There’s a lot hackers can do to wreak havoc for private equity and other investment firms – and it extends far beyond forcing users to change their passwords. In fact, with their roguish hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity.
Systems & Network Access
Of course, with stolen passwords and login credentials, hackers can gain access to company systems and networks – not an insignificant feat. Unfortunately, we’ve seen many cases over the years where users reuse the same password across multiple systems – meaning that once a hacker cracks or steals that one password, it becomes a profitable gateway well beyond the user’s individual email account.
That said, within that email account alone, a number of critical dangers await. For example, inside your mailbox a hacker can read, send and delete communications at will, potentially intercepting sensitive company material, financial data or personal details they can use to infiltrate your network further. They can also quietly add a forwarding rule so copies of your mail keep reaching them after you change your password, which is why a compromised account should be checked for unexpected inbox rules and active sessions, not simply re-passworded.
They can also easily work out the corporate hierarchy and capitalize on relationships with those responsible for company payments and financials. For instance, they may send a phishing email to your CFO, posing as you, requesting a fund transfer to a bank account number they supply – and depending on your role within the firm, such a request may look routine and be executed without question. This is classic business email compromise, and the only dependable defense is a standing rule that every payment instruction, new or changed, is confirmed out of band (for example, by calling the requester back on a known number) before any money moves.
Beyond email, if a hacker gains entry to your firm’s network, they may also get their hands on company files, personnel information, financial reports, and more.
As your firm evaluates moving to the cloud – as most firms today will inevitably do – your list of priorities will likely include:
Regulatory and investor impact
Migration plans and operational effects
Hardware disposal and infrastructure changes
But another critical business area your firm should put some thought into is the effect of the cloud movement on your internal IT department (assuming you have one). What exactly happens to a firm’s IT team once it moves operations into a cloud environment? Is there still value in maintaining an in-house staff?
The simple answer is ‘yes,’ but the day-to-day responsibilities for those staffers may not look quite the same post-cloud. Outsourcing to the cloud continues to grow in popularity among firms small and large. With a fully managed service provider, everyday management is typically taken care of – leaving internal resources with a lot more time on their hands. But that doesn’t mean there’s no longer a need for an IT department. And it certainly doesn’t mean IT managers should be left to twiddle their thumbs.
In fact, according to our Private Equity CTO Survey, 93 percent of firms believe their Chief Technology Officer is becoming more important to their business. As the role of the CTO evolves, particularly in light of cloud adoption, many firms expect their CTOs/IT Directors to take on additional responsibilities.
In today’s market, the pressure from both investors and regulators is on a steady incline. Reporting obligations have grown complex, transparency is in high demand and compliance technology has become a vital component of a firm’s success. With competing demands pulling hedge fund managers in multiple directions, a Client Relationship Management (CRM) platform could be the solution your financial firm has been searching for.
That is why firms are increasingly adopting Ledgex CRM, the revolutionary, stand-alone Client Relationship Management solution offered by our sister company, Ledgex Systems. Ledgex CRM is ideal for managing and tracking investor communications, sales pipelines, client relationships and capital movements. The highly configurable, centralized platform is tailor-made for hedge funds, family offices and asset allocators.
The product offers the sophisticated Client Relationship Management capabilities necessary to raise and retain more assets, maintain and grow clients, provide outstanding client service and meet heightened reporting requirements. Out of the box, the web-based solution delivers efficiencies, transparency and flexibility without increasing headcount or costs. By streamlining investor relationship management and capital activity, Ledgex CRM enables managers to optimize their time and focus on fostering relations and growing business.
Following is an excerpt from our whitepaper, Outsourcing Point-Counterpoint: Examining C-Level Perspectives at Hedge Funds and Private Equity Firms. The full paper is available for download.
Outsourcing IT can be controversial across the C-suite. Your firm's CFO may see the move as financially responsible and a long-term strategic solution. Your CTO may have concerns about retaining control of the IT environment. Both sides have unique perspectives.
Just because CFOs/COOs and CTOs have different views into IT operations, outsourcing and the cloud, doesn’t mean there is no common ground. After all, both leaders ultimately want what’s best for investors and the firm. When you dig a little deeper, there are far more areas where CFOs/COOs and CTOs agree than where they differ when it comes to outsourcing IT. For example:
The outdated due diligence argument against going to the cloud has been turned on its head in the current regulatory environment. CTOs may feel they’re doing the appropriate due diligence to manage all the risks themselves. However, assessing your own risk objectively is incredibly challenging. To thoroughly evaluate risk, and to answer investors’ five-, 10- or even 20-page due diligence questionnaires about technology, partners, vendors, cybersecurity and operations, CTOs must devote enormous amounts of time – repeatedly. Risk assessments are not one-and-done tasks. Vulnerabilities, particularly cybersecurity weaknesses, should be assessed in depth at least every six months, and identified issues must be remediated and tracked to closure, not merely recorded.
Social engineering tools and tactics have transformed in recent years, and we often stress here on Hedge IT the importance of IT security, particularly when it comes to sophisticated phishing and spear-phishing campaigns via email.
One tactic we haven’t touched on is voice phishing (also known as ‘vishing’), which works toward the same ultimate goal – prompting an end user to take some action that compromises the user’s system or results in a fraudulent wire transfer – except this time it’s done over the phone.
Voice phishing scams are growing in popularity. They often catch busy users at the end of the work day with their guard down, hoping they’ll ignore the best practices they’ve learned and instead hand over sensitive information to the person on the other end of the line.
Here are a few recent examples of voice phishing scams we’ve seen:
IRS Robocalls. At the end of tax season earlier this year, many people found themselves fielding threatening calls from scammers posing as Internal Revenue Service employees and insisting the victim owed back taxes. Unfortunately, these robocall scams worked. According to the Treasury Inspector General for Tax Administration, more than 10,000 victims have paid a collective $55 million since October 2013. TIP: The IRS almost never makes first contact by phone (or text, email or social media). If they want to get in touch, they’ll send you a letter first.
Department of Motor Vehicles. Of a similar nature, vishing schemes have popped up across the US with victims receiving phone calls from supposed DMV employees requesting payments, social security numbers and debit card information. Texting and social media have also become popular avenues for these scams.
The WannaCry ransomware attack is slowing as IT teams across the globe work to deploy patches, disable SMBv1 and recover files, but we are still very much in the midst of the situation. Here’s a look at what we know and what we can do in an effort to prevent future attacks.
What is the WannaCry Ransomware?
On May 12, 2017, a new ransomware strain known as WannaCry (also called WannaCrypt, and initially detected by some antivirus vendors as Ransom.CryptXXX) began spreading globally, affecting a large number of organizations. WannaCry encrypts data files and demands a ransom paid in bitcoin. The ransom note states that the payment amount doubles after three days and that the encrypted files will be deleted if no payment is made within seven days.
We have since learned that the bitcoin wallets are no longer being monitored and that there never was an automated decryption process tied to payment, so victims should not pay the ransom. Restoring from backups is the best course of action – provided those backups are offline or otherwise unreachable from the infected machine, since WannaCry also encrypts files on mapped drives and accessible network shares.
How Did WannaCry Spread?
WannaCry can spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in the SMBv1 implementation in Microsoft Windows (the flaw addressed by security bulletin MS17-010 and targeted by the leaked EternalBlue exploit). Any Windows computer that has not had that security update applied is at risk of infection, and a single unpatched host is enough to let the worm loose on a network segment.
According to Microsoft, “A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”
How is WannaCry Stopped?
Applying the most recent Microsoft patches – at minimum the March 2017 MS17-010 update – is the primary protection against WannaCry infection. As an immediate interim measure, disabling the legacy SMBv1 protocol removes the service the worm exploits, and blocking inbound TCP port 445 at the perimeter and between network segments limits how far it can spread. Note that disabling SMBv1 is a mitigation, not a substitute for patching, and it can break legacy devices (older printers, scanners and NAS units) that only speak SMBv1, so test before rolling it out firm-wide.
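As an added example (this is not code from the original post, nor a Microsoft-supplied script), the following PowerShell audits a Windows host for SMBv1 and disables it on both the server and client side, with a -WhatIf dry run so the change can be previewed before it is made. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the registry and sc.exe fallbacks are the steps Microsoft documents in KB2696547 for Windows 7 / Server 2008 R2, where the SmbShare module is absent. The script name Disable-Smb1.ps1 and the function names are my own. It does not install MS17-010; patching is still required.

```powershell
# Added example: audit and disable SMBv1 as an interim WannaCry mitigation.
# Assumes an elevated PowerShell session. Not part of the original post.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Mrxsmb10Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Returns one object describing server-side, client-side and feature state.
    $status = [ordered]@{}

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # No SmbShare module (Windows 7 / 2008 R2): an absent SMB1 value means enabled.
        $p = Get-ItemProperty -Path $LanmanServerKey -ErrorAction SilentlyContinue
        $status.ServerSmb1Enabled = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
    }

    # Client-side driver: Start = 4 means disabled; a missing key means not installed.
    $drv = Get-ItemProperty -Path $Mrxsmb10Key -ErrorAction SilentlyContinue
    if ($null -eq $drv)         { $status.ClientSmb1Driver = 'NotPresent' }
    elseif ($drv.Start -eq 4)   { $status.ClientSmb1Driver = 'Disabled' }
    else                        { $status.ClientSmb1Driver = 'Enabled' }

    # Optional feature package on client SKUs, if the DISM cmdlets exist.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $status.Smb1OptionalFeature = $feat.State } else { $status.Smb1OptionalFeature = 'n/a' }

    [pscustomobject]$status
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Server side: stop this host from accepting SMBv1 connections.
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 server protocol')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # KB2696547 method for Windows 7 / 2008 R2.
            Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWORD -Value 0 -Force
        }
    }

    # 2. Client side: stop this host from speaking SMBv1 to others, which limits
    #    lateral spread if it is compromised later. Both commands are from KB2696547.
    if ($PSCmdlet.ShouldProcess('mrxsmb10', 'Disable SMBv1 client driver')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # 3. Remove the SMB1 feature package where the platform ships one.
    if ($PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        if ((Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) -and
            (Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue).Installed) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        }
    }
}

Write-Host 'SMBv1 state before:'
Get-Smb1Status | Format-List

Disable-Smb1

if (-not $WhatIfPreference) {
    Write-Host 'SMBv1 state after (the client-side change takes effect after a reboot):'
    Get-Smb1Status | Format-List
}
```

Save the block as Disable-Smb1.ps1 and run `.\Disable-Smb1.ps1 -WhatIf` first to see what would change on that host; the server-side change applies immediately, the client driver change needs a reboot. Because the script touches the workstation service dependencies, run it against a test host that still talks to any legacy SMBv1-only device before deploying it through your management tooling.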
Lessons Learned from WannaCry?
Experts warn that WannaCry may not be over just yet, so we’ll tread lightly on ‘lessons learned’, but there are a few we can share:
Voice over IP has come a long way, especially in the business world, but many financial services firms still have hesitations about making the switch. To assist hedge funds and private equity firms in making a decision about voice solutions, we're debunking some common myths.
MYTH 1: Poor Call Quality – Everyone Will Know I’m on VoIP
A main concern with VoIP is call quality, which can be affected by a number of factors, including the network, available bandwidth and even the type of phones being used. However, a well-designed, business-caliber VoIP system can deliver call quality comparable to an in-house phone system. In business settings, where calls travel over private IP connections rather than the public internet, Quality of Service (QoS) can be monitored and guaranteed because the entire path is under the control of the firm and its provider.
When evaluating VoIP for financial firms, it is important to inquire about the underlying network and how voice traffic is prioritized and routed. You want a provider that has full control over network traffic and can ensure high quality of service. For added confidence, ask to speak with existing VoIP customers (over the phone!) to hear about their experiences first-hand.
Regulatory expectations and financial markets continue to evolve. Ensuing from these shifting landscapes are heightened pressures on the shoulders of investment firms to deliver greater transparency, manage complex relationships, improve the overall due diligence process and utilize mass data in a more interactive and intelligent way.
In this article, let's explore some common questions around how Research Management Software (RMS) and Portfolio Management Systems (PM) work together.
What are the key benefits of utilizing a Portfolio Management (PM) solution?
It likely goes without saying, but portfolio management systems are core to the investment operations of an investment firm. In the age when transparency is the rule, these systems allow managers to fully understand and manage portfolios and share that transparency with investors or other interested parties. The features of these systems continue to evolve.
For example, a Portfolio Management solution that incorporates models (e.g. the Yale model) for cash forecasting lets users forecast future asset values and cash flows of illiquid alternative assets, such as private equity investments. This forward-planning capability lets firms anticipate future cash requirements and avoid a liquidity crisis.
What can hedge funds and private equity firms learn from the Google Phishing Attack?
Employees can either be your firm’s biggest strength or biggest threat when it comes to phishing. It is critical that your employees receive regular information security awareness training to better understand the types of security threats with the potential to hit their inbox.
Beyond annual training, managed and simulated phishing exercises (like Eze Managed Phishing & Training) are reliable, cost-effective tools to train users to identify red flags in emails and avoid succumbing to malicious attacks.
What Netflix Reminded Us about Vendor Risk Management
The Netflix security breach – in which unreleased content was stolen not from Netflix itself but from a third-party post-production vendor – highlights the critical importance of managing third-party vendors for firms and businesses that rely on outsourced providers to support their operations. A few key reminders on vendor due diligence and risk management:
Understand who your outsourced providers are, what functions they provide and what data/systems they have access to
Consider sending regular requests for proposals (RFPs) and DDQ documentation requests to any third parties you are evaluating or those you are already engaged with
Continuously evaluate and monitor to ensure all parties are achieving their end goals and meeting expectations
Conduct regular vulnerability assessments and/or penetration tests to have a clear understanding of your own IT security weaknesses
Remember: It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that provider in an effort to protect your own firm.
If there’s one thing we’ve learned over the years when it comes to security, it’s that there’s a whole lot more to creating a secure investment firm than robust technology. Before identifying infrastructure components and implementing operational policies, a firm must first be clear on what its attitude is toward security. This attitude will filter through the company from the top down, and will therefore dictate how employees and the business as a whole operate on a daily basis.
To give you a clearer understanding of what we mean, we’ve created three security profiles that cover a wide spectrum in terms of security attitudes and practices.
Under the Radar: Low Security
If your attitude toward security is low, odds are you’re barely scraping the surface in terms of the practices and policies you should be employing to maintain proper security firm-wide. You likely rely on quick fixes to solve problems instead of looking at the bigger picture and thinking strategically about how security can both benefit and protect your business. You’ve made minimal preparedness efforts and could be in for a difficult time if faced with a serious security incident. You probably take an “it won’t happen to me” attitude and don’t take security seriously enough – a stance that could endanger your firm in the long term.