We’ve all heard the saying, “there are no stupid questions,” but when it comes to technology it is easy to feel undereducated. Knowing what to ask a hedge fund technology provider not only makes you look smart (or smarter!) but also ensures you get the right solution.hedge fund tech guidebook
In this article we’ll look at questions around Staffing, Client Service Model and User Support for your hedge fund technology Request for Proposal. Next week we’ll give questions for DR Plans, Information Backup & Retention and Data Security.
Staffing and Skills
Provide the total number of employees (current year and past year). Please show numbers for overall staff as well as a breakdown by function (e.g., developers, client service, etc.).
Provide the number of employees gained and lost (current year and past year).
Describe the organizational structure of your company. Please detail the roles specific to your business (e.g., engineers, client managers, trainers, QA, etc.)
How many full-time employees are assigned to these particular roles, by functional and geographic split?
What is the anticipated project resource profile through the stages of the implementation process?
When it comes to cybersecurity, the list of haves and have nots is constantly evolving due to the changing regulatory and threat landscape. In case you missed it, we hosted a webinar this week on Cybersecurity Basics for Asset Managers, during which we uncovered various elements within three primary cybersecurity layers: from Tier 0 (Basic Protection) to Tier 1 (Industry Standard) to Tier 2 (Advanced Protection).
How does your firm stack up when it comes to your cybersecurity practices? Watch the replay below and find out where you fit in.
Tier 0: We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
I just finished Season 1 of Showtime’s ‘Billions’ and can’t resist calling out the horrible IT security on a key character’s laptop. ‘Billions’ centers on a multi-billion dollar CT hedge fund and federal prosecutors looking to take them down for financial crimes. [Spoiler Alert] As season 1 nears an end, US Attorney Chuck Rhoades easily logs into the laptop of his wife, who is also the hedge fund’s in-house psychiatrist. On the laptop he finds the incriminating evidence necessary to potentially take down Mr. Billions (aka Bobby "Axe" Axelrod).
From an IT security perspective, there were so many things wrong with this scene, but I’ll highlight three that any hedge fund, regardless of AUM, should consider:
First up: password security.
In ‘Billions’ they broke the golden rule of NEVER sharing your password, but beyond that, multi-factor authentication should have been implemented. Multi-factor authentication is established by requiring at least two authentication factors that are knowledge based (password), possession based (something you have – token, mobile phone) and/or inherence based (something you are – fingerprint or eye scan).
Eze Castle Integration’s Eze Managed Suite offering includes two-factor authentication via a tool called Duo. Duo combines knowledge based (password) with possession based (smartphone) authentication factors.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third-party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
They say the more things change, the more they stay the same. Turns out it’s a pretty accurate assessment of the hedge fund industry then and now.
You see, back in 2011 we hosted a “State of the Hedge Fund Industry” event that yielded some interesting trends and perspectives, and we thought it might be fun to not only look back at those trends, but compare them to what we’re seeing in today’s industry – more than five years later.
Like I said: the more things change, the more they stay the same.
Hedge Fund Market Trends & Challenges
THEN (2011): It’s been an interesting year thus far for hedge funds and other alternative investment firms, as inflows have been high but performance low. In addition to performance challenges, hedge funds continue to deal with increased competition for investments, and thus asset-raising remains a hurdle for many funds – regardless of their size or strategy.
Our friends at Ledgex Systems are doing some sweet things (obligatory Valentine’s Day reference!) with their portfolio and research management system that warrant a mention.
As a lookback, in 2016 Ledgex introduced new features and enhancements aligned to the needs of family offices, endowments and foundations, wealth advisors, consultants and other alternative asset allocators. These noteworthy features include:
Comprehensive Portfolio Visualization Tools
Ledgex’s visualization tools optimize the presentation of data and notification/alert capabilities, and innovative dashboards bring key information to launch pages via interactive charts and graphs. Ledgex’s data aggregation tools also allow users to drill down deeper into data that helps uncover actionable insights.
An Enhanced Portfolio Management Workshop
Building off the assumption that a well-designed Workshop has all the tools a person needs, Ledgex created its own Workshop within the portfolio management module. Ledgex Workshop is designed specifically to enrich portfolio monitoring and modeling functions including performance, attribution, contribution, analytics, PM modeling and peer group analysis. Workshop provides the features, tools and reporting capabilities users require in an efficient and intuitive interface.
Advanced Research Management Capabilities
These days the value of having a system that combines portfolio management with research management cannot be ignored – and Ledgex is exceling in this area. Ledgex’s advanced RMS features simplify gathering, management and input of manager information while surrounding data with process driven workflows and dashboards.
With the Ledgex platform, users can collect and input manager data via a secure questionnaire or utilize the sophisticated email ‘listener’ tool which vastly simplifies the intake of enormous amounts of manager emails and documents. Ledgex then surrounds the data with advanced work-flows guided by sound research methodology and presents the most important information.
Categorized under: Software
When evaluating a cloud services provider there are a lot of factors to take into consideration: features & functionalities, security protections, provider experience, and industry certifications just to name a few. We've identified some of the most important questions today's investment management firms should be asking cloud services providers during the selection process.
Five or seven years ago, these questions would probably be fairly basic in nature. Does the infrastructure isolate individual client environments? (Yes). Can the cloud environment scale to meet a firm's growing resource needs? (Yes). In 2017, we can safely assume you understand the basics of the cloud, so the questions we've identified move beyond the basic and focus on critical infrastructure, security and support questions your cloud provider should be able to address.
Top Ten Questions to Consider:
I'm most concerned about the security of my data. What types of security layers do you employ across the cloud platform and your broader organization to guarantee the safety of my firm's information?
Does your cloud leverage proactive security technologies such as intrusion detection and prevention, next-generation firewalls and regular vulnerability assessments and/or penetration tests?
We educate our clients all the time about how to keep their organizations secure and mitigate against insider and outsider threats. But one area of security often overlooked is that of the home office – and the home itself on a larger scale. With new technologies constantly being released – and many of today’s devices linked via the Internet of Things (IoT) – the likelihood of being hacked or having private information stolen also increases.
Emerging ‘smart’ technologies such as Amazon’s Echo and Google Home are making their way into many homes, making it simple to find for users to stay up-to-date on the latest news, ask for directions, or hear tomorrow’s weather forecast. The Echo’s voice assistant, Alexa, for example, can complete advanced tasks such as turning on lights and changing the temperature of your home.
But what if these technologies are jeopardizing the inherent privacy of your own home? Let’s take a look into the future.
How much security protection is enough? That’s a tough question to answer and the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers including Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list), however it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment firms must go beyond physical or virtual firewalls firms and establish a ‘Human Firewall,’ because sometimes technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into their ‘human firewall’? It has varying parts including policies, training, awareness and of course people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
Public Wi-Fi networks are incredibly convenient and can be a great resource for airport layovers, coffee shop meetings or lengthy train commutes, but alongside convenience are a host of unnecessary risks. On open, unsecure networks, information is generally unencrypted, meaning with the use of a wireless network analyzer, it’s fairly easy to see what others are up to. What attackers try to do is intercept the communication between your computer and the computer you are sending information to so that they can gather useful information. A hacker, for instance, can see what webpages you’ve visited and what credentials you’ve entered into forms.
Common attacks that occur on public Wi-Fi include:
Man-in-the-middle attacks (MITM)
Attackers will set up their own network between your computer and the computer you are connecting to so that all the information you enter is first routed through their device.