The importance of employee security awareness cannot be overstated. We hear and read stories too often about employees being victims of social engineering schemes. From downloading malware to falling for a wire transfer scam, these occurrences not only have financial implications for an investment firm but can also impact an employee personally and directly.
Most employees who fall prey to social engineering tactics never intend to hurt a company. In cases of wire transfer scams, for example, often an employee doesn’t follow the appropriate checks and balances at the firm or is being too "responsive" in order to impress a colleague or boss.
Just last week we learned of yet another inbound ransomware email (subject line: debt fax from <your domain here>) that had the ability to impact hedge funds if opened by an employee.
Pop Quiz: Phishing Email Example
Following is an example of the type of phishing or imposter emails that enter employees’ inboxes. Would your employees catch at least one of the items that make this email suspicious? Note the sender email address, which includes Eze Castle Integration’s domain, the balance due amount and the type of company (medical) sending the invoice. You may (and hopefully do) have advanced email security mechanisms in place, but you still have to train your employees because scams are only going to get more sophisticated.
Security Awareness Tips for Your Hedge Fund Employees
Phishing attempts can occur via email, phone, instant message, SMS or social media. Here’s what to look out for:
Check the sender email address as well as “to” and “cc” fields
Is it personalized? Be wary of generic greetings
Improper spelling and grammar can be giveaways as well
When evaluating technology providers, there are a number of factors to consider when determining which is the best fit for your firm. One important, and often overlooked, criterion is the quality of the Help Desk. Alternative investment firms rely heavily on technology, but no technology is completely infallible. In the event of an unexpected issue, having a knowledgeable, experienced Help Desk at your fingertips is essential.
So, what makes an exceptional Help Desk?
In this article, we will take a look at some critical considerations and provide guidelines for what to look for when selecting a Help Desk provider for your firm.
The financial services industry is currently under tremendous pressure to meet both investor and due diligence requirements. Thus, it is increasingly important to maximize technology to meet these pressures. To conclude our six-part hedge fund launch webinar series, we spoke with Eze Castle Integration’s own managing director Vinod Paul, who shared insights about current IT challenges and demands and how today’s hedge funds can employ best practices for operational excellence.
Key Priorities for New Managers
Paul defined cybersecurity and scalability as two primary technology considerations for new managers. You must first understand your firm’s specific vulnerabilities and exposures. One of the most common mistakes new launches make, according to Paul, is assuming that they only require the bare minimum in terms of technology. He urges new managers to pick an IT solution with operational growth in mind, considering the business not as it is at the onset, but as it will be in three to five years.
Service Provider Selection Criteria
Paul continued to place emphasis on customized IT, stating that when it comes to outsourcing, it is imperative that a firm carries out proper due diligence in choosing a provider to meet the firm’s unique needs. “You want to enter into a true partnership that offers open lines of communication, flexibility, and ultimately, trust and accountability,” he said. Brand and reputation, long-lasting relationships with clients, and industry experience are some of the criteria Paul feels are most important when selecting a service provider. “Don’t step into it with the attitude that a current provider is good enough, for right now,” he cautioned. The service provider should not only address day-to-day operations but also anticipate potential problems down the road.
Freshness, simplicity, clarity. Words we may use to describe the Spring season. While we wait for warmer winds to come sweep away the chaos of winter, it may also be time to freshen up our digital ecosystems. Below are some tips to help with your spring cleaning process, whether you are looking to tighten up your personal security situation or aiming to stay on top of enterprise-wide security concerns for the sake of your business.
Get rid of “junk”. Old photos, videos, and archives take up disk space and slow performance.
Check up on unused software. First, see what its actual purpose is. If it’s not something you use or need, uninstall it. Every program you remove is one less piece of software that malware can target.
Install program updates. Updates include critical security patches that combat ever-morphing computer viruses.
Refresh passwords. Make sure your passwords vary across different platforms. Use a combination of numbers, special characters, and upper and lowercase letters. If you are an administrator, flag accounts that have not undergone a password change in three months.
During part 5 of our 6-part Hedge Fund Launch Webinar Series, we discussed the real estate frontier for startups with guest Ben Friedland, Executive Vice President at CBRE in New York, and his colleagues.
When searching for a space for your firm, “The trickiest part is the great unknown,” said Friedland, expressing perhaps the most common sentiment of new managers. “Flexibility,” he continued, “is the most important factor.” As a new manager, you must be willing to ask yourself: How is my firm going to do? Will it double in size in a year, or shut down?
This uncertainty calls for careful consideration of what type of space is best suited for your firm. Friedland described four typical types of spaces:
Temporary office suites; and
Whether you're shopping around for new outsourced providers/business partners or just reevaluating them, it’s always important to consider the vendor’s approach to continuity and how that could impact your business. If your firm has a comprehensive business continuity plan in place and you conduct regular BCP tests, you might think your responsibility ends there. However, if the service providers that you engage with do not also have proper disaster recovery systems and business continuity plans and test said plans regularly, they are exposing your firm to serious risk and may be the weakest link in your continuity or recovery.
To properly conduct reviews and discussions with vendors and business partners, firms should have a series of questions and discussion points ready. Four critical areas you may want to review include continuity program activities, disaster recovery system details, business continuity procedures, and communication practices.
Continuity Program Activities: This would include ensuring that the vendor or business partner regularly reviews and updates necessary plans and procedures. Do they conduct ongoing tests of their disaster recovery systems? They should also be testing and exercising their business continuity plan. Lastly, it’s also critical that they provide employees with necessary training on these plans, both at the outset of the plan implementation and at least annually.
Disaster Recovery Systems: During vendor discussions and evaluations, ensure your business partners identify the location or locations where data is backed up. They should also identify the recovery time objectives (RTO) for that data, and you should compare those targets with the RTO outlined in the existing plan. This matters because the RTO defines the point after a disaster at which you are expected to regain access to critical systems and data. If RTOs are unclear, you run the risk of being unable to work or access the data or information you need, potentially disrupting clients and even violating contracts or regulations.
In the last decade, the financial services industry has seen a dramatic increase in the number of high-profile cyber-attacks. Data breaches have risen in frequency, sophistication and risk impact. In light of this trend, emerging and established firms alike must consider measures to mitigate these growing risks. During this week’s session of our Hedge Fund Launch Webinar Series, Nicole Segal and Gamelah Palagonia of Willis Towers Watson spoke with us about how to leverage cyber and privacy liability insurance, and offered insight into the evolving nature of cybercrime.
“In the past two years, there’s been more talk than action,” Palagonia began. In the past, most hedge funds didn’t feel like they had exposure because they weren’t collecting personally identifiable information (PII) or credit card information. Now, with the threat of ransomware and damage to digital assets looming, hedge funds are increasingly interested in cyber insurance. Our guests acknowledged, however, that new SEC guidelines have also played a large role in shaping how firms consider cyber insurance. “There was a shift at the SEC level from a compliance-based to risk-based approach,” said Palagonia. “You can’t just wait until an event happens to remediate it.”
Segal noted that despite increased regulatory exposure, the general insurance market for hedge funds has reacted quite favorably. In the past two or three years, many insurance companies have entered the marketplace to underwrite hedge funds on both the property and casualty side. Rates are dropping dramatically, and coverage terms are relatively favorable at this point in time. For example, many of the required coverages for startups come in business packages at oftentimes reasonable costs. This must-have coverage typically includes property & casualty, general liability and workers’ compensation.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common, it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
This week, we had the pleasure of speaking with Shelly Rosenweig, Partner at Haynes and Boone LLP, who discussed the importance of compliance as well as the 2016 examination priorities of the SEC. Throughout the webinar, Shelly reminded attendees about the importance of undertaking compliance measures right at the start of a launch, not only for regulatory purposes, but to demonstrate a commitment to compliance to prospective investors.
2016 SEC Examination Priorities
There are four priorities for the SEC that any startup manager will want to be aware of:
Exempt Reporting Advisors (ERA) – An exempt reporting advisor is any advisor that takes advantage of the venture capital fund advisor exemption or the private fund advisor exemption. The private fund advisor exemption is available to investment advisors whose clients are solely private funds, who have less than $150 AUM, and who are not required to be registered as an advisor in the state where their principal office is located. In November of 2015, OCIE began to examine ERAs as part of their routine examinations.
What can ERAs do to prepare?
Ensure your information provided on your ADV application is accurate and consistent. The ADV application is required to be updated annually and when changes occur.
Make sure marketing and advertising materials are in compliance with the anti-fraud provisions of the Advisers Act, which prevent advisors from engaging in manipulative activity. For example, advisors are surprised to learn that performance returns may only be disclosed to prospective investors in certain instances.
Confirm you are in compliance with the “pay to play” rule under the Advisers Act (Rule 205). Pay-to-play generally refers to various arrangements by which advisers may seek to influence the award of advisory business by making or soliciting political contributions to government officials charged with awarding such business.
Comply with the Books and Records Requirements under the Advisers Act. This technically only applies to registered advisors, but the SEC has championed the importance of organized record keeping. These records fall under two categories, the first being general accounting. These are business records, such as a ledger of sales. The second is additional records, such as memos describing disciplinary events.
A virtual family office is a lean single family office that uses a high level of outsourcing to keep the staff as low-cost and flexible as possible. A virtual family office and a single family office are essentially one and the same, but the former model is most typically used by families with just $20M-$200M in assets under management, where a customized model is needed but not all of the overhead and support of a fully-fledged single family office.
Virtual family offices first gained modest popularity in the 1990s, particularly in London, Zurich, and New York, as wealthy families heard about the benefits of having their own single family office and desired the direct control that can be designed into such a structure. As the family office industry has expanded over the past 20 years, this term has become more common and will likely gain traction in the future as families continue to seek out customized, affordable family office solutions.
Three Benefits of a Virtual Family Office
One might wonder why a family would set up a virtual family office rather than hiring a multi-family office or establishing a full-fledged single family office. Here are the three benefits of a virtual family office that are most often cited by families:
Direct Control & Flexibility: If you don’t like one person on the team, you replace them; if you want to reshape your team, your portfolio, etc., you can do so swiftly at your own discretion. If you hire a multi-family office or wealth management firm instead of a virtual family office, you may feel “stuck” with the team that is assigned to you and have little flexibility to pursue a different wealth management approach. Many families have recently wanted to conduct more co-investments and club deals, for example, and a team may be re-built around that need very quickly.
Diverse Investment Perspectives: If you hire a Chief Investment Officer (CIO) to only manage your family’s wealth, they may soon lose track of what other families are investing in and techniques they are using. Inside of a virtual family office, however, you could use a multi-family office asset management service or outsourced CIO. You could negotiate the management of liquid assets or additional areas of your investment portfolio to be administered by a leading multi-family office and they would gladly accept your business.
In my experience, this is not common practice but it can be a tremendous benefit for families that use this strategy. Most virtual family offices hire an outsourced CIO who helps hire and fire investment fund managers, reviews deal flow, helps manage real estate investments, and is responsible for the overall investment portfolio design and risk management. In either case—hiring a multi-family office or outsourced CIO—you get the benefit of using the best practices collected from serving multi-family offices, but within the structure of a single family office. Yes, you can gain this perspective as a traditional single family office, but likely at a higher price point, which leads us to the next benefit.