Getting Stronger Together: How Hedge Funds and Service Providers Can Tackle Cyber Crime
HFMWeek catches up with Eze Castle Integration’s managing director, Bob Guilbert, to discuss why so many funds are opting for cloud solutions and how the industry can work together to tackle cyber crime.
HFMWeek (HFM): What are the security implications of moving to a cloud system?
Bob Guilbert (BG): Firms looking to move to the cloud need to consider which provider is right for them and can service their operational and security needs. A firm needs to consider the security protocols in their office as well as in the cloud and work with someone that covers both sides, including the virtual and physical elements. It’s also vital that firms understand the ‘response and remedy’ services that cloud providers offer, the quality of which can vary hugely between public and private clouds.
HFM: Can the quality of security offered differ significantly between cloud providers?
BG: Absolutely, which is why IT due diligence is so important. At Eze Castle Integration, we’ve taken a defense-in-depth approach to cloud security starting right at the foundation. We have layers of security all the way through the infrastructure, including access controls, continuous security monitoring, and intrusion detection and intrusion prevention systems. You are only as strong as your last defence. You must have all the right locks on all the right doors and multiple locks on those doors in order to thwart any hacker’s attempts to access your private information. You must also invest in employee training because even the best locks won’t help against many social engineering techniques. These can only be combatted with good due diligence and best practice regarding security awareness training for all staff and senior management. When evaluating a cloud provider, it is also important to understand the security protocols followed within the provider’s corporate infrastructure. At Eze Castle Integration, for example, we’ve invested heavily in our own firm’s security to ensure there aren’t any backdoors to allow a hacker to access the cloud and data of our clients.
HFM: So outsourcing to a cloud platform gives more protection than an in-house product?
BG: I would say so, yes. We are offering enterprise-level security, and we have a deep pool of specialists, which can be leveraged when needed for our clients. In-house deployments very often won’t have the same size of staff and also won’t have a budget that allows them to cover all areas of cybersecurity to the same degree. Small firms, especially, will never be able to enjoy the scope of security and technological power through their own means that they could by partnering with us.
HFM: Do you predict using cloud services will become the norm in the future?
BG: I think it’s actually reached that stage now. If you look at the number of start-up hedge funds that launch annually, I would say 95%+ of them consider launching on a cloud provider’s platform. One reason for this includes the capital expenditure difference between setting up the hardware and software in-house versus selecting an established private cloud provider. Firms get all the benefits of proper management and security to run the environment, and they have predictability in their monthly costs.
HFM: Are established funds, considering their historic investment in in-house IT infrastructure, slower to adopt a cloud solution than start-up funds?
BG: We find there are typically three inflection points where an established firm evaluates a move to the cloud. These are office relocation, technology refresh and adding a new application. A physical move of offices provides an opportunity, as firms don’t want to invest in moving and setting up old equipment at a new office. A technology refresh is another logical switching point, as firms weigh the costs of doing a whole system upgrade as opposed to moving to the cloud. In some cases very large funds are still inclined to invest in building their own infrastructure; however, they will look to the private cloud for application hosting. This may be due to the CTO wanting to have the data within the premises of the office. However, Eze Castle Integration has several clients with multi-billion dollar AUMs on our cloud platform. At the highest AUM levels, it often comes down to personal preference and existing investments in internal IT staff and infrastructure.
HFM: What are ‘Written Information Security Plans’ (WISPs)?
BG: WISPs are plans that cover the administrative and technical safeguards a firm has in place to ensure data is protected. They include details on incident response, remediation and communication procedures should a firm be subject to a cyber breach. They answer questions such as: have you identified the chief information security officer in the organisation? In the event of a breach, what action will you take and what communication paths will you follow? Having written information security plans is emerging as a requirement for firms. As part of its cybersecurity questionnaire, the Securities and Exchange Commission (SEC) is asking about WISPs. And investors are increasingly asking to review WISPs as part of their due diligence. Overall, the security questions being asked by investors and regulators are getting much broader and deeper. Both groups are asking for more details on whether there have been breaches in the past and the process that was taken. Investors are also beginning to ask these details from not only the remedial third party but also all the providers they are using.
HFM: So investors have become much more sophisticated on cyber issues then?
BG: Yes, they have. With increasing numbers of successful breaches in the marketplace and more visibility around cybersecurity and cyber crimes, investors are becoming more savvy, aware and concerned.
HFM: What do you expect from the SEC looking ahead?
BG: The SEC has already said cybersecurity is a top priority for them in 2015/16. They are planning to conduct much wider and deeper examinations of funds to ensure they have the best cybersecurity practices in place. They also want to see if a fund’s employees have been trained and tested on the firm’s WISP policy. I believe there is going to be a broader sweep in terms of who is looked at. A number of firms use outsourced functions, and the SEC will soon start to look at these third-party providers in a lot more detail. There is still a long way to go, but we all have a common enemy in keeping malicious activity outside of the hedge fund industry, and through effective dialogue between the public and private sectors, we can get stronger together.