With 252 days until the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive comes into force, many firms operating in Europe are just starting to get ready or still trying to understand the gaps they need to address to comply with the General Data Protection Regulation (GDPR).
The GDPR represents a substantial overhaul of data protection legislation: the accountability principle will mean firms need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles; implied consent will no longer be acceptable, nor will opt-outs; the heavily publicised right to be forgotten will become a reality; and fines for breaches will be significantly higher - up to 20 million euros or 4% of global annual turnover, whichever is greater.
With so much information to digest and with only eight months left to prepare, Eze Castle Integration’s Chief Compliance & Security Officer, Bill Tan, and Director of Service, Simon Eyre, hosted a webinar to walk through the preparations required for GDPR as well as the implications & preparations for EU-based firms.
The most vital asset of a business is its data, and protecting that data is becoming more and more challenging. In our recent blog, Is Your Data Dirty? Data Hygiene Best Practices for Financial Services, we talk about securing your data and eliminating data that is no longer of appropriate use to your company. In doing so, you can help safeguard your firm.
“Dirty data” can include forgotten data, old reports, archived emails, and more. Duplicate data is similar to forgotten data because it is often not even known that the copy exists. Not having a firm handle on the data within your organization can increase storage costs, complicate IT environments and ultimately make your firm vulnerable to cybersecurity events.
Beyond Internal Data Hygiene
Going beyond understanding where your sensitive data lives and practicing good internal data hygiene, firms need to understand where it is overexposed, how it is being accessed and how to protect it.
To help clients take control of their data, we encourage firms to take advantage of file auditing tools such as Varonis’ DatAdvantage, which provide insight into when and by whom corporate files are opened, edited or shared. DatAdvantage, which is included with our Eze Cloud Solutions, also aids in identifying stale (i.e. dirty) data that is no longer accessed by actual humans.
Additional benefits of DatAdvantage include:
Monitoring All Real-Time Access: Varonis monitors every open, create, delete, and move event that any individual generates, as well as every email sent and received. You see who accessed data, the action they performed, the name and type of the accessed file or email, the folder the file is stored in or moved to, and when.
What is the GDPR and Who is Affected?
The General Data Protection Regulation (GDPR) was adopted and approved by the EU parliament in April 2016 and will supersede the UK’s Data Protection Act 1998.
The GDPR will come into force on Friday 25th May 2018. It will apply to organisations located within the European Union (EU), but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The main intent of the GDPR is to give individuals more control over their personal data, impose stricter rules on companies handling it, and make sure companies embrace new technology to process the influx of data produced.
From 25th May 2018, failing to abide by the GDPR’s principles will lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Since 2014, the Securities and Exchange Commission (SEC) has made it clear that cybersecurity risk is a top priority, and now, via its second round of examinations, the regulator has issued key observations to educate and inform financial firms and investment advisers of its growing expectations.
And while the SEC noted that, overall, firms demonstrated more preparedness than in the first round of exams in 2014, gaps remain within cybersecurity programs, notably around employee training, patch management and vulnerability assessments.
Following are noteworthy takeaways from the SEC’s cyber exam sweep observations:
Cybersecurity Gaps Observed:
Many firms’ policies and procedures were considered too vague or generic and failed to include specific safeguard examples or implementation procedures.
The SEC observed a failure by firms to ensure employees complete annual information security training, as well as a failure to take action against employees who did not comply with those requirements.
Unlike broker-dealers, the majority of advisers do not have incident response plans in place that include plans for notifying customers and counterparties of breaches.
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 1 is featured below. Part 2 will appear on Eze Castle Integration’s blog in the coming weeks – stay tuned!
The security risks we face are ever changing, and it’s a full-time job trying to keep pace. Attacks can spread quickly (think: WannaCry) and disrupt systems, networks and operations to the point of disaster. And social engineering scams – e.g. sophisticated, well-timed phishing emails – are targeting users more frequently, meaning your guards need to be up, technology and otherwise.
Unfortunately, many firms fall short when it comes to their cyber-security protections – and they often don’t realise it until it’s too late. These 10 common IT security gaps highlight areas where investment firms can take steps now to avoid risk in the future. These gaps are preventable, and when the next phishing email hits your inbox or a ransomware attack strikes, you can rest easier knowing you’ve plugged these common security holes.
Risk management and governance
Who owns the risk at your business? Cyber strategy and programmes start at the top, so your leadership team/executive board should be involved in discussions around cyber-security preparedness. You should also appoint a Chief Information Security Officer (CISO) to oversee the firm’s security posture. Oftentimes, this individual holds a dual role within the firm, also operating as the Chief Compliance Officer or Chief Technology Officer.
Risk management does not end with the CISO, however. There should be broad support and input across the firm with regard to cyber-security practices and governance policies.
In Part 1 of our hybrid cloud whitepaper excerpt, we reviewed the primary benefits of public, private and hybrid cloud infrastructures, and reviewed a number of considerations including service and support, availability and uptime, and proximity. In Part 2 below, we dive into additional factors to contemplate, specifically: security, application hosting and cost. The full whitepaper, Is Hybrid Cloud Right For Your Firm?, is available for download.
While your public cloud provider may provide world-class security for its services, your company is still on the hook for certifying all aspects of information security. For compliance-driven businesses, there are still countless vulnerabilities and exposures that public clouds often fail to address. Advanced security features such as multi-factor authentication, targeted attack protection and managed phishing simulations are gaining traction among private/hybrid cloud users, who benefit from their providers’ extensive managed security services.
Multi-factor authentication requires at least two authenticating factors to log into a system or network (e.g. strong passwords, security tokens, fingerprint scanning) and can add an additional layer of security for users across email, applications, etc.
Since email often serves as a gateway for hackers to surreptitiously penetrate networks, it’s become essential for firms to employ targeted protection tools and advanced email precautions to ward off these threats. That’s one of the many advantages a private cloud provider can bring to a firm. For example, next-generation security technology can protect private cloud users from attacks delivered through email, social media and mobile applications, prevent advanced attacks, and minimize compliance risks.
Below is an excerpt from our whitepaper, Is Hybrid Cloud Right For Your Firm?. If video is more your style, scroll to the bottom and watch our 30-minute webcast on hybrid cloud considerations for financial and investment firms.
With its security, privacy, and performance, the private cloud has been the go-to option for financial and investment firms that require enterprise-caliber IT infrastructure. In most cases, that private cloud is professionally managed by a service provider solely focused on monitoring, managing, and maintaining that infrastructure to meet business requirements and compliance directives. Thus, firms benefit from seasoned, industry-experienced professionals who live and breathe financial IT.
For many firms, so-called public cloud infrastructures offer compelling opportunities and advantages. For many smaller and younger firms in particular, the flexibility and ease of deployment are persuasive drivers. What’s more, the initial costs appear to be lower for certain feature sets (although an analysis of the total cost of ownership indicates that advantage is less clear-cut).
Hybrid Cloud: Bringing Them Together
Fortunately, investment firms needn’t take an “either/or” approach to their IT infrastructures. With a hybrid cloud approach that combines many of the most compelling features of public and private clouds, firms can leverage a uniquely flexible platform that meets a broad range of needs.
Which Cloud Has the Edge?
The decision regarding your IT infrastructure has significant implications on the ability of your investment firm to gain and maintain a competitive advantage. As you weigh your options – public, private or hybrid – it can be beneficial to consider the following aspects of cloud architectures and weigh their importance as unique to your individual firm.
We spend a lot of time making suggestions and recommendations about what financial and investment firms should do when it comes to their technology. And while it might sometimes seem obvious, we also think it wise to remind firms what not to do from time to time. In fact, the following technology pitfalls are prime examples of what not to do with respect to your firm’s IT.
Set IT and forget IT.
Technology isn’t evergreen, and it certainly isn’t infallible. With so many investment firms today reliant on managed service providers to support their IT operations, vendor management has become a critical area of importance. IT outsourcing gives firms a great opportunity to rely on experts to manage infrastructure updates, maintenance windows and network upgrades, but the onus remains on your firm to ensure your technology is up to snuff and meets not only your demands but those of investors and regulators as well. A “set IT and forget IT” strategy won’t work here; even with outsourcing, your IT management responsibilities fall on you.
Plan your infrastructure only for the short-term.
A crucial mistake often made by funds is not planning for the future. From the earliest pre-launch meeting, you should be thinking about what your firm will look like and what technology you will require down the road. Planning out two to three years in advance is recommended in order to reap the most benefits with regard to your infrastructure. Plus, if you don’t plan ahead, you may wind up incurring more costs and dealing with a much bigger headache if technology decisions need to be made unexpectedly (e.g. cloud and data migration).
As your firm evaluates moving to the cloud – as most firms today will inevitably do – your list of priorities will likely include:
Regulatory and investor impact
Migration plans and operational effects
Hardware disposal and infrastructure changes
But another critical business area your firm should put some thought into is the effect of the cloud movement on your internal IT department (assuming you have one). What exactly happens to a firm’s IT team once it moves operations into a cloud environment? Is there still value in maintaining an in-house staff?
The simple answer is ‘yes,’ but the day-to-day responsibilities for those staffers may not look quite the same post-cloud. Outsourcing to the cloud continues to grow in popularity among firms small and large. With a fully managed service provider, everyday management is typically taken care of – leaving internal resources with a lot more time on their hands. But that doesn’t mean there’s no longer a need for an IT department. And it certainly doesn’t mean IT managers should be left to twiddle their thumbs.
In fact, according to our Private Equity CTO Survey, 93 percent of firms believe their Chief Technology Officer is becoming more important to their business. As the role of the CTO evolves, particularly in light of cloud adoption, many firms expect their CTOs/IT Directors to take on additional responsibilities.
In today’s market, the pressure from both investors and regulators is steadily increasing. Reporting obligations have grown complex, transparency is in high demand and compliance technology has become a vital component of a firm’s success. With various demands pulling hedge fund managers in multiple directions, a Client Relationship Management (CRM) platform could be the solution your financial firm has been searching for.
That is why firms are increasingly adopting Ledgex CRM, the revolutionary, stand-alone Client Relationship Management solution offered by our sister company, Ledgex Systems. Ledgex CRM is ideal for managing and tracking investor communications, sales pipelines, client relationships and capital movements. The highly configurable, centralized platform is tailor-made for hedge funds, family offices and asset allocators.
The product offers the sophisticated Client Relationship Management capabilities necessary to raise and retain more assets, maintain and grow clients, provide outstanding client service and meet heightened reporting requirements. Out of the box, the web-based solution delivers efficiencies, transparency and flexibility without increasing headcount or costs. By streamlining investor relationship management and capital activity, Ledgex CRM enables managers to optimize their time and focus on fostering relations and growing business.