – represent a standardized method to define the uptime of a data center. The tiers are useful in measuring:
Data center performance
Return on investment (ROI)
Categorized under: Cloud Computing
When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
There is a lot of change happening across the investment management industry, as hedge funds and alternative firms deal with uncertain markets, regulatory pressure and a fiercely competitive landscape. As a result, hedge funds are becoming smarter and thriftier. Budgets are tightening, and with increased demands from investors and regulators, funds now face greater challenges than ever before.
A key challenge in today’s landscape is weighing cost versus benefit when it comes to maintaining internal hedge fund operations and technology. Back in the aftermath of the 2008 economic crisis, operational cuts were made across personnel, infrastructure and everywhere in between. Funds rebounded in recent years, but with global challenges (e.g. Brexit) looming and a tough economic market for investments, fund managers are once again looking to maximize efficiency and operations across the organization.
How does a firm go about maintaining their existing levels of performance and efficiency while also trimming costs and anticipating changes that cannot yet be defined? Determining what a fund should be evaluating is half the battle; developing an actionable game plan and executing it is the hard part.
Hedge Fund Staffing
People are the foundation of a company no matter what the size. Ironically, managing the day-to-day operations are not tasks that investment professionals typically have experience with or have much interest in. In order to create a performance-driven hedge fund operating staff, fund managers should identify and define the roles and responsibilities of each staff member.
Setting individual and group goals and objectives, as well as a clear method for achieving these, is one of the most important things a fund can do in order to maintain an effective, scalable staff. If a hedge fund does not have a sound staffing and operating model, managers may find that certain operational tasks are not being fulfilled, which could lead to portfolio or compliance risk.
There's a lot to be mindful of when it comes to cybersecurity. Experienced and savvy hackers. Insider threats. Regulatory guidance updates and subsequent enforcement actions. The list goes on. So how do today's hedge fund and private equity firm managers navigate the changing landscape and stay above the fray? It all starts with planning.
If you missed it, our recent webinar with law firm Sadis & Goldberg explores the regulatory climate for investment firms, recaps recent SEC enforcement actions and the variance in how compliance is evaluted, and provides practical and actionable advice for fund managers looking to address insider threats, education awareness and policy gaps around information security.
If you have a free hour, this one's worth your time.
Watch below or read our joint whitepaper, A Fund Manager's Cyber Security Action Plan.
In an alert posted to its website, the U.S. Federal Bureau of Investigation (FBI) stated that phishing email scams requesting wire fraud transfers have cost firms more than $2.3 billion in losses since 2013.
At the root of a phishing email scam is in-depth reconnaissance during which the cybercriminal delves into employees's personal information and the organization’s processes. During this phase, schemers phish languages within email threads and obtain enough information to pinpoint money-managing employees within the firm. Equipped with this insider information, the criminal sends a spoofed email, assuming the identity of the firm’s CEO or other senior executive, to an employee responsible for managing funds and requests an illegitimate wire transfer. Typically, the message will relay a sense of urgency – a key factor in the fraud's success.
According to the FBI, these email scams have increased by 270 percent (%) since January 2015. With the rise of these incipient, sophisticated attacks, the need for fully managed phishing and training programs grows exponentially. Breaches will happen, but when employees are provided with the tools and knowledge needed to recognize fraudulent emails, risk decreases and a firm’s defense system becomes stronger and more agile.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information of insurances, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees' family members and roommates should have established meeting spots if evacuating the residence is necessary. Two locations are recommended: one close to the residence and another perhaps slightly father away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at/near the closer meeting site.
Last week it was widely publicized that approximately 32 million Twitter passwords were compromised and leaked online. These days, the reality is that password leaks are all too common.
While users must be responsive to leak news and immediately change their passwords, they should also consider being proactive in enabling advanced password protections (i.e. two-factor authentication) provided by many social media and mainstream applications.
Here’s a rundown of some popular social media and other applications that provide two-factor authentication. (Note, if you aren’t familiar with two-factor authentication, read our article What Is Multi-Factor Authentication, and How Can I Use It?)
Apple: By enabling two-factor authentication, your Apple accounts can only be accessed on devices you trust. During the initial sign-in on a new device, you will need your password and six-digit verification code that's automatically displayed on your trusted devices. Once signed in, you won’t be asked for a verification code on that device again unless you sign out completely, erase the device, or need to change your password for security reasons.
Facebook: Facebook calls it Login Approvals, but the concept is the same. Once Login Approvals is activated on your account (here’s how), you'll log in with your password, and a code will be sent to your phone. The code is required to successfully log in.
Google/Gmail: Google's two-step verification allows users to protect their accounts with both a password and phone. Step 1) Sign into Google with your usual password; Step 2) You’ll be asked for either a security code that is sent to your phone via text/voice call/Google mobile app, or you can insert your Google Security Key into your computer’s USB port.
It is worth noting that during Google sign-in, you can choose not to use 2-Step Verification again on that particular computer. From then on, that computer will only ask for your password when you sign in.
Categorized under: Security
If you missed it, last week we shared the first excerpt from our newest whitepaper, A Fund Manager’s Cyber Security Action Plan, which we wrote in conjunction with Sadis & Goldberg. Today, we’re sharing our section on the risks employees pose to firm security, including both unintentional and malicious actions that can wreak havoc on an organization.
With mounting regulatory pressure, Fund Managers can no longer afford to sit idly and rely on technology to protect them from the next cyber-attack. Advanced technology systems and infrastructure protocols are, of course, critical in mitigating cyber risk, however, for the prudent Fund Manager, the list of defense mechanisms cannot end there. Even while the sophistication of perimeter security systems and vigilant monitoring tools increases, the greatest vulnerability to a firm remains within its interior: its own employees – the people who use IT systems to conduct transactions and access sensitive data.
Employees – particularly those with unrestricted access to sensitive information and financials – are a hacker’s easiest access point into a firm. Every day, more employees fall victim to social engineering schemes and phishing attacks designed to fool them.
Entering a password or financial information. Downloading malicious software. Transferring funds. Hackers are well-versed in how to trick users into committing these acts. And while not malicious (though we’ll discuss that also), these employee actions can end up costing their organizations more than money.
Let’s look at unintentional security risks presented by employees – many of which can be addressed through training and creating a culture of security.