During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that they take cybersecurity risk seriously and have implemented sound systems, policies and procedures to address it. As the threat landscape and technology continue to evolve, investment management firms need to evolve with them and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to mitigate as much risk as is practical.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors for functionality or capabilities that they need or want but cannot produce cost-effectively on their own. Moving functions outside the firm's control, however, presents challenges: with any outsourced function, the firm inherently takes on additional risk at the hands of the third party, and it is critical for investment managers to limit that risk through sufficient due diligence. To manage vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate each vendor's security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should provide the same level of security (or better!) as the firm would if the function were under in-house control.
In the context of information technology, social engineering refers to the act of tricking people into divulging confidential or sensitive business information or into breaking security policies. This form of attack gets into companies through their weakest access point, which in most cases is the firm’s employees.
The Art of the Phishing Con
Let’s examine a popular social engineering technique known as phishing. In a phishing scheme, the attacker broadly disseminates a fraudulent email with the aim of acquiring sensitive data such as login credentials, access to IT resources or banking information. The message may ask the recipient to submit personal information or to click a link that leads to a malware download or a fake login page. Although experienced users often recognise these messages, a distracted employee needs to make only one mistake to compromise a firm’s entire network.
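The tell-tale signs mentioned above (a request for credentials, a link that does not go where it says it does) can be checked mechanically before a message reaches a distracted employee. The script below is an added example written for this page; it is not Eze Castle code, and both sample messages, their addresses and their domains are constructed for illustration. It parses a raw email, flags a Reply-To domain that differs from the From domain, and inspects every HTML link for a bare IP address, an executable download, or visible text that shows one domain while the href points to another. The registrable-domain comparison uses a deliberately crude "last two labels" heuristic; a production tool would use the Public Suffix List.

```python
"""Added example: triage checks for common phishing indicators in a raw email."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message. All addresses, domains and the IP are
# hypothetical; the IP is from the TEST-NET-2 documentation range.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-fund.com>
Reply-To: support@mail-secure-login.example
To: analyst@example-fund.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<p><a href="http://198.51.100.23/login">https://portal.example-fund.com/login</a></p>
<p>Or download the <a href="https://cdn.mail-secure-login.example/update.exe">security update</a>.</p>
</body></html>
"""

# Constructed benign message from the same (hypothetical) firm, for contrast.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-fund.com>
To: analyst@example-fund.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are on the <a href="https://intranet.example-fund.com/maintenance">intranet</a>.</p></body></html>
"""

EXECUTABLE_EXTENSIONS = {"exe", "scr", "hta", "js", "vbs", "msi"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname if value looks like a URL (scheme or www.), else None."""
    value = value.strip()
    if "://" not in value:
        if not value.lower().startswith("www."):
            return None
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def _registrable(host):
    """Crude registrable domain (last two labels); real tools use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _mail_domain(header_value):
    """Domain part of the first address in a header, lowercased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyse_message(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []

    from_dom = _mail_domain(msg.get("From"))
    reply_dom = _mail_domain(msg.get("Reply-To"))
    if reply_dom and _registrable(reply_dom) != _registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)

    for href, text in collector.links:
        href_host = _host(href)
        if href_host is None:
            continue
        if href_host.replace(".", "").isdigit():  # dotted-quad IPv4 literal
            findings.append(f"link points at a bare IP address: {href}")
        text_host = _host(text)
        if text_host and _registrable(text_host) != _registrable(href_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
        if urlparse(href).path.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(f"link downloads an executable: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE_EMAIL), ("benign sample", BENIGN_EMAIL)):
        print(f"{name}: {len(analyse_message(raw))} finding(s)")
        for finding in analyse_message(raw):
            print("  -", finding)
```

The phishing sample trips four indicators (mismatched Reply-To, a link to a bare IP, display text that names the firm's own portal while the href goes elsewhere, and an .exe download); the benign sample trips none. Checks like these belong in the mail gateway rather than on the user's screen, and they complement rather than replace the employee training the webinar discusses.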
With a new year comes new regulations for hedge funds and investment firms. Earlier this week, Eze Castle Integration hosted a webinar during which Ricardo Davidovich, partner at Haynes & Boone LLP, shared his insight into the Securities and Exchange Commission’s (SEC) new examination priorities, as well as recurring themes firms should expect to see play out through the year.
What’s New in 2015
One priority for examinations this year is the focus on retail investors. Davidovich says that “hedge funds, which in [the SEC’s] mind have historically been an exclusive and private club, are being sold to the retail and consumer client base.” That means the SEC will take a closer look at the types of fees being charged, the sales practices and the suitability analysis. Firms should make sure that nothing they release is misleading and that they have controls against fraud, backed by written policies and guidelines they can demonstrate to the SEC.
Today, we're excited to be hosting the 2013 London Hedge Fund Cloud Summit at the Prince Philip House in London. The event features a variety of industry experts participating in thought-provoking panel discussions focused on the cloud adoption trends shaping the investment industry. Conversations will touch on everything from the differences between public and private clouds to cloud security and application hosting.
In honor of this event and to provide a visual to help encapsulate the many benefits that come from leveraging a private cloud, we have published a new infographic entitled “You Might be a Private Cloud User If…” Check it out to see the top 10 signs that you are likely a private cloud user. For more information and details on the 2013 London Hedge Fund Cloud Summit please visit the event page. Also, be sure to look out for a recap of the event here on the Hedge IT blog next week!
This fall, Microsoft’s new Windows 8 operating system captured the attention of many customers. Windows 8, however, isn’t the only Microsoft change 2013 will bring. Microsoft is planning to provide stricter oversight of its auditing process by conducting up to 30,000 licensing audits on small to midsize companies by 2014. Here is an overview of why you should ensure that your software is up to date and what to expect when it comes to the Microsoft licensing audits.
What are the Microsoft Licensing Audits?
In 2013, Microsoft will conduct audits on customers’ software usage. The audits will be mainly focused on mid-size companies with 500 - 2,000 computers. Many large companies have already put strict companywide licensing policies in place, but smaller firms typically have less formalized processes for ensuring all devices are licensed appropriately. As a result, Microsoft’s auditing focus is shifting to smaller companies. These audits will ensure that clients’ software is correctly licensed and paid for.
Last week, we revealed the results of our 2012 Hedge Fund Operations & Technology Benchmark Study, which surveyed over 300 buy-side firms about their front, middle and back office technology and vendor preferences. This year’s findings underscore the need for investment firms to employ robust systems to support trading operations and meet increasing regulatory and investor demands.
Below is a summary, but you can download the full report here.
Within the financial services industry, Eze Castle surveyed 320 firms, including hedge funds (61%), investment managers or investment banks (12%), private equity firms (7%), funds of hedge funds (4%), broker/dealers (2%) and venture capital firms (1%). The ‘Other’ category included family offices, legal, real estate, endowments, quant, biotech and insurance brokerage firms.
Firms surveyed fell into three AUM bands: 30 percent reported assets under management of $100 million and under; 32 percent fell between $101 million and $500 million; and 38 percent reported over $500 million.
On Tuesday, we began our webinar recap by looking at Form PF requirements and recommendations and other essentials for maintaining an effective compliance program. The second half of our webinar focused on technology compliance, specifically around message archiving, email security and mobile device management. Let’s take a closer look at some of the content that was covered. If video is more your style, you can watch a replay of the webinar here.
Record Retention & Message Archiving
The SEC currently requires investment advisers to retain all internal and external electronic business communications. Rule 204-2 mentions the following specific measures:
In order to meet the requirements of the SEC, firms must retain and archive more than just email. Instant messages, Bloomberg and Thomson Reuters messages and other electronic communications are also considered required archival material.
Is your firm registered with the SEC? Do you manage one or more private funds with assets of at least $150 million? If you said yes to these questions, then you have some homework to do. Under SEC regulations, your firm is required to file Form PF.
During a recent webinar, we asked ACA Compliance Group to talk us through the requirements and recommendations for filing Form PF as well as some additional compliance program recommendations. Below is a short recap of ACA’s presentation. To listen to the full replay of our event, click here.
Form PF: Requirements & Recommendations
Depending on your firm’s fund type and assets under management (AUM), the deadline for your Form PF filing may be sooner rather than later. Larger advisers - including large hedge fund managers, liquidity fund managers and private equity managers - will need to file sooner, while the majority of registered investment advisers won’t need to file until early next year.
Cloud computing has gained popularity over the years and is now fast approaching a global scale as hedge funds around the world leverage this innovative technology to help improve efficiency and cut costs. However, cloud computing raises unique data regulation and jurisdiction considerations as cloud environments span multiple geographic locations and data is not tied to one physical location. In today’s article we will look at data regulation and jurisdiction considerations for UK companies utilising US headquartered cloud providers.
Many cloud service providers are increasingly serving customers outside their home markets and using service delivery models that require the transmission of data across borders, which has led to a great deal of concern about the rights of access under the USA PATRIOT Act and how far those rights reach geographically.
Beyond the US, in December 2011 the European Commission published results of its cloud computing consultation, which showed a lack of understanding about the EU legal framework that cloud computing should be implemented within. It also signaled that there is still a widespread need for clarification on rights, responsibilities, data protection and liability in the cloud, especially in cross-border situations.