It's been a remarkable and evolutionary year for the hedge fund industry, and it's hard to believe it's coming to a close. As we wrap up these final moments in 2015, we'd like to wish everyone a happy New Year! We look forward to seeing you in 2016.
If you’re a loyal Hedge IT reader, you may remember we highlighted a few simple dos and don’ts that, when utilized, can go a long way in shoring up your firm’s security. To make it easy, we’ve put these tips together into a video. Take a look below and discover a vast range of security tips and tricks from email encryption to proper security measures for protecting computers and mobile devices.
With the holiday season upon us, we'd like to wish all of our clients, partners, friends and colleagues Happy Holidays and a healthy, successful 2016!
Click below to view our 2016 holiday e-card.
Welcome back for our monthly Eze Tech Tips Video.
2016 is just around the corner, which means we’re entering resolution time and the hedge fund launch season. So, here’s our list of the top four hedge fund IT mistakes you need to resolve not to make in 2016.
Times have changed. There is little doubt that the hedge fund industry has evolved in recent years with the rise of new regulations, the widespread adoption of cloud services and a deep focus on cybersecurity risks. These changes have affected the way many firms do business on both operational and technology levels.
But what effect do these changes have for the person responsible for technology at a hedge fund or investment firm? As a Chief Technology Officer (or comparable role: Director of IT, Chief Information Officer, etc.), one has historically been responsible for day-to-day IT functions and routine technology refreshes. But as the industry has experienced rapid change over the last several years, so too have the CTOs and their responsibilities.
Operational due diligence has become a hot topic that continues to gain importance and attention throughout the alternative investment industry. Over the past few years, as regulations have changed and investors increasingly seek transparency, funds are spending more time than ever preparing for the due diligence process.
It is no surprise that the investment industry landscape is becoming more and more competitive. As this trend continues, investors are raising their expectations and looking towards funds that display the highest levels of operational excellence. One important way to ensure your firm meets these high standards is to complete a due diligence questionnaire (DDQ) that can be shared with potential investors.
A comprehensive DDQ covers a wide range of topics, from assets under management to audited financial statements and investment strategies. One major area of focus is the fund’s IT and accompanying cybersecurity policies and procedures. At Eze Castle, we frequently assist our hedge fund clients in completing the technology sections of DDQs, and we often see the same types of questions popping up. So, to help you get started, we have compiled the following list of frequently asked DDQ questions.
Earlier this week we presented at a Wells Fargo Prime Services breakfast briefing on cybersecurity. During the discussion, Stuart Levi of Skadden reminded attendees that the SEC has clearly defined (and communicated) its cybersecurity expectations. He recapped the following six areas advisers must have covered to demonstrate preparedness to regulators.
1. Risk Assessments
4. Access Control
5. Vendor Management
6. Information Sharing
Here's Eze Castle Integration's take on these focus areas:
#1 Risk Assessments
The April 2015 SEC Cybersecurity Guidance Update goes deeper into risk assessments expectations. Here are some key cyber risk assessment takeaways:
Define what confidential data is and determine how it's protected.
You must also understand where your data is located, how it is collected and who and what technology systems have access to it.
Registered investment advisers should have a clear understanding of the threat landscape, including potential internal and external risks as well as unique vulnerabilities specific to the firm. Evaluate a variety of potential scenarios as well as their likelihood to occur.
Once firms understand the risks facing their organization, they must conduct assessments of the existing controls and processes to ensure they account for the risk landscape and put the appropriate safeguards in place.
Be sure to understand the potential impacts of various cyber risk scenarios and outline specific protocols for incident response and quick resolution. The impact of cybersecurity incidents can range from financial to technological to reputational.
Finally, testing and assessing the governance structure, including administrative and technical safeguards, is key to ensuring effectiveness.
Gone are the days of management simply outsourcing responsibility to third-party experts and trusting them blindly. Telling the SEC, “we hired the best security consultant,” won’t cut it. Today management must understand their firm’s security posture and be able to outline the safeguards that are in place to minimize risk.
Additionally, management must instill the importance of security preparedness in all employees by making it a top-down priority.
Mobile devices have transformed the way we manage our everyday lives: from how we track our bank accounts, to interacting with friends and family, to booking travel, and so on. Everything you need is at your fingertips, but are you taking the proper security measures to protect your device? Below are a few tips to help keep your smartphone’s data safe.
Set a Password: When you do not set a password to lock your phone, anyone who obtains possession of the device has instant access to all of your apps that automatically log in upon launching. This is a simple security measure to take, and yet, according to Consumer Reports' annual State of the Net Survey, only 36 percent of smartphone owners have a passcode. From a business use perspective, any device that accesses corporate email or networks should have a complex password and be managed by mobile device management tools such as AirWatch or Good Technology.
Mobile Security Apps: Looking to the future, we expect the adoption of mobile device security apps that provide antivirus, privacy and anti-malware protection to increase. And for good reason. According to the June 2014 McAfee Labs Threat Report, mobile malware has increased by 167 percent in the past year alone. Companies, such as AirWatch, aim to ensure your enterprise mobility deployment is secure and corporate information is protected with end-to-end security.
If you’re one of the seemingly few firms who has yet to make the move to the cloud, it could be for a variety of reasons. Perhaps you want to maintain total control of your IT environment. Or maybe you’re waiting for a tech refresh to motivate you. Alternatively, it could be that you just haven’t made the proper case to management for switching to the cloud – and many times the one who really needs convincing is the Chief Financial Officer (CFO).
If you’re the Chief Technology Officer (CTO) or IT Manager, your responsibility is determining the infrastructure choices that are going to best suit operations at your firm. But those priorities may not line up exactly with those of the firm’s CFO. IT doesn’t always have insight into the financial ramifications of an operations decision of this magnitude. Instead, IT is typically focused on the other benefits, including personnel reallocation, workflow efficiencies, etc.
The CFO, on the other hand, is ultimately tasked with ensuring the company’s financial decisions are appropriate, and therefore, it’s often advantageous to at least attempt to speak his/her language when pushing for an IT change.
The Financial Industry Regulatory Authority (FINRA) recently issued a notice that it has filed a rule that became effective on November 30, 2015. This rule, known as Rule 4380, grants FINRA the authority to designate member firms to participate in FINRA’s annual Business Continuity/Disaster Recovery (BC/DR) testing under Regulation Systems Compliance and Integrity (Regulation SCI).
Regulation SCI was adopted by the Securities and Exchange Commission (SEC) in November 2014. It sets out specific requirements for FINRA to “establish, maintain, and enforce written policies and procedures that address, among other things, business continuity and disaster recovery," and as part of that FINRA must designate member firms to participate in testing of its BC/DR plans. The SEC’s adoption of Regulation SCI can be tied to experiences such as Superstorm Sandy, which caused the securities markets to close for two days.
FINRA Notification Process and Designation Criteria
FINRA will privately notify firms that meet the standards for designation. This will happen at least 90 days prior to the testing date. For the most part, the designation criteria are based on volume of activity over a specified time period, which equates to roughly 5-9 firms designated per system.
The following table provides details on the criteria designations.