On our recent Emerging Manager Trends in Operational Due Diligence webinar, we looked at the challenges today’s emerging managers face, from fierce competition to a rapidly evolving investor IT due diligence process that increasingly scrutinizes technology processes and security safeguards.
The reality is that investors have a greater understanding of technology, are asking more probing due diligence questions and care about the responses they receive. In recent years the depth of DDQ questions around information technology and security has expanded as investors become increasingly savvy about IT and headlines around IT risks have grown.
Here at Eze Castle Integration we regularly assist our clients in completing the IT portions of investor due diligence questionnaires. The wording of questions varies, but here is a handy list of 51 common IT due diligence questions we see.
- Provide an organization chart for the Company, its affiliates and key personnel.
- Provide the physical address and general contact information for each of the Company’s office locations.
- Provide the name and contact information of the Company employee(s) assigned to the client’s account(s).
- Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company’s organizational structure.
There has been discussion for years about whether public or private cloud platforms were more suitable to financial and investment management firms. And that debate continues, but with the addition of a new player – the hybrid cloud.
While the public cloud receives praise for its flexibility and potential cost savings and the private cloud for its robust security and reliable performance, the hybrid iteration essentially marries these features to create a compelling package for firms who don’t fit naturally into the previous two categories.
As its applicability continues to surge, it is worth understanding the concepts and benefits behind the hybrid cloud. Let’s take a look at what makes hybrid environments appealing to some organizations:
Agility & Flexibility: A hybrid cloud model allows a company to combine public cloud assets with those in a private cloud to increase agility and availability. For example, combine Microsoft Exchange and file services via the public cloud with robust security layers and 24x7x365 managed support via the private cloud, and suddenly you’re benefiting from the best of both worlds (hint: we’re talking about the Eze Hybrid Cloud).
During a recent webinar on operational due diligence, we explored the changing ODD environment for emerging managers, and our guest speaker, Frank Napolitani of EisnerAmper, helped shed light on some critical missteps that could cause ODD teams to veto an investment.
At the highest level, investor due diligence experts see the following as the most egregious red flags:
Dishonesty: Demonstrated in the form of failing to disclose or withholding information. This shows a lack of integrity.
Belligerence: When managers exhibit an ‘I’m never wrong’ attitude and are unwilling to listen to objective advice.
Incompetence: When a firm or manager’s skillset doesn’t align with the expertise required for a particular function.
More specifically, there are a number of red flags that can give investors pause and lead to either increased due diligence or an outright rejection. Keep reading for a few of the reasons cited in a recent Deutsche Bank survey:
Natural disasters often strike with little to no warning, but their operational and economic impact on an organisation can be devastating. An average season brings about 12 tropical storms; this year has already produced 13. These events highlight the importance of business continuity planning and are a reminder for firms to use the calm before the storm to ensure that their plans address the key impacts of a disaster event, so that operations can continue.
Following are some key business continuity preparation questions you should consider:
Ransomware threats are on the rise – WannaCry and Petya are just the beginning. To prevent future cyber threats from causing harm, financial and investment firms should employ security practices that include deep layers of protection. Here are five suggestions to keep in mind:
Back up. Unfortunately, the criminals behind ransomware aren’t exactly on the up-and-up. After they’ve encrypted your files and demanded a ransom, they promise the files will be decrypted and restored, but those promises are frequently broken. Even if you pay (which you shouldn’t!), there is no guarantee your files will come back, so backups are the only dependable way to recover your data. Use a secure and reliable backup and recovery tool that de-duplicates, compresses, encrypts and securely transfers your data to an offsite data center. Two caveats matter here: the backup copy must not be writable with the same credentials the infected workstation uses, or the ransomware will simply encrypt the backups too; and a backup you have never restored is only a hope, so test restores on a schedule.
Scan. To construct appropriate defenses against external threats, including ransomware attacks, financial firms should conduct regular vulnerability assessments on their networks. These assessments are critical to identifying actual and likely weaknesses, in particular missing patches, insecure configurations and unnecessarily exposed services. Many assessment tools also flag malware, backdoors, hosts communicating with botnet command-and-control systems, unexpected processes and web services linking to malicious content. A scan on its own fixes nothing: the findings must feed a patching and remediation process with owners and deadlines, and the next scan should confirm the gaps were closed.
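The two practices above can be checked rather than assumed. The following is an added example, not code from Eze Castle Integration or from the original post: it records a SHA-256 manifest of a directory (the kind of record you would keep alongside an offline backup), then later verifies the live directory against it, measuring the byte entropy of any changed file so that a file overwritten with ciphertext stands out from an ordinary edit. The entropy threshold and the ransom-note file extensions are assumptions chosen for illustration, and the infection in `demo()` is simulated in a temporary directory.

```python
"""Verify a directory against a stored manifest and flag ransomware-style changes.

Added example. Assumptions: 7.5 bits/byte separates encrypted or compressed data
from typical documents, and the extensions below are illustrative ransom suffixes.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5                               # assumption, bits per byte
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # assumption, illustrative


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random/encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each relative file path to the SHA-256 of its content.

    Keep this manifest (and the backup it describes) where the credentials used
    on workstations cannot modify it, or the attacker can rewrite both.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the manifest.

    Returns missing files, modified files (with entropy and an encryption
    verdict) and new files carrying a known ransom extension.
    """
    current = build_manifest(root)
    report = {"missing": [], "modified": [], "suspicious_new": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            ent = shannon_entropy((root / rel).read_bytes())
            report["modified"].append({
                "path": rel,
                "entropy": round(ent, 2),
                "likely_encrypted": ent >= ENTROPY_THRESHOLD,
            })
    for rel in current:
        if rel not in manifest and Path(rel).suffix in RANSOM_EXTENSIONS:
            report["suspicious_new"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(3):
            (root / f"report{i}.txt").write_text("quarterly figures " * 200)
        manifest = build_manifest(root)
        # Simulated ransomware: one file overwritten with ciphertext-like bytes,
        # another renamed with a ransom extension (constructed, not a real sample).
        (root / "report0.txt").write_bytes(os.urandom(4096))
        (root / "report1.txt").rename(root / "report1.txt.locked")
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is taken at backup time and the check is run before a restore is trusted; a restore that brings back files the check marks as likely encrypted means the backup itself was reachable by the malware.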
Recently, Eze Castle Integration moved office locations in London. In fact, we had just finished moving into our office when, minutes later, the London Bridge attack occurred. Fortunately, all of our employees were safe, but the next day our office was closed due to the ongoing investigation. With an updated business continuity plan in place, Eze Castle employees were still able to run business operations as usual.
Take our real-life scenario as a lesson that even if you have security in place, disaster scenarios can still happen either directly or indirectly, so it is best to be prepared.
What does developing a business continuity plan entail?
Step 1: Identify by utilizing risk assessments
Step 2: Analyse the effects on your business (Business Impact Analysis)
Step 3: Design, execute and implement a strategy
Step 4: Measure: plan testing, training and maintenance
We spend a lot of time making suggestions and recommendations about what financial and investment firms should do when it comes to their technology. And while it might sometimes seem obvious, we also think it wise to remind firms what not to do from time to time. In fact, the following technology pitfalls are prime examples of what not to do with respect to your firm’s IT.
Set IT and forget IT.
Technology isn’t evergreen, and it certainly isn’t infallible. With so many investment firms today reliant on managed service providers to support their IT operations, vendor management has become a critical area of importance. IT outsourcing provides great opportunity for firms to rely on experts to manage infrastructure updates, maintenance windows and network upgrades, but the onus remains on your firm to ensure your technology is up-to-snuff and meets not only your demands but those of investors and regulators as well. A “set IT and forget IT” strategy won’t work here; even via outsourcing, your IT management responsibilities fall on you.
Plan your infrastructure only for the short-term.
A crucial mistake often made by funds is not planning for the future. From the earliest pre-launch meeting, you should be thinking about what your firm will look like and what technology you will require down the road. Planning out two to three years in advance is recommended in order to reap the most benefits with regard to your infrastructure. Plus, if you don’t plan ahead, you may wind up incurring more costs and dealing with a much bigger headache if technology decisions need to be made unexpectedly (e.g. cloud and data migration).
Keeping up with the myriad of cyber security requirements expected of today’s financial firms is a daunting – and sometimes unachievable – task. This list continues to grow in size and scope, and remembering how often to perform tests or when to change passwords is a growing challenge for CTOs and business execs responsible for technology.
To assist in guiding your firm with its cyber plan implementation, we’ve outlined a basic calendar of security reminders to help you stay on track. Listed in order of frequency, here’s how often you should plan to take these security steps:
3 months: Change your passwords.
At least every 90 days, we recommend changing your network, system and application passwords to prevent intruders from gaining unauthorized access. Remember: password creativity is critical, and password re-use is a big no-no; one leaked password should never unlock a second account. Note that NIST SP 800-63B (2017) advises against forcing routine rotation of user passwords, favouring long, unique passwords, multi-factor authentication and immediate rotation whenever compromise is suspected, so apply a fixed rotation schedule with that guidance in mind.
3-6 months: Conduct a simulated phishing exercise.
Phishing is one of the most effective, and thus dangerous, social engineering scams in use today: it deceives and manipulates users into opening malicious attachments or links, sharing confidential information or, in many cases, making financial transactions. Simulated phishing exercises (whether conducted by your firm itself or via a managed service provider) are the most effective way to test users’ knowledge of email threats and train them to be cyber aware. Most firms opt to perform quarterly phishing tests, but semi-annual exercises are commonplace also.
We recently sat down with Matt Donahue, Security/Data Privacy Consultant and Steve Banda, Senior Product Manager, to discuss cyber security trends in the family office space, as well as what steps these and other wealth management firms can take to prevent cyber-attacks. NOTE: This article originally appeared in MarketCurrents' Technology Trends - Family Office Series 2017.
What are the biggest cybersecurity threats investment management firms face?
There are constant threats facing organizations internally and externally, especially within the financial industry. One of the biggest issues is that the cyber threat landscape is continuously evolving. Hackers are trying to compromise firms in a number of ways – from phishing and social engineering to ransomware. It’s becoming much like an arms race, where both sides (hackers and criminals vs. security firms and CISOs) are diligent, organized, and well-funded, each gaining and losing the upper hand on a daily basis.
From an internal perspective, threats emerge as a result of employees being inadequately trained, falling prey to social engineering scams or not following corporate policies. They also come from technology gaps including outdated IT systems, lack of patch management and other shortcomings that could have been addressed by vulnerability assessments.
Building on the importance of vulnerability assessments, firms should recognize that hackers are always scanning to identify holes and gaps that may provide an opportunity to breach an environment. This risk reinforces the importance of technology security defenses including next-generation firewalls, intrusion detection and prevention systems (IDS/IPS) and penetration testing. Ultimately firms want to close gaps and make IT environments unappealing to hackers.
Traditionally, private equity firms have allocated significant capital budgets to build out their own sophisticated Communication (Comm.) Rooms, which can take months to provision and bring online. With servers to buy and install, software to license and configure, and voice/networks to deploy – not to mention recruiting, hiring, and managing expensive and hard-to-find IT talent – it’s no wonder cloud solutions have emerged as the dominant choice for computing infrastructures at private equity firms large and small.
Not surprisingly, many firms – including those with well-established in-house infrastructures – are making the move to the cloud for a number of compelling reasons, most notably these five:
Timing. Understanding when the right time to move to the cloud is makes a smart first step. There are three typical inflection points: when you’re adding new applications, moving or opening a new office, or in need of an IT refresh. But even if you’re not in any of those circumstances, there are plenty of other motivating factors (keep reading).
Cost Containment. You may not always be able to reduce the cost of IT in the long-run with the cloud (depends on your firm’s size and scope), but you will have a predictable budget to work with, which means you can contain costs and create greater predictability and smoother, linear cash flows. As an added bonus, you can better allocate funds to other strategic projects and areas more directly relevant to the business mission. Even within the IT discipline, instead of spending time on mundane, daily operation of commodity IT resources, the firm can focus on proprietary application development, application integration, cyber security protections or other strategic initiatives.