To wrap up and round out our 6-week Risk Outlook Webinar Series, we spoke with John Cotronis, Executive Director at JP Morgan, about hedge fund risk management and governance. Specifically, he addressed the following questions:
What have you observed in recent years in terms of changes affecting hedge funds – particularly at the startup phase?
Have you noticed a marked shift in the importance managers are placing on risk?
Do the firms you typically engage with have staff on hand to manage risk – compliance officers, etc.?
In terms of corporate governance, where do you see investment firms excelling when it comes to implementing risk management controls and also fostering a culture of risk management across the firm?
Let’s talk a little bit about counterparty risk. What kind of criteria are you looking for that indicates to you a provider has the right risk management framework and best practice structure to support your clients?
A lot has gotten tougher for firms, particularly on the investment side with capital raising, also with regulatory reporting, etc. What areas of operations do you think have gotten easier for hedge funds over the years?
What is your assessment of outsourcing risk – is it higher or lower than managing various functions in-house?
As financial firms become increasingly interconnected and globalized, their dependence on cyberspace has skyrocketed. While this amplified reliance on the infobahn has accelerated productivity and growth, it has also exposed firms to larger risks, such as hacking, malware, spyware and social engineering. The latter, which is the most disregarded element of an organization’s security program, is also the most dangerous.
Social engineering (e.g. phishing, pretexting, baiting, etc.) relies on the exploitation of human behaviors to breach an organization’s information security system. Hackers prey on propensities of human nature, including:
Trust: Some people are trusting to a fault; therefore, they do not question the intentions/identity of another person until proven to be false.
Ignorance: Disregard for the consequences of carelessness with sensitive business information.
Laziness: Willingness to cut corners, such as not filing away confidential paperwork and leaving it exposed for others to see.
Kindness: Employees want to feel that others can leverage them for their assistance and information because we’ve trained them to do so. However, this can lead to divulging too much information to the wrong person.
As our Risk Outlook Series continues, we recently spoke with John Araneo, Partner at Cole-Frieman & Mallon LLP in New York, about many of the regulatory risks facing hedge funds today, including compliance, expense allocations and cybersecurity. Continue reading for a brief synopsis or scroll down to watch our webinar replay below.
How would you describe the current regulatory climate for fund managers and investment advisers?
For hedge fund managers and investment advisers, the regulatory expectations have never been higher. Looking ahead to 2017, managers and advisers should expect the challenge of having to navigate potentially seismic regulatory changes - each of which has the potential to complicate business practices and add to the cost and complexity of compliance.
How should clients prepare to react to these changes?
It’s a top-down approach that all comes down to compliance. A culture of compliance is no longer a lofty goal or a cliché; it is now a regulatory expectation. There needs to be a robust compliance program, actual implementation, and accountability. Clients should be prepared and able to effectively manage the SEC examinations. Managers need to take time to understand regulatory priorities and expectations before an exam.
What is the current regulatory regime's appetite for outsourcing the compliance function?
There is no requirement for firms to employ a full-time person to service compliance. However, the worries about outsourcing certain functions, particularly the compliance officer function, may lead to weakened compliance culture. The opportunity of outsourcing creates a gap between the compliance function and the operations, decision makers and day-to-day activities. Outsourcing can be effective and sufficient, but management needs to resist setting it and forgetting it.
With October being cybersecurity awareness month it is an important time to ensure your firm and employees are aware of and using best practices, and security policies and procedures. Risk mitigation is needed to protect both the firm and its employees from savvy hackers and attacks. Data breaches continue to wreak havoc on businesses, and the cost is continuously rising. According to the Ponemon Institute, the total average cost of a data breach is now $4 million, up from $3.8 million in 2015. Hackers have everything to gain while your firm bears reputational and operational harm.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. To get started here are just a few pieces of advice we offer our investment firm clients and remember to not only inform employees on what to do, but also what not to do.
In honor of October being National Cyber Security Awareness Month, we’ll be bringing helpful articles on a range of topics starting with this one on understanding malware.
We’re also debuting our first interactive game, FreEze!, where your challenge is to hit malware before it hits you (à la Space Invaders). Play the game below or keep reading for more on malware -- or do both!
Play FreEze and be a Malware Fighter
As of Wednesday, October 5, 2016, computer models continue to show Hurricane Matthew traveling along the southern eastern states starting in Miami early Friday morning and reaching Norfolk, VA early Monday morning. At this point, it’s too early to determine if Hurricane Matthew will head out to sea once it reaches Virginia or continue up to the Northeastern states.
Whether you’re in the south or north, now is the time to prepare your office and home for a potential impact of the storm. The following is a high level review of continuity steps you should consider:
Communicating with Employees
If you haven’t already, create a communication process to ensure you can notify your employees and/or clients. For internal communications, you can use an employee call tree which can be created in word or excel, create a distribution list in your mobile device or subscribe to an automated notification system. Firms must ensure messages are communicated to employees (or clients) properly and in a timely manner. Using a process will ensure all employees receive the same message immediately via email, phone call and/or text message. Whichever method selected, ensure there is a dedicated employee that is aware of their role and prepared to send the communication when appropriate.
Employees’ Work Locations
If your plan is to have employees work remotely should an incident occur, steps should be taken to ensure that employees will have access to all required resources for performing their daily tasks. This includes checking to see that the company has adequate Citrix licenses and having employees do a test run.
To avoid questions and confusion, work location procedures should be clearly communicated to all employees in advance to ensure that any unexpected challenges are dealt with before any disaster.
Employee Remote Access Test
Before Hurricane Matthew reaches your office or home, validate employees have all of the required resources to work remotely. You can validate this process by having key employees do a remote access test to ensure any issues are addressed before an incident impacts your office. Here are some recommended steps to have your employees follow as part of the testing process:
Validate successful communication to internal and external dependencies
Confirm full functionality of required applications
Perform all critical business functions
Confirm access to vital records (key files and documents)
Ensure employees can receive incoming calls, while working remotely, by activating phone recovery procedures or using phone redirect instructions
Disaster Recovery Activations
Depending on the impact of Hurricane Matthew, some firms may need to activate their disaster recovery systems. We recommend you review the activation procedures now to ensure a smooth transition of the systems, if needed.
In Part Three of our Risk Outlook Webinar Series, Michael Corcione, Managing Director of Cordium, spoke about compliance and cybersecurity trends in the investment industry. Although cybersecurity risks and struggles can vary from firm to firm, it is important to address a number of key areas.
Continue reading for quick takeaways or scroll down to watch the 30 minute video replay.
Good security can be achieved as firms move from reactive to proactive strategies. Firms usually start with the goal of checking the box for regulators, but they need to get beyond the 'check-the-box' exercises and test controls. The SEC’s 2015 cybersecurity guidance update provided more specific insights on cybersecurity focus areas for investment firms - governance and risk assessments, training and awareness, incident response, data loss prevention, access rights controls, and vendor risk management. Hedge funds and investment firms should use this as a framework, understand how they have addressed these areas and where they need to improve.
A good cybersecurity program starts with the leadership team, and they need to set the tone from the top down. This way everybody understands the impact of risk and its effects on the firm. Leaders should acknowledge risk, understand risk, and lead ongoing discussions firm-wide.
The recent explosions that rocked the Chelsea neighborhood of New York City and the town of Seaside Park, New Jersey remind us all that we can never be too prepared for an emergency situation. Following are a few reminders to ensure the safety of your employees and the business continuity of your firm during these types of disaster scenarios.
Assessing the Scenario
Every scenario is different and lends itself to a certain degree of impact, whether it’s confined to an office building or a broader regional impact. Start with ensuring that your employees are accounted for and in a safe location. Then consider: will the events at hand impact their ability to continue with their jobs? Obviously, if the office space is affected, a secondary location may come into play, or firms may opt to allow employees to work remotely. Next, review critical business systems, data and resources. Are your data and assets up and running so employees can continue business functions? Are phone systems or email functioning properly?
Internal and External Communication
Depending on the severity of the situation, you’ll need to determine the level of communication to both internal and external parties. If the event or disruption will impact employees getting to or from the office or if the building is inaccessible, obviously you’ll need to notify personnel. If there may be an impact to the business itself (trading, for instance), you may want to communicate with external parties such as investors, business partners, and/or regulators. It’s helpful to have a communication plan in place to guide this process. And remember: all communications should be reviewed and approved by the individual(s) overseeing the business continuity program and the plans associated with it.
Categorized under: Business Continuity Planning
During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.