The Essential Tech Guide to Starting a Hedge Fund


About Eze Castle Integration

Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management. The company's products and services include Private Cloud Services, Technology Consulting, Outsourced IT Support, Project & Technology Management, Professional Services, Telecommunications, Business Continuity Planning and Disaster Recovery, Archiving, Storage, Colocation and Internet Service. Eze Castle Integration is headquartered in Boston and has offices in Chicago, Dallas, Hong Kong, London, Los Angeles, Minneapolis, New York, San Francisco, Singapore and Stamford. Visit us at

TABLE OF CONTENTS

INTRODUCTION
TECHNOLOGY PRIORITIES
BASIC IT CHECKLIST
CLOUD IS A NO-BRAINER
HEDGE FUND CYBERSECURITY
  Technology
  Processes
  People
DISASTER RECOVERY AND BUSINESS CONTINUITY
INVESTOR DUE DILIGENCE
COMMON IT MISTAKES
CONCLUSION
APPENDIX A
APPENDIX B
ABOUT EZE CASTLE INTEGRATION

Eze Castle Integration

INTRODUCTION

If there's one certainty when it comes to launching a hedge fund, it's that success is not guaranteed. Navigating a successful startup is a challenging process and one that requires a vast amount of thought before the official launch. In today's rapidly changing environment, hedge funds and other alternative investment firms are faced with mounting regulations and regulatory guidance as well as growing investor expectations with regard to transparency, operational safeguards, security and data protection.

With The Essential Tech Guide to Starting a Hedge Fund, we aim to identify and examine the key priorities for investment management firms with regard to technology and operations, notably infrastructure planning, cybersecurity protections and business resiliency. We'll also share some common IT mistakes we see many new startups succumb to and share advice on how your firm can avoid them.

TODAY'S TECHNOLOGY PRIORITIES

Technology was historically an afterthought for many hedge funds and a check-the-box item at that. Many startups took the approach that they could get away with the bare minimum on the technology front, often overlooking the reality that technology today is a critical component to a hedge fund's daily operations.

Today's hedge funds are generally embracing the role technology plays in investment management operations. In fact, in today's competitive landscape and with investors expecting more than ever from funds, technology has really emerged as a competitive differentiator and an asset that can help grow a firm's business.

2015, specifically, has posed its challenges for hedge funds and investment firms, as the Securities and Exchange Commission (SEC) and the investor community as a whole have highlighted cybersecurity as one of the most critical areas of focus. Beyond security, hedge fund startups continue to face challenges as they look to keep pace with their established competitors and make their own impression on the marketplace.
From a technology standpoint, we've identified three top priorities for hedge funds and investment management firms looking to find startup success.

1. Select the right service providers. Experts will agree this is one of the most critical decisions a startup will make. When it comes to a firm outsourcing any of its needs (whether that be technology, administration, accounting, etc.), it is imperative that firms do their due diligence in choosing providers that can meet the unique requirements. In order to find success, firms should look to enter into trusted partnerships with key service providers: engagements that offer open lines of communication, flexibility and ultimately trust and accountability.

2. Understand your firm's vulnerabilities and exposures. Cybersecurity is the single most talked about area of technology right now, not only for hedge funds, but for businesses of all kinds. At a minimum, an investment firm, and not just its IT provider, needs to understand the potential risks that could affect the business and what safeguards are in place to protect those assets. With both regulators and investors asking thoughtful and intelligent questions with regard to cybersecurity, funds must have a thorough understanding of the threat landscape and employ comprehensive strategies to mitigate risk across the firm.

3. Employ an infrastructure solution your firm can grow with. This is one of the most common mistakes new launches make. Many funds assume since they are just starting out, they only require the bare minimum in terms of technology. They are thinking about now; but what they aren't thinking about is what will happen down the road in two, three or five years. Some might argue that thinking too far ahead could be detrimental to the firm and set them up for imminent failure. The reverse, however, is equally as concerning. Odds are, if a firm is performing well after the first couple of years, it is going to outgrow its current IT system and, therefore, require a much more complicated transition. By taking the time initially to think through what the firm's needs will be down the line and implement systems that can grow along with them, the startup is in much better shape to minimize the time and money they spend on technology in the future.

BASIC IT CHECKLIST

As a new firm, your to-do list is going to be lengthy: formation structures, legal requirements, service provider evaluation, etc. On the technology front, there are also a lot of items to think through. Below is a very basic IT checklist firms should put thought into long before the official fund launch.
- PCs, laptops, and mobile devices
- Access to email, file services and storage
- Telecommunications and networking connections
- Voice services and phone hardware
- Disaster recovery and business continuity plans
- Information security and associated policies and employee procedures
- Compliance and archiving solutions (if regulatory requirements for data retention apply, for example)
- Access and integration with hedge fund applications (e.g. Order Management Systems, Portfolio Accounting solutions, etc.)

For a more comprehensive IT checklist, see Appendix A.

CLOUD IS A NO-BRAINER

In order to support all of the systems and capabilities we mentioned above, a startup will first need to select the type of infrastructure platform to rely on. Five years ago, this stage of the planning process was probably a much longer consideration period, as firms would traditionally build out expensive Comm. Rooms or potentially weigh that option against what was then a relatively new idea: the cloud. Today, however, the cloud is essentially a no-brainer for hedge fund startups. Most new launches are looking for a simple yet complete solution, inclusive of disaster recovery and cybersecurity protections, to support operations on Day One, and 99.9% of the time, that's a private cloud.

While not all cloud platforms are created equal, hedge funds typically select private cloud solutions that deliver key benefits including:

- Cost Predictability: The cloud provides a fully managed, all-inclusive IT solution, reducing CapEx & OpEx and giving firms increased visibility and predictability when it comes to IT budgeting.
- Infrastructure Reliability: It's built on a robust, high-performance infrastructure that is professionally managed and maintained.
- Managed Security: The private cloud is extremely redundant and secure, featuring built-in security, antivirus, anti-spam and advanced monitoring systems.
- Increased Flexibility: Clients only pay for the resources needed to meet current needs and can add more resources on demand to support growth.
- Application Integration: Additionally, third party add-on services/applications can be added to customize the overall cloud experience.

A quick note on public vs. private clouds: At Eze Castle Integration, we've written a lot of pieces comparing the two, and obviously each has its own inherent benefits. We have seen some startup firms opt for a public cloud infrastructure, but our recommendation is always that a private cloud is better suited for the hedge fund industry and the unique demands of investment firms. To validate that point, we held a webinar in 2015 focused on The Investor Perspective on Cloud, and the investor we interviewed clearly remarked that she felt the public cloud was not appropriate for enterprise-caliber hedge funds. Clearly, investor expectations should also be considered as startup firms are making informed decisions around technology.
HEDGE FUND CYBERSECURITY

As previously noted, cybersecurity is one of the key priority areas hedge fund startups should focus on as they are building their businesses in 2015 and beyond. The SEC has released multiple communications and guidance recommendations around security expectations and is examining registered firms to evaluate their preparedness for security incidents. Additionally, other regulatory bodies and investors, especially, are following suit in terms of setting higher expectations for mitigating cyber risk. When thinking about cybersecurity, firms should focus on three key components: technology, processes and people.

TECHNOLOGY

Arguably, technology is the simplest of the three security pillars to implement and maintain. If a hedge fund can employ robust and comprehensive systems to enable itself to prevent, detect and respond to immediate security threats, the firm is then in a position to be successful both in avoiding damage as a result of cybersecurity incidents and with respect to securing investor attention and assets.

On the technology front, here are a few areas to keep in mind. Intrusion detection and prevention systems (IDS/IPS) are essential. IDS/IPS tools in the marketplace are extremely sophisticated and can detect and respond to threats before they ever get the chance to affect a firm's data. Regular penetration tests are also critical. Funds should aim to conduct vulnerability assessments on their environments at least annually, if not more often. Some other systems to think through include: data encryption, firewalls on both the hardware and software levels, application filters, physical security mechanisms such as biometrics to protect infrastructure stored at a data center, and audit and logging systems to monitor unauthorized access.

PROCESSES

Beyond technology, firms also need to establish comprehensive security policies to support their IT efforts and ensure proper procedure is followed before, during and after an incident. Following are recommended policies a hedge fund should develop and employ:

- WISP: A written information security plan (WISP) is one area the SEC called out specifically during their April 2014 cybersecurity questionnaire as something firms should consider implementing. More recently, the SEC mentioned WISPs again as part of its April 2015 guidance update, released by the organization's Investment Management Division. A WISP contains both administrative and technical safeguards regarding a firm's confidential systems and data and also outlines many of the policies listed below.
- Access Control Policy: This should outline what systems and data firm employees have access to and what's expected of them while accessing those systems.
- Acceptable Use Policy: This provides direction for managing and granting access to systems.
- Personal Information Security Policy: This outlines policies and procedures designed to protect confidential information; keep in mind, some states have implemented specific data privacy laws to protect such information, including Massachusetts (MA 201 CMR 17).
- Visitor/Contractor Policy: This policy provides guidance for visitors to a firm's office facilities regarding access and acceptable behavior.
- Mobile Device Agreement: Such an agreement describes requirements for policies such as bring your own device (BYOD) and outlines acceptable behavior with regard to company-owned and approved smartphones and tablets.
- Incident Response Plan: One of the most critical policies a firm can employ, this outlines the procedures for responding to a security-related incident, including internal and external communications, mitigation of risk and exposures, and handling of evidence.

PEOPLE

The last piece of the cybersecurity trilogy is people. A firm's employees are generally considered to be its biggest weakness, but they can also serve as the first line of defense against security threats. That's why it's absolutely imperative that employees are properly educated and trained around security threats and best practices. A multi-faceted approach that makes employees aware of the threats they could be exposed to and empowers them to act wisely and contribute to preventing such exposures is going to be the most effective for hedge funds and investment firms striving to mitigate security risks. Typical employee training practices may include:

- Annual information security awareness training that details a wide variety of potential threats, such as general Internet safety, identity theft and phishing attacks
- Periodic reminders and assessments communicated to employees in an effort to keep them fresh on security risks
- Drills and tabletop exercises are also a great way to get management involved and conduct scenario-planning and role-playing exercises to simulate cybersecurity incidents and response plan logistics

DISASTER RECOVERY AND BUSINESS CONTINUITY

In sync with information security planning, the primary objectives of a business continuity plan and disaster recovery system are to minimize potential financial loss, allow for continued service to clients and partners, and diminish negative effects of disruptions on a firm's strategic plans, operations, market position, and reputation.

Investors are becoming increasingly more stringent in vetting a firm's business and IT practices; they are expecting firms to have comprehensive and tested plans and procedures in place and requesting to see a firm's plans and practices during routine pre-investment due diligence audits.

It is important to understand the difference between a Business Continuity Plan (BCP) and Disaster Recovery (DR), as they deliver complementary yet unique capabilities to a fund.
DR encompasses the steps taken to implement and support the infrastructure necessary to make recovery of mission-critical services and applications possible. The steps to access up-to-date information and applications are established with DR.

A business continuity plan makes use of the infrastructure addressed in the DR Plan, but focuses on business operations and understanding such items as:

- What are the mission-critical processes?
- Who are the key personnel?

- How are they going to be notified of an emergency?
- Where/how will they continue to operate?

Years ago, DR and BCP were nice-to-haves, but in today's environment, you'll be hard-pressed to find an investor willing to invest in a firm without a DR system and BCP plan in place to protect firm assets.

INVESTOR DUE DILIGENCE

Speaking of investors, they are becoming more technology-savvy than ever before, and their expectations in terms of what new launches should have in place from an IT and security perspective are extremely high. During the due diligence process, investors typically expect to see information related to:

- Company background information;
- Access control and physical security practices;
- Network security and intrusion detection systems;
- Disaster recovery and data protection; and
- General systems and information security practices.

For startup fund managers without technology backgrounds, these areas might seem intimidating. And for firms leveraging outsourced IT providers, yes, you can count on them to help you answer these questions, but ultimately, someone at the firm itself needs to understand the answers as well.

Some frequently asked technology questions investors seek answers to during the due diligence process include:

- When was the last date on which the Company tested its internal policies and procedures? Please provide a summary of the results.
- Describe the Company's process for (i) reporting violations that directly affect the services provided to the client and (ii) reviewing and assessing the adequacy and effectiveness of its policies and procedures. Please include an explanation of how the Company determines the materiality of violations as well as the process for identifying and reporting violations of policies and procedures internally.
- What IT upgrades occurred in the last 12 months? What upgrades are planned for the next 12 months? How do you stay current with technology?
- Provide details on relationships with third-party IT integrators and support providers, including an overview of their credentials and length of the relationship.
- Describe the Company's security measures with respect to systems access, including who has access (and at what level).
- Describe the security procedures (e.g., locked filing cabinets) for the protection of physical documents.
- Are ongoing vulnerability assessments performed against the Company's systems? If so, are the assessments performed by internal personnel or third-party service providers?
- How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?
- Does the firm have a robust firewall in place at the network level? Are policies configured to defend against external security threats? Are the firewall logs monitored regularly?

- Describe the Company's physical security, disaster recovery and backup plans and procedures.
- Has the firm determined its crucial recovery point objectives (RPOs) and recovery time objectives (RTOs)? Does the DR solution meet these guidelines?
- How often is the Company's disaster recovery plan tested?

Due diligence questionnaires require a significant amount of time and thought invested into them, and hedge funds should take them seriously and work with outsourced technology providers to craft clear and comprehensive responses to adequately demonstrate their technology preparedness. For a complete list of the top hedge fund technology due diligence questions to expect from investors, see Appendix B.

COMMON IT MISTAKES

When new startups are grappling with the technology requirements discussed thus far, it's not unlikely to assume they may stumble once or twice. When confronted with the vast number of choices available to hedge fund startups, it is easy to understand how firms can become overwhelmed and end up with a less than optimal technology choice. But some mistakes can be more detrimental than others. Here are five common mistakes that new fund managers often make and how firms can avoid them.

Mistake #1: You want the perfect solution, and you will not rest until you find it.

Your business life would certainly be a lot easier if you could buy a solution that met 100 percent of your technology needs. Undoubtedly, you will meet a vendor or two who will promise you such a thing. The truth is, a successful approach to technology planning usually means negotiating, purchasing and deploying systems from multiple vendors and service providers. And the more complicated your business, the more technology providers you may require to fulfill your needs. Be wary of the small, new providers offering all-in-one solutions. Consider if they will be around in the years ahead to stand behind the promises they make today.
Mistake #2: You are so focused on today's to-do list, you have not considered the future beyond your launch.

Today, you have a new fund, a young company with what are perhaps modest needs. If you select your technology for the business you have today, you will likely find yourself re-making these decisions within three years. Before you commit to any technology solutions, envision how your fund will look in the long term. An important question to consider today is whether the decisions you make for your firm pre-launch will support your business as it grows.

Mistake #3: You haven't fully considered the multiple roles technology plays in your current work environment.

In your current or previous working life, perhaps you had the luxury of an IT department or professional who made sure technology completed all of the functions you needed it to. You didn't have to think about solutions in the way you do right now. Consider the work you do or did as an employee and take note of which systems supported that work. You will need email, phones, quote feeds and other technology support in your new hedge fund, and perhaps, additional systems you did not encounter in your previous situation.

Mistake #4: You believe you can manage a new hedge fund AND all of its technology needs on your own.

If professional tech support is not on your list of needs before launching your fund, add it now. Your new firm will require IT assistance to support users, manage applications and answer IT-related questions from investors. With movement to the cloud, firms increasingly rely on their technology partners to handle most items including user support and ongoing maintenance. Consider what makes the most sense for your firm: hiring an internal IT staff or leveraging an outsourced solution to meet your growing technology needs.

Mistake #5: You've relinquished complete and utter control and responsibility to third parties.

Relinquishing control of technology in-and-of-itself is not a negative. An outsourced IT provider is far more qualified to manage your technology environment than you are as a portfolio manager. But if you're forgetting the part about managing your providers, then you're making a critical mistake. Trust but verify. You can place all the faith in the world in your IT provider, but if you fail to do your due diligence and ensure they are implementing and maintaining systems and policies that support your business and meet investor expectations, then you're at fault.
The SEC specifically called out this area as a weakness of registered investment advisers during their initial cybersecurity exam sweep, and we expect third party oversight and assessments to continue to make headlines to prompt firms to shore up their due diligence practices.

CONCLUSION

As we've established, there's a lot to think about when starting a hedge fund, especially from a technology perspective. Startups today are held to a higher standard than in years past, as investors and regulators set greater expectations and foster the competitive marketplace we've come to know across the industry. Hedge fund startups should perform thorough and comprehensive due diligence evaluations of cloud providers before launching in order to ensure all systems, infrastructures and service provider relationships will meet the unique needs of the firm and its investors. Success is not a guarantee; in fact, it is unlikely unless fund managers go above and beyond to compete in the changing investment environment.

Learn more at

APPENDIX A: BASIC IT CHECKLIST

Networking & Infrastructure
- Define networking requirements
- Voice circuits
- Data circuits featuring N+1 redundancy
- Wireless and Local Area Network (LAN) capabilities
- Delivery
- Design network infrastructure: Cloud, On-Premise or Hybrid
- Workstations (PCs, monitors, laptops, servers)
- Peripherals (printers, phones, etc.)
- Delivery

Software/Applications
- Business applications
- File services
- Storage
- Other resources
- Evaluate front, middle and back office solutions
- Trading and order management system
- Accounting and/or portfolio management system
- Market data and analytics tool(s)
- Installation, maintenance and upgrades for all software

Telecommunications/Mobility
- Internet connectivity
- Voice systems (traditional or VoIP)
- FIX connectivity to brokers
- Mobile devices, BYOD plans

Business Resiliency & Security
- Disaster Recovery
- Business Continuity Plan, including written processes and procedures
- Security layers including anti-virus software, host-based and network intrusion detection systems, firewalls, encryption and application filters
- WISP (See Security Policies)
- Archiving solution to meet investor/legal requirements (e.g. Dodd-Frank)

Security Policies & Documentation
- Written Information Security Plan (WISP)
- Access Control Policy
- Acceptable Use Policy
- Incident Response Plan

APPENDIX B: IT DUE DILIGENCE QUESTIONS TO EXPECT

Organization
- Provide an organization chart for the Company, its affiliates and key personnel.
- Provide the physical address and general contact information for each of the Company's office locations.
- Provide the name and contact information of the Company employee(s) assigned to the client's account.
- Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company's organizational structure.

Annual Assessment/Audit
- When was the last date on which the Company tested its internal policies and procedures? Please provide a summary of the results.
- Describe the internal controls that ensure conformity with the Company's policies and procedures concerning confidentiality of client information.
- Describe any material violations of the Company's policies and procedures that relate to the services provided to the client in the last twelve (12) months. If any occurred, please describe the violations and the corrective action that was taken.
- Describe the Company's process for (i) reporting violations that directly affect the services provided to the client and (ii) reviewing and assessing the adequacy and effectiveness of its policies and procedures. Please include an explanation of how the Company determines the materiality of violations as well as the process for identifying and reporting violations of policies and procedures internally.
- Do you conduct annual external or internal technology audits? If so, please detail auditor, frequency, areas covered, date of last audit and key findings.

General Hedge Fund IT Due Diligence Questions
- Who handles your IT strategy and oversees the day-to-day IT function?
- What is your IT strategy (i.e. outsource, in-house, hybrid model)?
- What types of challenges has your firm faced with its IT operations in the last 12 months?
- What IT upgrades occurred in the last 12 months? What upgrades are planned for the next 12 months? How do you stay current with technology?
- Provide details on relationships with third-party IT integrators and support providers, including an overview of their credentials and length of the relationship.

Information Security
- Has the organization developed a formal and well-documented network security policy? Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
- Does the firm have a robust firewall in place at the network level? Are policies configured to defend against external security threats? Are the firewall logs monitored regularly?
- Does the firm employ an intrusion detection system (IDS) to prevent unauthorized access?
- Are ongoing vulnerability assessments performed against the Company's systems? If so, are the assessments performed by internal personnel or third-party service providers?
- Have you had any security breaches or security related issues in the past 3 years?
- Is a solution in place to protect systems against spam?
- Is a solution in place to ensure mobile devices and laptops are secure in the event of loss or theft?
- Are messages encrypted and archived? For how long are messages archived?

Access Control Policy
- Does the organization have a formal and well-documented access control policy in place? Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
- Does the firm's IT staff (or technology partner) ensure appropriate access control to applications and sensitive company data? Are there robust procedures in place to grant or deny access to applications?
- How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?
- Has a password policy been implemented throughout the organization? Have all employees been trained on best practices for password security?
- Are procedures in place to create and disable user accounts? Are active accounts reviewed on a periodic basis? What is the process for disabling accounts of terminated employees?
- Are policies in place to force password changes periodically?
- How do you screen employees prior to employment? What background checks are undertaken?

Physical Security Policy
- Has the organization developed a formal and well-documented physical security policy? Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
- Are access controls in place for the Server Room? How does the firm ensure only authorized personnel gain access to critical systems?
- Are procedures in place to manage visitors in the office? Are steps being taken to ensure visitors do not have the ability to observe or access sensitive employee systems and documents?

Disaster Recovery & Backup
- Describe the Company's physical security, disaster recovery and backup plans and procedures.
- Please describe the communication chain related to the firm's business continuity/disaster recovery plan. Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
- Has the firm tested the BCP from both a technical and operational perspective? How often are these tests performed?
- Has the firm established a dedicated location to retain backup copies of all critical data? Is offsite data encrypted and stored securely?
- Has a secondary working location been established to which employees should report in the event of a disruption or outage?
- Do all employees clearly understand the BCP procedures? Have appropriate training and documentation been established and shared with all personnel?
- Has the firm determined its crucial recovery point objectives (RPOs) and recovery time objectives (RTOs)? Does the DR solution meet these guidelines?
- Please provide a copy of the Company's disaster recovery plan. How often is the Company's disaster recovery plan tested?

ABOUT EZE CASTLE INTEGRATION

Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management. We provide one global financial cloud platform that is complemented by exceptional service and operational excellence. Our Eze Private Cloud is built to deliver the high performance, applications and exceptional user experience demanded by the hedge fund and investment industry.

Complete Managed IT Software as a Service
Eze Managed Suite is a fully managed IT solution that provides flexibility and simplified IT operations. The hosted IT solution combines a robust, highly secure private infrastructure via the Eze Private Cloud with key business applications and professional IT management.

Application Hosting Infrastructure as a Service
Eze Managed Infrastructure provides clients easy access to an enterprise-grade private environment with the latest hardware and software without capital expenditures, expensive upgrades or ongoing maintenance and monitoring. It is ideal for hosting applications used by hedge funds and investment firms.

Disaster Recovery as a Service
Eze Managed Data Availability delivers a full range of business resiliency services including Disaster Recovery, Online Backup and Message Archiving. Via the Eze Private Cloud, your critical data and applications will be available and protected 24x7x365.

To learn more about Eze Castle Integration, contact us at or visit


More information

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments. Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?

More information

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT Would you rather know the presumed status of the henhouse or have in-the-moment snapshots of the fox? If you prefer to use a traditional

More information

How New Cyber Security Federal Regulations Are Impacting Application and Network Security

How New Cyber Security Federal Regulations Are Impacting Application and Network Security How New Cyber Security Federal Regulations Are Impacting Application and Network Security MARKETING RESEARCH EMPLOYEE ENGAGEMENT A WORLD OF INSIGHTS September, 2014 Research by Radware and IDG RESPONDENT

More information

How Do I know If I Need RCx HOW TO CHOOSE A MANAGED SERVICES PROVIDER. www.netsolus.com

How Do I know If I Need RCx HOW TO CHOOSE A MANAGED SERVICES PROVIDER. www.netsolus.com How Do I know If I Need RCx HOW TO CHOOSE A MANAGED SERVICES PROVIDER www.netsolus.com Shifting your IT operations to a managed services provider (MSP) offers a multitude of benefits. Collaborating with

More information