A Hedge Fund’s Guide to Technology Decisions: From Cloud to DR
As part of our Emerging Managers Article Series, today’s article looks at technology considerations for launching a hedge fund. The technology landscape is changing quickly, especially with the adoption of cloud services and the heightened regulatory focus on cybersecurity. So we’ll dive into these two topics as well as touch on preparing for the inevitable disaster and common technology mistakes to avoid.
The Cloud: Every Hedge Fund is Doing It
Here at Eze Castle Integration, we see that 9 out of 10 hedge fund startups are selecting a cloud-based solution versus a traditional on-premise solution. If you aren’t already sold on the cloud, here are a few reasons we typically see clients select the cloud:
Easy and Complete IT Package: Cloud computing can support front-, middle- and back-office functions – everything from business applications and client relationship management systems to data management solutions and accounting systems.
Cost Containment: CapEx to OpEx: While building out a comm room or data center requires capital expenditures, using an external cloud service that offers a pay-as-you-go service falls into ongoing operating expenditures. The transition to a cloud service provides many cost savings beyond just eliminating the need to purchase and refresh equipment.
Improved Flexibility and Scalability of IT: Cloud computing is uniquely flexible and scalable, operating on a utility basis - allowing firms to pay as they go and only for the resources they will use.
Simplified IT Management = Less Maintenance: With cloud services, firms no longer need to handle server updates, patches, hardware installs and other computing maintenance issues. This saves firms from having to hire dedicated IT resources or allows them to focus IT staff on higher value projects.
Meeting the SEC's Cybersecurity Expectations
Regardless of whether your firm opts for an on-premise solution or the cloud, security is fundamental when considering a fund’s technology setup and network infrastructure. It is so important that the SEC this month issued a risk alert providing additional clarity into how it will examine registered investment firms regarding their cybersecurity practices.
All financial firms are at risk because hackers see value in gaining a firm’s business secrets and intellectual property - such as business plans, trading programs, market forecasts and investment strategies. Therefore, a multi-layer security approach is essential to protecting the critical information that passes through the organization’s system every day.
This strategy, known as Defense in Depth, recommends that investment firms maintain up-to-date anti-virus and anti-malware software as well as network firewalls, deep inspection proxies and intrusion detection/prevention systems (IDS/IPS) to reduce the amount of traffic on the network, thereby decreasing opportunities for an intrusion. In addition to these technical layers, firms should also implement the following policies and procedures to ensure their critical systems and data do not fall into the wrong hands.
Acceptable Use Policy. Define what acceptable behavior is for your employees as it relates to their technology usage. It is best to be specific within this policy regarding what activities and programs employees are or are not permitted to access. Firms can employ web filtering practices to block access to identified websites. They can also use third-party software to log which employees are accessing what and what other actions they are taking (e.g. printing, copying, forwarding).
Principle of Least Privilege. This involves restricting access to only those employees who need it. Keep access control lists for all applications and data, and for inbound/outbound Internet access, to keep track of who can gain access to what. Also, log the use of audited one-time passwords and minimum privilege shared accounts.
Secure User Authentication Protocols. Secure user authentication protocols include assigning unique domain user IDs to each employee, implementing strong domain password policies, monitoring data security passwords and ensuring that they are kept in a secure location, and limiting access to only active users and active user accounts.
Information Management Security Policy. Develop a plan that details how the firm will handle a security incident. The plan should outline who is in charge of managing a security incident, the required reporting and investigation procedures, communications policies for contacting clients and the post-incident remediation procedures.
Visitor/Contractor Premise Access Policy. It is essential that firms keep track of all people who have visited the site through the use of physical security checkpoints and surveillance.
Mobile Device Policy. Develop guidelines for the use of personal mobile devices in the workplace, and train staff on mobile device security practices. Employ security measures such as requiring passwords, having the ability to remotely wipe devices and employing encryption tools.
Preparing for the Inevitable Disaster
Disaster recovery and business continuity plans are crucial for sustaining operations during outages or disasters. A disaster recovery plan addresses how the business will resume normal operations in the event of a catastrophe. A business continuity plan is somewhat broader in nature and deals with sustaining normal business operations during periods of disruption.
Both disaster recovery and business continuity planning are essentially means of systematically assessing the potential impacts of various unexpected incidents and determining the organization’s preparedness to deal with such events. During the planning process, firms should aim to ensure little to no business and project interruption during either a planned or unexpected event. In this planning phase, be sure to take the following steps:
Assess the business risk and impact of potential emergencies.
Prepare for possible emergencies.
Document a disaster recovery plan.
Outline the business recovery phase.
Train staff for the business recovery phase.
Test the plan with a realistic dry run.
Keep the plan timely.
Avoiding Common Technology Mistakes
Finally, the following are five common technology mistakes that new funds make and what you can do to avoid them.
Looking for the perfect solution. During the planning phase of your new fund, the idea that there may be one or more solutions that can meet 100% of your technology requirements can be an appealing thought. Some vendors are attempting to develop a turnkey platform to deliver on this promise. However, unless your business is narrowly focused, the chances that a single vendor will meet every aspect of your needs are very slim. Realistically, you will likely need to negotiate, purchase and deploy systems from multiple vendors and service providers. Selecting a single vendor and relying on it to be around in the years ahead may cause your firm to assume more concentrated business risk than you are willing to accept.
Insufficient planning for the future. Without envisioning how your practice will look over the longer term—in three or five years—you may be setting yourself up for some short-sighted solutions. Despite your intense focus on completing the immediate tasks of launching your fund, understanding what your firm will look like in the future is important as well. If your fund grows significantly, will you have the necessary technological systems to support that larger business?
Failing to understand how much you rely on technology today. Think about the work you currently do today and write down some notes on which systems you use to complete that work (email, reports, phones, quote feeds, etc.). Now, consider the work that will need to be done in your new hedge fund and what systems you and your team will require to complete it. More than likely, you will need most – if not all – of the same systems, with some additional ones as well. Use this list as a shopping guide when building out your technology platform.
Overestimating your capacity to manage technology. Managing technology is a profession unto itself. Unless you spend most of your free time building servers and managing networks, you will need help managing technology at your new firm. For project-related work (“one-and-done” jobs), you can use consultants and contractors. For ongoing interaction and maintenance of the technology, you can contract with a third party. Also, be sure to consider hiring support or administrative personnel who are skilled with technology.
Shortchanging the training options and resources. Once you have all of your new systems lined up, you need to learn how to use them. Most vendors provide some sort of onsite or web-based training options. If it is reasonably priced, you will most likely want to take advantage of it. Often, the vendor’s professional services arm will know all the quirks of the software package, including many important details that are glossed over during the sales process. They can help you develop the correct workflow to maximize your investment, as well as get you past some of the inevitable challenges. Also, ask the vendor whether there are any established user groups for their software and systems. Often, these communities can be invaluable resources for getting up and running more quickly and with less frustration. Avoid rushing the installation in order to make a set deadline, and address any subsequent issues that may arise.