Doing Your Cloud Homework: Answering Legal, Tech & Security Qs
Are you tired of talking about the cloud yet? Good. Neither are we. In fact, we recently devoted our first webinar of the year to the topic. A summary of the key topics discussed during the webinar is below.
Increased Adoption of the Cloud
According to our managing director, Vinod Paul, over 80 percent of the new clients we brought on board last year are utilizing the cloud in some way, shape or form. As hedge funds continue to battle for institutional dollars, the smaller firms, in particular, are able to leverage the cloud for enterprise-level technology at an often reduced cost.
Speaking of cost, it’s one of the main drivers for firms moving to the cloud. Three to five years ago, hedge funds typically had to pay $300-500K to set up an initial IT environment. In today’s rapidly changing landscape, firms are looking to pay less money out-of-pocket, as well as decrease their initial deployment times.
With the cloud, resource deployment and allocation only take days or weeks instead of months. The increased flexibility with the cloud is an enormous driver, allowing firms to customize how they use this technology platform. The cloud can easily work on a different scale for small and large firms, with smaller startups outsourcing their entire IT landscape and larger firms having the flexibility to use a hybrid model and determine which aspects of their environment they want to manage in-house or outsource.
Is the Cloud Regulated?
To regulators such as the SEC and FINRA, the term “cloud computing” doesn’t really resonate. They tend to use the word “outsourcing” when defining rules for investment advisers and broker-dealers. Broker-dealer rules, in particular, have become more specific in recent years, and there is currently a proposed rule which would prevent BDs from outsourcing arrangements that involve moving cash or securities. Additionally, BDs are required to provide advance notice to FINRA and the SEC about outsourcing their recordkeeping.
Under the Dodd-Frank Act, investment advisers (including most hedge funds) are required to maintain records of all activities related to their business, but the rules are not as specific with regard to whether those records are outsourced. Firms must also complete Form ADV, which requires the disclosure of firms’ service providers and their level of involvement. In the coming years, we may see changes in how regulatory bodies govern the cloud, but for now, there is a lot of ambiguity.
Cloud Security Best Practices & Evaluating Your Service Provider
The threat of a cyber attack is a reality for all organizations, whether they are using the cloud or not. Regardless of a firm’s IT infrastructure, it should take all measures to protect the firm and its sensitive information. For both on-premise and cloud technology, where data is stored in a colocation facility somewhere, you’ll want to ensure that proper physical security procedures are in place, including biometric screening and authentication, monitored cabinets and cages and 24x7x365 surveillance. On the cloud level, you’ll also need to ensure your service uses proper virtualization security, meaning your data needs to be isolated from that of other firms using the same cloud.
It’s also important to consider the type of cloud you are leveraging. Security practices and principles may differ between public and private clouds. Consider the following:
Who can access your data and at what level? Not every employee needs access to everything on the network.
Can your service provider share an audit trail which logs who has accessed what?
What is the viability of your firm’s cloud service provider? Can they provide audited financials? Can they sustain business in the long run?
Does your provider offer a Service Level Agreement (SLA), and what is the agreed-upon uptime? In the hedge fund industry, in particular, downtime is not an option.