As the costs of doing business have increased, more and more hedge fund managers are adopting the cloud; this has revolutionised the way all businesses operate, not just hedge funds.
But as technology improves and brings greater operational efficiency and data management capabilities to hedge funders, they are having to walk a tight line between bolstering security on the one hand, and justifying the costs on the other.
The arrival of cheaper and faster bandwidth means that everyone is always connected and as Andrew Flatt, CTO at Omni Partners LLP, a London-based hedge fund manager comments, “we are all ‘always-on’.”
“This naturally leads to wanting to be able to access data everywhere, be it photos of the grandkids or the latest financial figures from the office. The arrival of cloud services simply compounds this by making access to data more easily available. The headaches around securing, controlling, encrypting and auditing this data end-to-end should not be underestimated. Service providers appreciate this and are bolstering their offerings. We partner with Capital Support, for example, who offer a range of security products to compliment this requirement,” says Flatt.
Capital Support is a London-based provider of end-to-end IT services.
The manner and scope of cybersecurity attacks increases day by day. For COOs and CTOs, it’s an impossible task to keep on top of everything. Most are taking a pragmatic approach to assessing their systems and security measures periodically.
North Asset Management LLP (‘North’) is also a London-based global macro manager. North points out that most managers have protocols in place within the disaster recovery programme to take appropriate action were systems to be disrupted and/or fund data was compromised or corrupted.
“We have robust redundancy and we maintain our back-up systems offline or separate to our primary systems. This means that there is no immediate threat from one to the other,” says North, with the firm adding:
“In terms of somebody getting control of a user’s access, that is a threat because passwords are always vulnerable. We have policies in place that require staff to change their passwords regularly but that doesn’t mean access can’t be compromised. Any critical functions or critical systems are monitored carefully by appropriate staff so that all activity is reviewed on a daily or intraday basis to ensure it is normal and as expected.”
In addition, North has strict policies and procedures regarding transactions. Simply put, unless one person within the firm, and sometimes two depending on the nature of the transaction, approves it, it doesn’t get processed.
“The last component we are looking at is loss of data, which for us isn’t a primary threat. We don’t maintain any sensitive investor information as that is all held at our administrator.
“We still are very conscious of data theft. There’s obviously a reputation risk attached to having information breached so we take care to ensure that users are aware of the data they have under their control. The amount of data they have access to is applicable to the amount they need rather than allowing data to be accessed across the firm by all staff,” confirms North.
It really comes down to managers training staff on a periodic basis, making sure they are up to speed with what they should be doing to ensure that the integrity of the cybersecurity policy remains intact.
That’s all a manager can really do today. Adopt best practices are hope for the best.
Flatt has spoken to the media often on cybersecurity over recent months: a sure sign that the topic has taken on a life of its own. Go to any conference today and the chances are you’ll hear a panel talking about security issues and how to tackle the problem.
From his perspective there are five key points to address.
The first is understanding, in his role as CTO, exactly what it is that everybody wants. The problem with cybersecurity is that multiple parties are throwing their ten pennith in, from investors and government bodies to regulatory bodies, most notably the SEC and FCA.
“Security is a hot topic at the moment, however there are no official hard and fast standards on what to deliver,” says Flatt. “I would welcome the industry ratifying an agreed set of standards, but given that the industry is so diverse and complex, creating a model that fits all would be impossible. One firm could be running USD1 billion with a very simple strategy using one system and employing five members of staff, whereas another USD1 billion firm may have 30 staff and a myriad of systems and tools: the one size fits all model doesn’t work.”
The second problem is figuring out what fits the purpose of a fund like Omni Partners and then justifying the cost internally.
At the end of the day, implementing new security systems is akin to buying insurance: guarding against the possibility that something might happen.
Given the amount of media attention this subject is attracting, there are a plethora of technology companies in the market pushing their products saying managers should be doing this, that and the other. That is creating a lot of noise.
How does a CTO cut through all of that noise from the myriad of technology providers that want to speak to them and figure out the right solution to the problem; which is ultimately to make their company more secure.
“When we implement hardware and software, if we impose tight guidelines and security policies how do we prevent impacting users’ productivity, which in turn impacts PnL?” questions Flatt, who continues: “USB sticks are a prime example. These are used to back things up or to transfer large spreadsheets between the home and office. An often-quoted security measure is to simply ban USB sticks. However if you adopt this policy, how do you continue to support the trader to work with files that are oftentimes hundreds of megabytes in size?
“They can’t be e-mailed, and uploading and downloading them is too slow. This is where technology solutions can come into their own by maintaining workflow and making it secure. In my earlier USB example, this would include implementing automatic encryption of USB sticks so that the data they contain is encrypted and secure, and at the same time support the traders’ workflow.”
“Finally, third parties. From a systems perspective we only rely on them for smaller systems that are not critical. For example we use a firm to archive all our emails. For managers using multiple third parties, how is due diligence performed to the levels advised and how is maintenance of published security protocols ensured? If you secure your own business and you’re sending data to a third party, how do you get the right answers from the right people at those firms and sufficient evidence to have the confidence that it’s actually happening? It’s a massive juggling act,” says Flatt.
These are all valid points and serve to illustrate just how challenging it has become for hedge fund managers. They are so varied, and come in so many different shapes and sizes, that the prospect of implementing clearer guidelines is highly remote.
“I don’t think you can do this is a central manner and regulate away the risk,” says one manager who asked not to be identified. “It’s too slow moving. By the time the FCA, for example, have written something more concrete, rolled it out and monitored it, the landscape will likely have changed drastically. Firms need to be left to deal with this themselves.
“We use a company that handles all of our network administration; we rely on them to keep us up to date on new developments in the market. Because they are exposed to multiple managers and industries they have the expertise to inform us,” confirms the manager.
From a cost perspective, striking the right balance between security and capital outlay is critical. Managers can’t be seen to be cutting costs. The operational integrity of the firm comes before everything else so taking a myopic view on cybersecurity is ill advised.
“No matter how many technology partners you choose to work, the buck still stops with you. They might send you daily reports to review but it’s someone’s responsibility to review that report; it’s a massive balancing act on resource to perceived threat,” comments Flatt.
As with most security breaches, it is very often a result of internal failings.
Flatt confirms that Omni’s security and social media policies have recently been updated.
“We utilise Capital Support as our Infrastructure provider so Omni is reliant on them to manage our firewalls. We do snapshots of our servers on a regular basis to mitigate against potential malware issues and data corruption. Viruses are often the biggest threat to businesses. If our systems suffer a malware attack we can simply roll back to the previous system snapshot.
“We have an agreed “white list” of programmes that we control which prevents unauthorised programs. We use a third party product called Mimecast that filters out spam email. If the odd one leaks through, staff know to query with IT anything they are unsure about and to not double click; it’s critical that all staff are well trained, educated and kept up to date on IT policies,” comments Flatt.
Investors want to know a lot more from hedge fund managers in terms of how they address cybersecurity threats. ODD questionnaires now include questions around security, specifically addressing the steps that managers are taking to ensure that they are secure and how regularly they review their systems. If an investor turned up and found that a manager had one firewall that had been purchased from a high street vendor, it would create a fair degree of apprehension and could even lead them to divesting their assets.
There is no doubt that operational integrity – extending to security measures – has become a key criterion for today’s institutional investor.
“The fact that we have an internal team, plus a reliable partner in Capital Support means that we constantly have multiple sets of eyes on security. This reassures our investors,” concludes Flatt
