I love a good Throwback Thursday, and for today's post, I want to throw it back to five years ago this month. It was April 2012, and we were hosting one of our biggest and most ambitious events: a Hedge Fund Cloud Summit. At the time, cloud computing was widely discussed and adoption was certainly growing, but there were still a number of lingering questions heard across the industry with regards to financial and business impacts of the cloud, effects on in-house IT staffs and, of course, security.
We still answer many questions related to these topics today, so I thought it might be fun to take a look back at the four panel topics we addressed back in the 2012 event and examine how much the conversation has really changed - or in some cases, how perhaps it's stayed the same.
Making the Business (and Financial) Case for the Cloud
For hedge fund COOs and CFOs, the business impact of a move to the cloud is still a critical consideration for established firms. But many of the myths and common questions that were prevalent back in 2012 are now pretty easy to explain. How do investors feel about the cloud? In 2017, investors are generally comfortable with the cloud if not in favor of it over legacy, on-premise IT infrastructure setups. Is the cloud really more cost-effective? This question was a long-standing 'myth' that's been debunked; for some firms, yes, costs may be lower depending on their previous infrastructure and personnel situation, but for all, the predictability of cost is what has become a primary driver for cloud adopters.
I just finished Season 1 of Showtime’s ‘Billions’ and can’t resist calling out the horrible IT security on a key character’s laptop. ‘Billions’ centers on a multi-billion dollar CT hedge fund and federal prosecutors looking to take them down for financial crimes. [Spoiler Alert] As season 1 nears an end, US Attorney Chuck Rhoades easily logs into the laptop of his wife, who is also the hedge fund’s in-house psychiatrist. On the laptop he finds the incriminating evidence necessary to potentially take down Mr. Billions (aka Bobby "Axe" Axelrod).
From an IT security perspective, there were so many things wrong with this scene, but I’ll highlight three that any hedge fund, regardless of AUM, should consider:
First up: password security.
In ‘Billions’ they broke the golden rule of NEVER sharing your password, but beyond that, multi-factor authentication should have been implemented. Multi-factor authentication is established by requiring at least two authentication factors that are knowledge based (password), possession based (something you have – token, mobile phone) and/or inherence based (something you are – fingerprint or eye scan).
Eze Castle Integration’s Eze Managed Suite offering includes two-factor authentication via a tool called Duo. Duo combines knowledge based (password) with possession based (smartphone) authentication factors.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
They say the more things change, the more they stay the same. Turns out it’s a pretty accurate assessment of the hedge fund industry then and now.
You see, back in 2011 we hosted a “State of the Hedge Fund Industry” event that yielded some interesting trends and perspectives, and we thought it might be fun to not only look back at those trends, but compare them to what we’re seeing in today’s industry – more than five years later.
Like I said: the more things change, the more they stay the same.
Hedge Fund Market Trends & Challenges
THEN (2011): It’s been an interesting year thus far for hedge funds and other alternative investment firms, as inflows have been high but performance low. In addition to performance challenges, hedge funds continue to deal with increased competition for investments, and thus asset-raising remains a hurdle for many funds – regardless of their size or strategy.
How much security protection is enough? That’s a tough question to answer and the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers including Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list), however it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment firms must go beyond physical or virtual firewalls firms and establish a ‘Human Firewall,’ because sometimes technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into their ‘human firewall’? It has varying parts including policies, training, awareness and of course people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
2017 is quickly approaching and so are a plethora of new financial technology and operations articles here on Hedge IT. As we wrap up 2016, let’s take a look back and share some of our readers’ favorite articles from this past year.
Tips for launching a hedge fund are always popular on Hedge IT, and 2016 was no different. Earlier this year, Eze hosted a webinar featuring speakers Paul Schultz from Wells Fargo, Michael Mavrides from Proskauer Rose LLP, and Bob Guilbert from Eze Castle Integration. A few key takeaways from the 1-hour event include:
Understand that investors will expect enterprise-grade technology built in from Day 1.
Remember the advantages of the cloud: a predictable cost, flexibility and scalability (“tech on demand”), enterprise security, and professional management and monitoring.
Compare both the benefits and disadvantages of a “master fund” versus a “side-by-side” structure (e.g. the master fund allows for one set of books and trades, while the side-by-side structure allows for more tax flexibility)
Show investors that you have a 3+ year budget for working capital without any performance fees.
The following article was written and contributed by James E. Grand, Esq. of The Securities Law Group, a specialized boutique law firm dedicated exclusively to representing investment advisers.
We are often asked by advisers who are switching firms whether they can use in their own performance presentation or the predecessor firm’s performance record at their new firm. There are two separate questions here: First; if Jill Doe moves from one firm to another, can Jill use her own performance record while she worked at the old firm in the new firm’s advertising? Second, can Jill use the old firm’s overall performance record in the new firm’s advertising?
A number of SEC staff no-action letters address these questions. These no-action letters generally take the position that an advertisement that includes prior performance of accounts managed by advisors at their prior place of employment will not, in and of itself, be deemed to be misleading so long as:
1. The advertisement is consistent with SEC staff interpretations with respect to the advertisement of performance results.
2. All accounts that were managed in a substantially similar manner are advertised unless the exclusion of any account would not result in materially higher performance. For example, in one case we know of the SEC allowed a newly registered adviser solely owned by an employee to use performance data of several accounts managed by the employee prior to registration. In other words, Jill could advertise the performance of some but not all of her prior client accounts so long as such performance is not materially higher than her accounts’ overall performance.
3. The accounts managed at the old firm are so similar to the accounts currently under management at the new firm that the performance record would provide relevant information to prospective clients.
4. The person(s) managing accounts at the new firm are also those primarily responsible for achieving the prior performance results at old firm. In other words, the individual(s) primarily responsible for achieving the prior performance results must also be the individual(s) primarily responsible for the accounts at the new firm. To put in another way, it would be misleading for an adviser to advertise the performance results of accounts managed at her prior place of employment when she was one of several persons responsible for selecting the securities for the adviser’s clients. The question is whether she was actually responsible for making investment decisions without the need for consensus from other advisers (e.g., an investment committee, etc.).
5. The advertisement includes all relevant disclosures, including that the performance results were from accounts managed at another firm.
It’s no surprise that starting a hedge fund is no easy feat. In an increasingly competitive landscape challenged with evolving investor and regulatory demands, progressive technology and mounting cyber threats, emerging managers can become overwhelmed at the winding path that lay before them. Still, hundreds of emerging managers attempt launching every year due to the prospective monetary and fundamental rewards.
What sets apart successful startups from those that fail? In today’s post we will cover a few essential areas startupreneurs should consider during their launch journey.
Invest in People
Your greatest assets walk out of the door every day: Your team. Every hedge fund startup is backed by people, and the more dynamic and versatile this team is, the greater chance the firm has of achieving and sustaining a successful future. Why? Since capital is limited during the development phase, selecting people with skill sets in multiple arears is essential. Additionally, employees are ambassadors for your firm, and thus, critical to attracting investors.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. You can watch the full webinar replay here. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Whether it is your summer interns heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s An Employee Termination Checklist Foundation:
Contact IT Department or IT Provider to terminate or change network or application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure employee has documented transition procedures
Reset user password and disabled account