If your firm hasn’t had to cope with the aftermath of a security breach, you’re probably one of the lucky ones. According to an analysis conducted by Ponemon Institute and Symantec in 2013, human errors and system glitches caused nearly two-thirds of data breaches globally in 2012.
With the threat of security incidents at an all-time high, we want to ensure our clients and partners have a plan in place to cope with any incident that may arise. Here is a step-by-step guide to follow in the event your firm suffers a security breach.
1. Establish an Incident Response Team.
Choose a select group of individuals to form your Incident Response Team (IRT). Assign each member a predefined role and set of responsibilities, which may, in some cases, take precedence over normal duties. The IRT can draw members from a variety of departments, including Information Technology, Compliance and Human Resources.
2. Identify the type and extent of incident.
Before your IRT can respond to an incident, it must clearly assess the scope and damage to determine the appropriate response. For example, if the incident is a computer virus that can be quickly and reliably detected and removed, and no internal or external parties are affected, the proper response may be to document the incident and keep it on file. This task could be handled by the IT department alone.
For years, the role of the chief information officer (CIO) has been to acquire and maintain cost-effective IT services for the organization. Technology was viewed as a basic necessity, so managing costs and ensuring systems were running smoothly were the primary areas of focus for corporate IT leaders.
Today, technology is much more than a commodity. In fact, for many investment management firms, it has evolved into a source of competitive advantage. This change, combined with stagnant IT budgets, has caused the role of the CIO to move away from basic IT management to become more of a forward-thinking innovator for the organization. Here are a few strategies to help ease this transition.
We spend a lot of time here on Hedge IT making suggestions about what hedge funds and investment firms should do when it comes to their technology. But today, we’re not going to tell you what you should do. In fact, these are things we definitely DON’T want you to do!
Plan your infrastructure only for the short-term.
A crucial mistake often made by funds is not planning for the future. Even at launch, you should be thinking about what your firm will look like and what technology you will require down the road. Planning out two to three years in advance is recommended in order to reap the most benefits when it comes to your infrastructure. Plus, if you don’t plan ahead, you may wind up incurring more costs if technology decisions need to be made unexpectedly.
Ignore the importance of a business continuity plan.
It has become commonplace for hedge funds to employ disaster recovery strategies to protect mission-critical data and applications (for a number of reasons, including investor expectations, new regulations and the effect of unexpected natural disasters such as Hurricane Sandy). But firms often overlook the equally important business continuity plan, which provides guidelines for what employees need to do in the event of a disaster. Yes, focusing on your infrastructure is essential to keeping your business afloat, but that business also cannot survive without its employees. Don’t forget to test your BCP once you’ve developed it: a good plan only works if people know how to follow it.
Big changes are coming in the form of European Union data protection mandates. In January 2012, the European Commission announced a proposal to reform the European Union's current data protection framework, the 1995 EU Data Protection Directive, to better protect the personal data of EU citizens and bring the legislation in line with 21st-century requirements and the rapid evolution of technology (including the prevalence of social networking and smartphones).
The EU proposal will give individuals more control over their data while also promoting the importance of data protection in a globalised world. The European Commission expects the rules to take effect two years after they have been adopted by the member states, which would be around 2014 or 2015.
While some of the current proposals will undoubtedly be amended over the course of this lengthy process, let’s look at some of the practical steps companies should be considering now.
To quote PC World, “A high-end SSD is the pinnacle of computer storage today. Ditching your hard drive for one of the latest SSD models is like dumping your go-kart and hopping into a Formula One car.”
But what is an SSD?
A solid-state drive (SSD) is a storage device that stores persistent data on solid-state flash memory, using integrated circuit assemblies rather than magnetic platters. An SSD has no moving parts, which is one of many distinctions between it and a traditional hard drive with spinning disks.
SSDs offer huge performance gains over spinning disks, including the 15K RPM SAS (serial attached SCSI) drives that are typical in enterprise storage. For perspective, a 15K SAS drive delivers approximately 200 IOPS, whereas a mainstream enterprise SSD can deliver 10,000 to 100,000 IOPS.
Why should I care?
Investment management firms are presented with an increasing amount of data, much of which holds the potential to uncover new investment opportunities. For some strategies (think high-frequency and algorithmic trading), the speed at which that data is processed is directly tied to the size of the competitive gain.
We hosted a webinar earlier this week, App Hosting 101: Managing Your Essential Applications in the Cloud, in which Steve Schoener, Eze Castle Integration’s Vice President of Client Technology, and Martin Sreba, Senior Director at Advent Software, discussed topics such as industry trends in application hosting, key drivers of application solutions, common myths about the cloud, and the right time to put an application into effect. Continue reading for an overview of the webinar.
Industry Update: What’s Going On?
Increasing demands from hedge funds’ current and target investors are driving a variety of trends. Due diligence requirements are more advanced, as investors expect to see candid looks into a fund’s systems, disaster recovery capabilities and more. The increasing complexity of investments is also driving the need for more complex systems to handle these instruments.
Firms are starting smaller in today’s environment, with many starting with under $100mm in assets under management. Startup funds are looking for technology solutions to complement their size and give them the tools to efficiently run their businesses.
We were recently asked by a COOConnect member about the best sources for information about the strengths/weaknesses of the various hedge fund applications including front, middle and back office. Since we know many folks have this same question, today we are going to expand on the answer given by our expert, Mark Coriaty.
The way a hedge fund uses an application will vary based on its investment strategy, and therefore the perceived strengths and weaknesses may vary as well. However, there are several ways to establish a baseline.
Service Provider Reports: Balancing Bias with Value
First up are free reports from hedge fund service providers such as Eze Castle Integration. Each year we publish a benchmark study that outlines the top applications used by hedge funds in select front, middle and back office categories. The report provides a baseline of the top three application vendors in each category, but doesn’t dive into specific feature sets. The report can be downloaded HERE.
Vendor reports can be helpful in getting an initial understanding of the most frequently used applications and top features used by firms. You should always consider the source, as some vendor reports or whitepapers will be biased.
Tomorrow, we are co-hosting an exciting seminar in New York City with our friends at KPMG on the topic of launching a hedge fund. The half-day event, Hedge Fund Launch 2.0: Navigating the New Environment, will feature expert panel sessions on a variety of topics, including technology, regulations, capital raising, application platforms and more.
One panel we’re particularly interested in – beyond the technology panels, of course – is Corporate Essentials, a program focused on the often forgotten-about aspects of launching a new business. These aspects include human resources, compensation, insurance and real estate. Here’s a sneak peek at some of the content our panelists will be discussing at tomorrow’s event:
In case you missed it, this week the Pentagon released its Annual Report to Congress looking at the military and security developments involving China. According to the New York Times, the report is virtually the first time “the Obama administration has explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map 'military capabilities that could be exploited during a crisis.'"
The report states that cyberwarfare capabilities could serve Chinese military operations in three key areas.
- First and foremost, they allow data collection for intelligence and computer network attack purposes.
- Second, they can be employed to constrain an adversary’s actions or slow response time by targeting network-based logistics, communications, and commercial activities.
- Third, they can serve as a force multiplier when coupled with kinetic attacks during times of crisis or conflict.
It is becoming a cliché to say, but the investor due diligence process has truly evolved from a ‘check the box’ activity into a detailed and analytical process. Today, hedge fund investors want to see a tested investment strategy coupled with institutional-grade business processes.
Here at Eze Castle Integration, each year we help more and more hedge fund clients complete the Technology portion of investor due diligence questionnaires (DDQs). So we thought it would be helpful to share some of the more common technology-related questions we are seeing. Not surprisingly, you’ll see security and disaster recovery questions on the list.
As you consider your responses to these questions, keep in mind that in some cases investors are more concerned with your decision process as opposed to seeing the “right” answer. The reality is that often the “right” answer varies from firm to firm and depends on a number of factors, including investment strategy.