On our recent Emerging Manager Trends in Operational Due Diligence webinar, we looked at how today’s emerging managers face a number of challenges from fierce competition to the rapidly evolving investor IT due diligence process, especially in terms of scrutiny on technology processes and security safeguards.
The reality is that investors have a greater understanding of technology, are asking more probing due diligence questions and care about the responses they receive. In recent years the depth of DDQ questions around information technology and security has expanded as investors become increasingly savvy about IT and headlines around IT risks have grown.
Here at Eze Castle Integration we regularly assist our clients in completing the IT portions of investor due diligence questionnaires. The wording of questions varies but here is a handy list of 51 common IT due diligence questions we see.
- Provide an organization chart for the Company, its affiliates and key personnel.
- Provide the physical address and general contact information for each of the Company’s office locations.
- Provide the name and contact information of the Company employee(s) assigned to the client’s account(s).
- Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company’s organizational structure.
During a recent webinar on operational due diligence, we explored the changing ODD environment for emerging managers, and our guest speaker, Frank Napolitani of EisnerAmper, helped shed light on some critical missteps that could cause ODD teams to veto an investment.
At the highest level, investor due diligence experts see the following as the most egregious red flags:
Dishonesty: Demonstrated in the form of failing to disclose or withholding information. This shows a lack of integrity.
Belligerence: When managers exhibit an ‘I’m never wrong’ attitude and are unwilling to listen to objective advice.
Incompetence: When a firm or manager’s skillset doesn’t align with the expertise required for a particular function.
More specifically, there are a number of red flags that can give investors pause and lead to either increased due diligence or an outright rejection. From a recent Deutsche Bank survey, keep reading for a few reasons:
October is Cybersecurity Awareness Month, and since we've written A LOT about security over the last few years, we thought it would be helpful to share some of our favorite articles. Here are some of Eze’s latest and greatest cybersecurity articles - happy reading!
20 Cybersecurity Dos and Don'ts Your Employees Should Follow
What’s the Difference Between Next-Generation Firewalls and Traditional Firewalls?
Six Myths about Hedge Fund Cybersecurity
Is “Smart” Technology Invading Your Privacy?
Top 10 IT Security Audit Gaps and How to Avoid Them
An Achievable Calendar for Cyber Security Plan Implementation
Will Outsourcing Shield You from Cyber Threats?
Here Are Investment Managers' Biggest Cyber Security Fears
We all make mistakes, but when it comes to technology and investment operations, mistakes aren’t an option. So let’s look at seven common cloud mistakes we see financial and investment management firms make and talk about how to avoid them.
Mistake #1: Not Sizing Bandwidth to Business Needs
Determining the right amount of bandwidth comes down to the types of services being delivered and user expectations. Nothing ruins a cloud or really any computing experience like sluggish application and Internet performance.
Beyond bandwidth, firms must also consider latency. While latency issues don’t impact all applications (e.g. email is relatively insensitive), for others it is a killer. Latency has little place in trading applications or voice over IP services. When moving to the cloud, have a realistic conversation with the hedge fund cloud provider about the amount of bandwidth your firm really needs.
Mistake #2: Not Planning for Applications
Not all cloud platforms are equal, especially when it comes to supporting hedge fund specific applications such as Order Management Systems or Portfolio Accounting Systems. While a hedge fund may not launch day one with one of these applications, there is a good chance it will require one in the future. To help mitigate future growing pains, a hedge fund should plan for the future when evaluating cloud providers. Being shortsighted can result in future disruptions and integration pains.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a financial firm undertakes when outsourcing a function of its business to a service provider is enormous. Not only is the firm relinquishing control to an outside vendor, it also takes on the added burden of managing that company, in addition to its own.
I recently interviewed Eze Castle Cybersecurity and Data Privacy Analyst, Matt Donahue, and we spoke about how hedge funds, private equity firms and other alternatives can roll out and improve third party risk management programs.
Within an organization, where does the accountability for risk live and how do third parties fit into that structure?
Typically, when firms think about where responsibility and accountability live within their organization they mention compliance or information technology – when, in reality, there should be a sense of responsibility at almost every level. As we’ve noted before when talking about establishing a culture of security, tone should be set from the top down – and in this case, risk management responsibility starts at the top also.
If you’re making decisions with only a single lens on technology or cybersecurity or any one area – you’re missing the big picture. Senior execs bring a high-level viewpoint that will help the risk management program align throughout the entire organization.
Today’s emerging managers face a number of challenges: fierce competition and demanding investor expectations top among them. With operational due diligence processes evolving rapidly, how can emerging managers differentiate themselves and make an impression on skeptical investors?
During a recent webinar, speakers from Eze Castle Integration and EisnerAmper discussed the current environment for emerging managers and examined the following topics:
Key Qualities Investors Look For
Red Flags for Emerging Manager Investors
Investors IT Expectations
Why Firms Look to Outsource
Hackers are tricky. And one common phishing attack trick is registering domain names similar to those of the targeted organizations with the goal of capitalizing on typos or fast readers. It is a modern day sleight of hand.
Here’s an example. You search for West Hamilton Capital and www.westhamiltoncaptal.com pops up. If the phishing site looks similar to the real website, there is a good chance a visitor could be fooled. Additionally, the domain can be used in phishing email scams.
That is why it is important for firms to keep an eye on their company’s domain name variations. Some firms may even wish to proactively register variants or block similar domains to reduce the risk of them being used in social engineering scams against employees.
How Do Firms Monitor Domain Registrations?
DNStwist is a domain name permutation engine for detecting typo squatting, phishing and corporate espionage. Another option is the domain name permutation service, DNStwister, which generates a list of domain names that are similar to the one that is entered and checks to see if any of them are registered.
According to the DNStwister website, you can subscribe to receive alerts if a new domain is registered like yours, if an existing domain has changed IP address or has even been unregistered.
Here’s a sample DNStwister report for the fictitious West Hamilton Capital.
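To show what a permutation engine such as DNStwist does under the hood, here is an added example (my own code, not the DNStwist or DNStwister implementation) that generates common typo variants of a domain label and flags any that appear in a constructed list of registered domains; the keyboard map and the sample feed are assumptions for the illustration.

```python
# Added example (not the dnstwist/DNStwister code): generate typo-squat
# permutations of a domain and flag any that appear in a constructed
# "newly registered" feed, the way a defender monitors its own brand.

# Small adjacent-key map (subset of a US QWERTY layout) for "fat-finger" variants.
ADJACENT = {
    "a": "qwsz", "c": "xdfv", "e": "wsdr", "i": "ujko", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "s": "awedxz",
    "t": "rfgy", "w": "qase", "h": "gyujnb",
}

def permutations(domain: str) -> set[str]:
    """Return typo-squat candidates for 'label.tld' (only the label is mutated)."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i in range(len(label)):
        # omission: westhamiltoncapital -> westhamiltoncaptal
        out.add(label[:i] + label[i + 1:])
        # repetition: westhamiltoncapital -> westhamiltonccapital
        out.add(label[:i] + label[i] + label[i:])
        # transposition of two neighbouring characters
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        # adjacent-key replacement
        for k in ADJACENT.get(label[i], ""):
            out.add(label[:i] + k + label[i + 1:])
        # hyphenation between characters
        if i > 0:
            out.add(label[:i] + "-" + label[i:])
    out.discard(label)  # the genuine domain is not a lookalike
    return {f"{v}.{tld}" for v in out if v}

def flag_lookalikes(domain: str, registered: list[str]) -> list[str]:
    """Return entries of `registered` that are typo variants of `domain`."""
    candidates = permutations(domain)
    return sorted(d for d in registered if d.lower() in candidates)

# Constructed sample feed of registrations (illustrative, not real data).
SAMPLE_FEED = [
    "westhamiltoncaptal.com", "westhamiltoncapital.com", "example.org",
    "westhamiltoncapitla.com", "west-hamiltoncapital.com",
]

if __name__ == "__main__":
    for d in flag_lookalikes("westhamiltoncapital.com", SAMPLE_FEED):
        print("lookalike registered:", d)
```

Real tools add homoglyph, bit-flip and TLD-swap variants and then resolve each candidate via DNS; the matching logic above is the same, only the candidate list grows.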
The most vital asset of a business is its data, and protecting your data is becoming more and more challenging. In our recent blog, Is Your Data Dirty? Data Hygiene Best Practices for Financial Services, we talk about securing your data and eliminating data that is no longer of appropriate use for your company. In doing so, you can help safeguard your firm.
“Dirty data” can include forgotten data, old reports, archived emails, and more. Duplicate data is similar to forgotten data because it is sometimes unknown that the copy exists. Not having a firm handle on the data within your organization can increase storage costs, complicate IT environments and ultimately make your firm vulnerable to cybersecurity events.
Beyond Internal Data Hygiene
Going beyond understanding where your sensitive data lives and practicing good internal data hygiene, firms need to understand where it is overexposed, how it is being accessed and how to protect it.
To help clients take control of their data, we encourage firms to take advantage of file auditing tools such as Varonis’ DatAdvantage, which provide insight into when and by whom corporate files are opened, edited or shared. DatAdvantage, which is included with our Eze Cloud Solutions, also aids in identifying stale (i.e. dirty) data that is no longer accessed by actual humans.
Additional benefits of DatAdvantage include:
Monitoring All Real-Time Access: Varonis monitors every open, create, delete, and move event, and every email sent or received, that any individual generates. You see who accessed data, the action they performed, the name and type of the accessed file or email, the folder the file is stored in or moved to, and when.
In Part 1 of our hybrid cloud whitepaper excerpt, we reviewed the primary benefits to public, private & hybrid cloud infrastructures, and reviewed a number of considerations including service & support, availability and uptime, and proximity. In Part 2 below, we dive into additional factors to contemplate, specifically: security, application hosting and cost. Remember, to download the full whitepaper, Is Hybrid Cloud Right For Your Firm?, click here.
While your public cloud provider may provide world-class security for its services, your company is still on the hook for certifying all aspects of information security. For compliance-driven businesses, there are still countless vulnerabilities and exposures that public clouds often fail to address. Advancing security features such as multi-factor authentication, targeted attack protection and managed phishing simulations are gaining traction among private/hybrid cloud users who benefit from their providers’ extensive managed security services.
Multi-factor authentication requires at least two authenticating factors to log into a system or network (e.g. strong passwords, security tokens, fingerprint scanning) and can add an additional layer of security for users across email, applications, etc.
Since email often serves as a gateway for hackers to surreptitiously penetrate networks, it’s become essential for firms to employ targeted protection tools and advanced email precautions to ward off these threats. That’s one of the many advantages a private cloud provider can bring to a firm. For example, next-generation security technology can protect private cloud users from attacks delivered through email, social media and mobile applications, prevent advanced attacks, and minimize compliance risks.
Below is an excerpt from our whitepaper, Is Hybrid Cloud Right For Your Firm?. If video is more your style, scroll to the bottom and watch our 30-minute webcast on hybrid cloud considerations for financial and investment firms.
With its security, privacy, and performance, the private cloud has been the go-to option for financial and investment firms that require enterprise-caliber IT infrastructure. In most cases, that private cloud is professionally managed by a service provider solely focused on monitoring, managing, and maintaining that infrastructure to meet business requirements and compliance directives. Thus, firms benefit from seasoned, industry-experienced professionals who live and breathe financial IT.
For many firms, so-called public cloud infrastructures offer compelling opportunities and advantages. For many smaller and younger firms in particular, the flexibility and ease of deployment are persuasive drivers. What’s more, the initial costs appear to be lower for certain feature sets (although an analysis of the total cost of ownership indicates that advantage is less clear-cut).
Hybrid Cloud: Bringing Them Together
Fortunately, investment firms needn’t take an “either/or” approach to their IT infrastructures. With a hybrid cloud approach that combines many of the most compelling features of public and private clouds, firms can leverage a uniquely flexible platform that meets a broad range of needs.
Which Cloud Has the Edge?
The decision regarding your IT infrastructure has significant implications on the ability of your investment firm to gain and maintain a competitive advantage. As you weigh your options – public, private or hybrid – it can be beneficial to consider the following aspects of cloud architectures and weigh their importance as unique to your individual firm.