This article first appeared in Hedgeweek's September 2014 Special Report on Risk Management.
Cyber security has quickly become a headline risk for hedge fund managers. On 15 April 2014, the SEC issued its Cyber-Security Risk Alert, a detailed 26-point questionnaire that aims to address various elements of a hedge fund’s technical and operational infrastructure to determine how vulnerable it is to cyber attacks and data theft.
This initiative is being driven by the SEC’s Office of Compliance Inspections and Examinations. It will assess 50 individual firms and, based on its findings, will draft a set of final guidelines for hedge funds to adhere to. This is essentially a way to address ‘technology risk’ and implement best practices through documentation in the form of a Written Information Security Policy (WISP).
According to Assured SKCG Inc, an insurance advisory firm, 37 per cent of security breaches between 2012 and 2013 affected financial organisations. Hedge funds are a high profile target. Establishing a WISP and becoming as data secure as possible is critical.
At Eze Castle Integration, the phones haven’t stopped ringing as clients look to address any gaps in their IT infrastructure and operational policies.
The North American Securities Administrators Association (NASAA) recently released survey results of cybersecurity practices of 440 registered investment adviser firms across nine states. The purpose of NASAA’s pilot project was to better understand cybersecurity practices of state-registered investment advisers, how they communicate with clients and what types of policies and procedures they currently maintain. Of those surveyed, 47% have assets under management of less than $25 million, 37% manage more than $25 million and 16% do not manage assets. In today’s post, we will share our favorite graphics and findings from the organization’s survey.
Client Contact via E-mail and Use of Secure E-mail
NASAA's survey reported 92% of investment firms contact clients through e-mail and/or other electronic messaging and only 54% of that group utilizes secure email. While 14% were unsure, a staggering 30% responded that they did not utilize secure messaging whatsoever.
Cybersecurity is a hot topic -- and rightfully so -- as headlines tout new vulnerabilities or incidents with increasing frequency. In the fight to prevent attacks, technology safeguards are typically the focus. A firm must have layers of security that include, but are not limited to, anti-virus, firewalls, intrusion detection systems and Internet monitoring and reporting, as well as procedures that restrict and monitor access.
However, beyond technology, the role employees play cannot be underestimated. The reality is that employees can be one of a firm’s best lines of defense or its weakest link. The deciding factor in which way it swings often comes down to access control policies and cybersecurity training.
Getting the Access Right
Employees require access to the data necessary to complete their job functions. But beyond that, firms should be limiting what data employees have access to. It’s not about not trusting your employees, but more so about not trusting the technology behind those employees. The less data employees can get to, the less damage can be done via an internal breach or external hack.
The SEC Cybersecurity Risk Alert issued in April 2014 highlights the importance of access control by asking about the controls a firm maintains to “prevent unauthorized escalation of user privileges” and how firms “restrict users to those network resources necessary for their business functions.”
Part of a firm’s cybersecurity planning must be defining how company data is protected, where it is located and who has and needs access. Once access levels are defined, they must be reviewed at least annually to ensure adherence firm-wide.
Security has been THE topic of 2014 thus far and was amped up last week when many A-list celebrities’ phones were hacked and racy photos released. The hack was allegedly the result of an iCloud infiltration, prompting many Apple users to question the company’s privacy settings. In response, Apple CEO Tim Cook released a letter to consumers, and the company’s website will now feature a privacy section.
Apple’s privacy site includes details on both the built-in security features within Apple devices as well as how users can manage their own privacy settings and tailor them to individual needs. Here is a brief snapshot of some security functions highlighted:
Built In Privacy
iMessages and FaceTime calls are protected with end-to-end encryption
iMessages and SMS messages are backed up to iCloud, but can be turned off by the user
All iCloud content is encrypted in transit and when stored (in most cases)
iCloud Keychain allows users to create strong passwords and stores them securely without giving Apple access
Safari blocks third-party cookies on all devices and offers private browsing
We’ve tapped the expertise of nine experts in the hedge fund startup space to share their thoughts on a range of topics specific to emerging hedge fund managers. Below are some highlights, and you can read the entire Emerging Managers Insight Series eBook here.
Set a realistic schedule to launch and don’t rush to get the hedge fund up and running too quickly. Take the time to partner with the right service providers that will support your business from the start and as you grow.
Budget for a marketer in your first two years of operation. If you look at the largest funds in the industry, they all have substantial investor relations teams that keep current investors informed while prospecting for future investors.
Capital introduction is a much sought after service from prime brokers which can be very helpful in providing a new hedge fund exposure to potential investors. Take advantage of introductions and begin to build relationships with potential investors.
Last week our SVP of client technology, Steve Schoener, presented at a hedge fund due diligence event on the topic of protections in the cloud.
Since cloud security and ensuring a hedge fund’s data is protected are such hot topics, we thought we’d share his presentation. In a nutshell, the presentation looks at the layers of security that should be built into a cloud environment, which includes deep and detailed practices around:
Principle of Defense in Depth
Principle of Least Privilege
Audit & Logging
Secure User Authentication Protocols & Encryption
We all make mistakes, but when it comes to technology and hedge fund operations, mistakes aren’t an option. So let’s look at seven common cloud mistakes we see hedge fund firms making and talk about how to avoid them.
Mistake #1: Not Sizing Bandwidth to Business Needs
Determining the right amount of bandwidth comes down to the types of services being delivered and user expectations. Nothing ruins a cloud or really any computing experience like sluggish application and Internet performance.
Beyond bandwidth, firms must also consider latency. While latency issues don’t impact all applications (e.g., email is relatively insensitive), for others it is a killer. Latency has little place in trading applications or voice over IP services. When moving to the cloud, have a realistic conversation with the hedge fund cloud provider about the amount of bandwidth your firm really needs.
Mistake #2: Not Planning for Applications
Not all cloud platforms are equal, especially when it comes to supporting hedge fund specific applications such as Order Management Systems or Portfolio Accounting Systems. While a hedge fund may not launch on day one with one of these applications, there is a good chance it will require one in the future. To help mitigate future growing pains, a hedge fund should plan for the future when evaluating cloud providers. Being shortsighted can result in future disruptions and integration pains.
Following the steadily growing hype for the new iPhone 6, CEO Tim Cook put all rumors to rest at their San Francisco event today. Apple revealed not one, but two iPhones, boasting significantly larger screens to compete with Android smartphones. The iPhone 6 and the iPhone 6 Plus are expected to hit stores on September 19th, and response has already been overwhelming.
Both iPhones will come in Apple’s standard gold, space gray and silver, and instead of the straight-edged look of iPhone generations 4 and 5, they have curved sides and the thinnest body of any iPhone to date. The iPhone 6 has a 4.7-inch screen, while the iPhone 6 Plus appeals to all the “phablet” users with its 5.5-inch screen. Pricing starts at $199 with a two-year contract for the iPhone 6 16GB and $299 for the iPhone 6 Plus 16GB.
With the new iPhones comes the unveiling of the awaited iOS 8, which also includes some features that will be useful with the iPhone 6 and 6 Plus’ large screen. “Reachability,” for example, allows the user to reach the top of the screen without having to reach across the screen by double touching the Touch ID. There will be more content available in Messages, including face images of the recipient. The iSight camera focuses automatically and continuously when taking photos and videos. And now, for the first time, the user has the ability to view the home screen horizontally. iOS 8 will be available to download for free on September 17th.
Last month we covered the five myths about Voice over IP (VoIP) in preparation for the general availability of our next generation Eze Voice service. In case you don’t recall, the myths we debunked were:
MYTH 1: Poor Call Quality – Everyone Will Know I’m on VoIP
MYTH 2: VoIP is Unreliable – I’ll Experience Downtime
MYTH 3: I’ll Lose Critical Functionality Required by My Investment Firm
MYTH 4: I Can’t Keep My Phone Number
MYTH 5: Someone May Hack My Phone System
Now that Eze Voice is officially here and already being used by many clients, we wanted to give it a little shout-out, so here goes. Eze Voice is an innovative hosted voice solution that combines high levels of redundancy and quality of service with the communication features financial firms require.
The newest version of the Eze Voice service leverages Eze Castle Integration’s premier global cloud platform, Eze Private Cloud, and is ideal for firms that want to benefit from the flexibility, scalability and cost-effectiveness offered with a cloud-based voice service. Featured benefits of Eze Voice include:
Here at Eze Castle Integration, we’re not ready for summer to end! This year, we decided to ask our employees how technology enhanced their sun-soaked season.