If you missed it, last week we shared the first excerpt from our newest whitepaper, A Fund Manager’s Cyber Security Action Plan, which we wrote in conjunction with Sadis & Goldberg. Today, we’re sharing our section on the risks employees pose to firm security, including both unintentional and malicious actions that can wreak havoc on an organization.
With mounting regulatory pressure, Fund Managers can no longer afford to sit idly and rely on technology to protect them from the next cyber-attack. Advanced technology systems and infrastructure protocols are, of course, critical in mitigating cyber risk, however, for the prudent Fund Manager, the list of defense mechanisms cannot end there. Even while the sophistication of perimeter security systems and vigilant monitoring tools increases, the greatest vulnerability to a firm remains within its interior: its own employees – the people who use IT systems to conduct transactions and access sensitive data.
Employees – particularly those with unrestricted access to sensitive information and financials – are a hacker’s easiest access point into a firm. Every day, more employees fall victim to social engineering schemes and phishing attacks designed to fool them.
Entering a password or financial information. Downloading malicious software. Transferring funds. Hackers are well-versed in how to trick users into committing these acts. And while not malicious (though we’ll discuss that also), these employee actions can end up costing their organizations more than money.
Let’s look at unintentional security risks presented by employees – many of which can be addressed through training and creating a culture of security.
In case you missed it, the SEC just announced this week that it levied a $1 million fine to a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”) are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.
It’s no secret that investment manangement firms (including hedge funds and private equity firms) have historically been divided over the use of public and private clouds. We’ve discussed it in depth here on the Hedge IT Blog, explaining the differences between the two and why most funds are choosing to go with a private cloud solution.
A case can be made, however, that there’s a time and a place for each cloud platform and both offer their own advantages for financial services firms. We’ve taken a look at some of the key areas firms will consider when looking at public and private clouds and identified which we think comes out on top.
Service & Support
Investment firms demand uptime to ensure operational efficiency and profitability. Public cloud providers, however, do not offer investment-specific IT support and rather have limited customer service representatives troubleshooting the most basic of email and desktop support issues.
Financial services firms are increasingly interested relying on third-party service providers to increase efficiencies and benefit from industry expertise. While outsourcing has grown, however, regulatory bodies such as the Securities & Exchange Commission (US) and Financial Conduct Authority (UK) have begun to evaluate outsourced relationship and provide guidance around how investment management firms should engage and manage these partnerships. In 2015, the FCA drafted a “guidance for firms outsourcing to the ‘cloud’ and other third party services.”
The document aims to ensure that risks associated with outsourcing are appropriately identified and managed. Thirteen key areas of consideration are highlighted below.
Legal and Regulatory Considerations. In undertaking the due diligence process, an investment firm should consider and compare operational risks associated with outsourcing to various providers (e.g. public vs private cloud) as well as any specific legal or regulatory obligations. Firms should identify and record contracts with all service providers, ensuring that compliance with any relevant requirements lives throughout the supply chain.
It's time for another Tech Tip video! Today, we have five security practices your investment firm should not overlook. Watch and learn!
This article was written by Bob Guilbert, Managing Director, and first appeared in Hedgeweek's 2016 Guide to Setting Up an Alternative Investment Fund in the USA.
You're a new fund manager, and somewhere on your task list the letters "IT" are probably followed by a question mark. Odds are, you don't have a technology background, so as your firm's Chief Operating/Financial/Compliance Officer (or in some cases, Portfolio Manager), the sudden responsibility you've undertaken as your firm's de facto IT Manager is intimidating at best.
The good news is, as a startup, your IT options are pretty clear. In 2016, there's no better technology decision a new firm can make than selecting a cloud platform – an infrastructure that has proven benefits including scalability, flexibility and robust security, among others. And while the thought of hosting IT offsite was once a worry for allocators, today's investors find comfort in knowing hedge fund and alternative investment firms are focusing on their investment priorities and leaving the technology decisions to the experts.
From our perspective, the cloud is now a tried and tested infrastructure environment that is acceptable to the institutional investor community. They have become very thorough in their operational due diligence process, understanding exactly what cloud providers provide from an operational, management and security perspective. This has allowed managers to become much more comfortable at appointing a cloud provider to deliver an infrastructure that will perform well in any type of trading environment.
Where managers need to spend their time is deciding on the best cloud provider to work with, as opposed to thinking about whether or not they should use a cloud provider in the first place.
And how exactly do emerging fund managers embark on that decision-making process?
Whether you are preparing to launch a new hedge fund, considering expanding your established firm to another geographical location, or simply interested in relocating to a new space, there are a few important real estate options to consider, including commercial space, subleases, and hedge fund hotels. Today, we will delve deeper into one of these primary options, hedge fund hotels (also known as “managed suites” or “executive suites”) to analyze the benefits of this type of real estate.
You’re about to embark on a business trip or drift away with the waves and a margarita or two on an overdue vacation. To let your clients, partners, colleagues, and the like know that you won’t be able to respond to their emails, you create an out-of-office message.
The typical auto-reply includes a brief explanation of why the recipient is out of the office, an approximate date of return and who the sender can alternatively contact. You may also list your chain of command and if you manage multiple departments, perhaps include the names and contact information for each division. Although this may appear innocuous to the untrained eye, those who are well-versed in information security, or simply read the latest cybersecurity headlines, would immediately cringe at the various red flags.
Let’s examine the probable scenarios that could transpire upon the auto-reply’s launch.
Physical Security Threat
Auto-replies that disclose travel details pose a physical threat as they provide criminals or intruders with the recipient’s whereabouts. Regardless of whether location is provided, one can link travel dates to a popular industry trade show. Criminals may gather this information from other resources, such as a company’s posts and images shared across social networks (e.g. Twitter, Facebook).