Examining the Evolution of Investor IT Due Diligence
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focused mostly on firm investment history, performance, etc. On the IT side, it may have asked “are you using an outsourced IT provider?” or even “do you have a disaster recovery system?” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds or the protections in place to mitigate risk.
Of course, times have changed, and now we see investor DDQ documents upwards of 5, 10 or 20 pages in length, asking for great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
The way we see it, there are four primary influencers.
The first is the sheer rise in technology sophistication that has occurred. The reality is, you can’t operate a successful hedge fund with a couple of laptops and a Verizon FIOS connection. And hedge funds aren’t keeping track of investor assets in Excel files anymore. They are using a wide variety of systems and applications to track investments, communications, etc. as well as to support business operations. As these types of software platforms and infrastructures have developed, investors have had to re-frame how they view technology and spend more time learning about it in order to fully understand how their assets are being used and protected.
Secondly, there is a clear increase in how hedge funds and financial services firms are leveraging outsourced service providers. Years ago, most firms were operating their own server rooms and managing their own technology. It was basically all under one roof. Now, especially with the advent of the cloud, funds are leveraging outsourcing to support all aspects of their business. Many firms today are not only outsourcing IT, but also using tools or service providers for fund administration, portfolio accounting, investor relations, and so on. Each of those relationships is then something an investor is going to want to scrutinize.
Third is the prevalence and sophistication of cyber threats. We’ve seen high-profile breaches at major retailers, healthcare providers and financial services firms. Hackers today are savvy and have a wide variety of tools that they’re using to penetrate networks and access sensitive material and, in many cases, take control of assets. Naturally this is an area of concern to investors.
The last point here is with regard to some of the large-scale disasters we’ve seen in recent years. The one that comes to mind is Hurricane Sandy. 2012 wasn’t that long ago, but the reality is, many firms were unprepared for the havoc that storm wreaked on their businesses. Firms that didn’t have disaster recovery in place, for example, were severely impacted because they didn’t put the proper business resiliency policies and procedures in place to protect themselves. So again, events like this are impacting how investors are making their decisions.
What do these four points have in common? They have all, in and of themselves, led to one of the biggest influencers of all, and that’s regulation. In 2010, with the Dodd-Frank Act, firms were introduced to stern recordkeeping requirements as well as calls for enhanced disaster recovery and business continuity plans. And of course, now, the SEC has taken a keen interest in cybersecurity and is focusing its examinations on the level of preparedness firms have in place to thwart cyber-attacks.
So we know now that there has been an evolution, but what exactly does that evolution equate to? If investors are educating themselves more about technology and asking more probing questions in order to achieve higher levels of satisfaction, what exactly do they want to know?
At a high level, there are five major categories investors are going to expect to see information about: