During a recent webinar on operational due diligence, we explored the changing ODD environment for emerging managers, and our guest speaker, Frank Napolitani of EisnerAmper, helped shed light on some critical missteps that could cause ODD teams to veto an investment.
At the highest level, investor due diligence experts see the following as the most egregious red flags:
Dishonesty: Demonstrated in the form of failing to disclose or withholding information. This shows a lack of integrity.
Belligerence: When managers exhibit an ‘I’m never wrong’ attitude and are unwilling to listen to objective advice.
Incompetence: When a firm or manager’s skillset doesn’t align with the expertise required for a particular function.
More specifically, there are a number of red flags that can give investors pause and lead either to increased due diligence or to an outright rejection. Drawing on a recent Deutsche Bank survey, here are a few of those reasons:
Natural disasters often strike with little to no warning, but their operational and economic impact on an organisation can be devastating. On average, we see 12 tropical storms a year, but this year we’ve seen 13 (so far!). These natural disasters highlight the importance of business continuity planning and are a reminder for firms to use the calm before the storm to ensure that their business continuity plans address the key impacts of a disaster event, so that they can keep operating.
Following are some key business continuity preparation questions you should consider:
With hurricane season fully upon us and Irma bearing down on Florida, firms must ask "Would my firm be ready if there were an emergency today?" and "Would my employees know what to do?" September is National Preparedness Month (NPM), sponsored by the Department of Homeland Security and FEMA’s Ready Campaign in an effort to increase awareness among individuals, businesses, families and communities. NPM aims to encourage the public to make preparedness a part of their daily lives and stresses the importance of being ready for the unknown.
Why should you focus on being prepared?
By teaching your employees why they should prepare, your firm not only demonstrates that preparedness matters, but its employees also retain the knowledge and skills that help keep the business operational. Preparation can mean the difference between a successful and a failed recovery, both personally and professionally. Educating your employees on what they’ll need at home, where to go, whom to contact, etc. equips them with the information they’ll require at the time of an incident. With the proper information readily available, employees can focus on helping resume business operations more quickly.
Recently, Eze Castle Integration moved office locations in London. In fact, we had just finished moving into our office, and minutes later the London Bridge attack occurred. Fortunately, all of our employees were safe, but the next day our office was closed due to the ongoing investigation. With an updated business continuity plan in place, Eze Castle employees were still able to run business operations as usual.
Take our real-life scenario as a lesson: even with security in place, disaster scenarios can still affect you, directly or indirectly, so it is best to be prepared.
What does developing a business continuity plan entail?
Step 1: Identify risks using risk assessments
Step 2: Analyse the effects on your business (Business Impact Analysis)
Step 3: Design, execute and implement a strategy
Step 4: Measure: plan testing, training and maintenance
We spend a lot of time making suggestions and recommendations about what financial and investment firms should do when it comes to their technology. And while it might sometimes seem obvious, we also think it wise to remind firms what not to do from time to time. In fact, the following technology pitfalls are prime examples of what not to do with respect to your firm’s IT.
Set IT and forget IT.
Technology isn’t evergreen, and it certainly isn’t infallible. With so many investment firms today relying on managed service providers to support their IT operations, vendor management has become a critical area of importance. IT outsourcing gives firms a great opportunity to rely on experts to manage infrastructure updates, maintenance windows and network upgrades, but the onus remains on your firm to ensure your technology is up to snuff and meets not only your own demands but those of investors and regulators as well. A “set IT and forget IT” strategy won’t work here; even with outsourcing, the responsibility for IT management falls on you.
Plan your infrastructure only for the short-term.
A crucial mistake often made by funds is not planning for the future. From the earliest pre-launch meeting, you should be thinking about what your firm will look like and what technology you will require down the road. Planning out two to three years in advance is recommended in order to reap the most benefits with regard to your infrastructure. Plus, if you don’t plan ahead, you may wind up incurring more costs and dealing with a much bigger headache if technology decisions need to be made unexpectedly (e.g. cloud and data migration).
Keeping up with the myriad cyber security requirements expected of today’s financial firms is a daunting – and sometimes unachievable – task. The list continues to grow in size and scope, and remembering how often to perform tests or when to change passwords is a growing challenge for CTOs and business executives responsible for technology.
To assist in guiding your firm with its cyber plan implementation, we’ve outlined a basic calendar of security reminders to help you stay on track. Listed in order of frequency, here’s how often you should plan to take these security steps:
3 months: Change your passwords.
At least every 90 days, we recommend changing your network, system and application passwords to prevent intruders from gaining unauthorized access. Remember: password creativity is critical, and password re-use is a big no-no.
3-6 months: Conduct a simulated phishing exercise.
Phishing is one of the most effective, and thus dangerous, social engineering scams in use today and threatens to deceive and manipulate users into opening gateways, sharing confidential information or, in many cases, making financial transactions. Simulated phishing exercises (whether conducted by your firm itself or via a managed service provider) are the most effective way to test users’ knowledge of email threats and train them to be cyber aware. Most firms opt to perform quarterly phishing tests, but semi-annual exercises are commonplace also.
We recently sat down with Matt Donahue, Security/Data Privacy Consultant and Steve Banda, Senior Product Manager, to discuss cyber security trends in the family office space, as well as what steps these and other wealth management firms can take to prevent cyber-attacks. NOTE: This article originally appeared in MarketCurrents' Technology Trends - Family Office Series 2017.
What are the biggest cybersecurity threats investment management firms face?
There are constant threats facing organizations internally and externally, especially within the financial industry. One of the biggest issues is that the cyber threat landscape is continuously evolving. Hackers are trying to compromise firms in a number of ways – from phishing and social engineering to ransomware. It’s becoming much like an arms race, where both sides (hackers and criminals vs. security firms and CISOs) are diligent, organized, and well-funded, each gaining and losing the upper hand on a daily basis.
From an internal perspective, threats emerge as a result of employees being inadequately trained, falling prey to social engineering scams or not following corporate policies. They also come from technology gaps including outdated IT systems, lack of patch management and other shortcomings that could have been addressed by vulnerability assessments.
Building on the importance of vulnerability assessments, firms should recognize that hackers are constantly scanning to identify holes and gaps that may provide an opportunity to breach an environment. This risk reinforces the importance of technical security defenses, including next-generation firewalls, intrusion detection and prevention systems (IDS/IPS) and penetration testing. Ultimately, firms want to close gaps and make their IT environments unappealing to hackers.
The recent tragic attacks that occurred in London remind us all that we can never be too prepared for an emergency situation. Therefore we are republishing this article that provides some key reminders to help ensure the safety of your employees and the business continuity of your firm during these types of disaster scenarios.
Assessing the Scenario
Every scenario is different and lends itself to a certain degree of impact, whether it’s confined to an office building or a broader regional impact. Start with ensuring that your employees are accounted for and in a safe location. Then consider: will the events at hand impact their ability to continue with their jobs? Obviously, if the office space is affected, a secondary location may come into play, or firms may opt to allow employees to work remotely. Next, review critical business systems, data and resources. Are your data and assets up and running so employees can continue business functions? Are phone systems or email functioning properly?
Internal and External Communication
Depending on the severity of the situation, you’ll need to determine the level of communication to both internal and external parties. If the event or disruption will impact employees getting to or from the office or if the building is inaccessible, obviously you’ll need to notify personnel. If there may be an impact to the business itself (trading, for instance), you may want to communicate with external parties such as investors, business partners, and/or regulators. It’s helpful to have a communication plan in place to guide this process. And remember: all communications should be reviewed and approved by the individual(s) overseeing the business continuity program and the plans associated with it.
When it comes to cybersecurity, there are many factors you need to be conscious of. During a recent webinar, speakers from Eze Castle Integration and Wolf & Company shared 10 of the most common cybersecurity gaps identified during an IT audit/risk assessment. We’ve listed the top 10 below and shared some particulars on a few of the most critical (in our opinion). For more detail on how these gaps are presenting themselves – and best practices for avoiding them – listen to the full webinar replay.
Top 10 IT Security Gaps
Risk Management and Governance
IT Asset Management
Social Engineering & User Training
Business Continuity Planning
Third Party Vendor Management
User Provisioning and Management
Incident Response Planning/Procedures
Post-launch, many hedge funds and investment firms struggle to gain ground and attract the institutional capital needed to succeed in today’s competitive market. Even as firms grow – and bandwidth and budget become less likely to be roadblocks – it can be a challenge to reinvent the wheel and position your firm to capture institutional dollars.
During a recent webinar, speakers from EisnerAmper and Eze Castle Integration explored trends in hedge fund operational due diligence and technology operations and offered advice for asset managers looking to grow out of their startup boots and achieve an institutional grade operation. Some areas they explored during the 40-minute webinar include:
How institutional investor expectations have changed for firms at the pre-launch and post-launch phases;
The importance of passing an operational due diligence examination (and the cost of failing one);
How cyber security expectations are evolving to increase standards across both technology infrastructure and policy planning;
If the public cloud is suitable for investment management firms looking to solidify institutional investments; and
Top mistakes emerging managers make that prevent successful ODD exams and institutional evolution.