Cloud Computing and Cybersecurity

New technologies offer opportunities and challenges

THFJ TALKS TO BOB GUILBERT, MANAGING DIRECTOR AT EZE CASTLE INTEGRATION
Originally published in the December 2014 | January 2015 issue

THFJ: Cybersecurity couldn’t be much more topical in light of the recent Sony hack: my first question is simply why is cyber security a concern for hedge funds? I mean both for large businesses, and for hedge funds in particular?

Bob Guilbert: So the idea basically is that it’s protection of information that hedge funds contain, or large businesses contain, whether it be personal information (PI) or information pertaining to the hedge funds, the trading strategy, where the assets are located, their investors, anything along those lines. So if you think about it, physical security is one aspect that typically hedge funds are less concerned about, because they operate in class A type buildings. There’s security, 24-hour manned desks, things along those lines. However, access to the information is really through a cyber connection, and protecting against people wanting to gain access to that information is really a concern. So basically they want to be able to protect themselves from anyone – hackers, activists – that are trying to get into their funds to either obtain information or coerce them into sending money from one of their accounts to a different location, that the hacker could then redirect to another location.

THFJ: So from your point of view, do you think that the most salient threat is literally cash transfers? Is it a level playing field of threats, if that makes sense?

BG: Most of the things that we have observed have been associated with wire cash transfers, as opposed to going after PI. But if you think of it, hedge funds have a number of private wealth investors, institutional investors, endowments, things along those lines. So that information, some of it is public in a sense: for instance, where funds of funds invest into and where hedge funds are invested in the marketplace – backwards looking. However, they have information that’s probably viewed as less important by the hackers and more important to viewers online. How can I get to the money? We haven’t seen the sophistication of hackers who truly understand the mechanics and operations of a hedge fund – to do things on the front line, if you will, with trading strategies. So I think it’s really more, “How can I get the cash?” If they can laboriously go through the process of trying to get into a fund and manage to get someone to wire, say, $150,000 out, probably, if you look at the hourly rate of doing that, they would be making very good money for a little effort.

THFJ: And are regulators focusing on cyber-security issues when they carry out inspections or examinations? Obviously, it seems to me that people are trying to catch up. What’s your view on that?

BG: I think it’s beginning quite heavily right now. From March of last year, the SEC had an initiative with 27 questions that were issued to, I think, 50 funds that they had targeted, where they were trying to get a baseline of level of protection put in place. And it was pretty broad if you looked at the questions. But it was broad in the sense that it covered areas from physical security to having business continuity plans, having a written information security policy. They were trying to gauge the gamut of how well these funds are protected. And once their findings come out, which we hope will be in the first half of this year, with their recommendations, I think you’ll see a more thorough cybersecurity diligence by the examiners as they look at funds and it will be part of their due diligence.

THFJ: So are there specific standards, or is this SEC process part of setting up these standards?

BG: The SEC process now will be putting in place the standards. I can’t speak on behalf of the SEC, but based on the questions that were asked, broadly my expectation is that they will come back with standards and recommendations as to what funds should be doing to protect themselves from a cyber security perspective.

THFJ: So it is really an undeveloped space at the moment?

BG: Correct. But if you think of it, you know, many of the funds use outsourced service providers like ourselves, and we have put forth our own best practices from a cybersecurity perspective and how funds should be locked down, so that they’re not threatened.

THFJ: How are investors in due diligence inspections addressing cybersecurity arrangements?

BG: I have identified this as one of the trends that we think will become more prevalent in 2015, with not only the breadth of the DDQs, but also the depth of them. And one specific area will be, in fact, security. In this case of the questions that are now being asked, we are seeing specifically with our clients (where we assist in filling out the DDQs) concerns all around cybersecurity in multiple dimensions. One dimension is obviously, “What protection mechanisms do you have in place from a cybersecurity perspective?” That is very important, but also, “What are your mediation steps that you take in the event that something does happen, regarding communication to the investors, regarding how you’re going to remediate against the breach, if there is one?” So the questions are very, very pointed on cybersecurity and I think that will be a continued push for 2015.
THFJ: AIMA has recently updated its sample DDQ. What would you have recommended had you been part of that? What areas need specific focus?

BG: From a DDQ perspective it’s interesting. A couple of months ago, we issued a blog about the top 51 DDQ questions that we see that have come across, what the investors are asking of our hedge funds clients. And when I think about cybersecurity and the depth of those questions, and where they’re going, it really is around putting in place multiple levels of defence at the hedge fund level. And the questions should be centred around how deep you go in terms of your level of defense. That goes from everything from education of your employees and your staff (not picking up USB sticks that are labelled confidential in the hallway, plugging it into your PC), to having put in place IDS (detection systems), IPS (intrusion protection systems), proactive annual mobility assessments, proactive penetration tests of the environment – things along those lines. So the idea is basically, put in place multiple levels of security and the DDQs would be driven in that sense around such security, asking questions like, “Tell us about the levels of security, tell us what you’re doing from a physical level, where your equipment is located, at the data centre or the file provider, what’s installed there for physical protection?” and then take it up to the next level, to virtual.

THFJ: Right. And what are the range of solutions to these cybersecurity issues, particularly when hedge funds are moving towards cloud-based solutions?

BG: We’ve been providing services via the Eze Private Cloud for over six years now, with a large number of our clients in that cloud. We’ve taken, I’ll say, very deep measures to ensure that we have deep cybersecurity policies and practices in place. We’ve leveraged a company called eSentire, and their security operations centre, to monitor our product environment, and they have a very interesting product. It’s called AMP which, basically, is built for specifically the alternative management space, so with all the clients that they have across the hedge funds space, if they see any type of rogue activity at any one fund, they will apply across all their clients to prevent that activity from getting into any of their funds. So we get the benefit of a very wide net, working with them in the alternative assets space. They are the premier leader in cybersecurity, and we obviously take a number of measures that start at the client level from education, but also defence in depth principles. Things like strong password recommendations to our clients as well as least privilege with regards to access to information. So these are all recommendations from a policy perspective that our clients to adhere to. Then when you take that to the next level where they’re operating in the cloud, we’re using things like the eSentire suite of products to protect it. And of course we are performing, a couple of times a year, a vulnerability assessment to see how well our cloud is protected, with penetration testing, so I believe that funds operating in the cloud are probably more protected than if they’re going about doing it all themselves.

THFJ: Right, because they don’t have to develop the proprietary systems.

BG: Many of the hedge funds are smaller in nature; they’re start-ups, but yet they have the needs of an institutional-grade security environment. A cloud provider like ourselves can offer that to a small, five to 10-person shop, who might be just starting out.

THFJ: Is Eze Castle positioning itself to help funds in respect to cybersecurity in any other ways?

BG: Besides the fact the we utilize eSentire to protect our cloud environment, just two weeks ago we made a joint announcement with eSentire to deliver something called Eze Active Threat Protection. And that is a utility that will allow us to install at the client offices an appliance to protect that office from cyber threats. That will be in conjunction with eSentire to deliver that service.

THFJ: What kind of growth have you seen?

BG: I can tell you that in 2014 we will surpass 100 new clients. And out of that 100 new globally, around 50 are start-ups. Of the start-ups 100% are cloud. Of the other 50, which are really either competitive take-aways or a transition from using in-house IT to outsourced, probably 50% of those are still on premises, the other 50% are going to the cloud. They’re doing the migration, based on either a move or a technology refresh.

THFJ: Can I ask about when people do that migration, how difficult is it? Is it a case of completely redoing all their systems, and how much disruption is there to business?

BG: Well, we obviously want to make it the least possible for a client so what we would do is we would reproduce the environment in the cloud, so all the applications would get set up. We then would establish connectivity to the cloud from the client systems, replicate all the data from the client environment to a cloud environment, and then at a particular time on the weekend we would do what we call a “cut over”. And that is where we would validate the operation of the applications with its data in the cloud environment with the client and ensure everything is operational. So it’s fairly seamless.
One of the biggest challenges that we see is having adequate bandwidth. If you’re at the client site, you replicate all the information and data over to the cloud and that can sometimes be the longest timeline. It’s usually quite seamless.

THFJ: What’s the driving force behind this move into the cloud, would you say? Is it just ease of use, or is it investor-driven, or costs, or something else?

BG: You know we’ve been keeping an eye on this for the last three years and we’ve been conducting a number of surveys, one of them with an organization called IDG, and in our surveys it has shown that it’s really driven by a transition from capital expenditure to operational expenditure, as there’s no need to put money up for buying equipment when you can move to an “op ex” (operational expenditure) model to operate out of the cloud. And it’s predictable: per user, per month, very simplistic. Ease of management: of course. And, of course, there is the ability to scale. So we’ve also seen that the investors are very open with the hedge funds to basically leverage cloud technology.

It makes sense financially, and investors are very open to it. You get better management and scale. It has been a very high adoption rate. In fact, when we look at our clients that we brought on board this year, the start save is nearly 100% going on the cloud rather than buying their own – you know, go on premises, or a data centre. And the established ones, what drives them to the cloud is either they have a physical move and they have equipment in their office, and they have to decide if they want to build up a secondary comm room at a different location, or a technology refresh. Their equipment is three years old, it’s out of warranty, so “Do I spend another $150,000 on equipment, or should I consider going on to the cloud?” And those are really the two drivers for the established funds.

THFJ: What’s the main use of it? Is it front, middle or back office?

BG: It’s a combination of both. So their trading systems are typically located in the cloud and anything that you would think of as investor-focused, so their CRM system, their back office and accounting systems as well as their day to day operational needs. So, internet, file services, mobility, emails, things along those lines. Fund administrators, if you think about it, operate in a cloud environment themselves. But we are not typically hosting the fund admin applications in our cloud.

THFJ: At the moment it feels like funds see cybersecurity as an extra cost. Do you think that cloud technology is going to be seen as part of the basic cost of setting up a hedge fund?

BG: Yeah, it’s a great question. We haven’t had that question before but I think you’re absolutely right. I think it’s going to be part of checking the boxes and say okay, in the operation of the fund, how do you want to do it? Are you going to do it on premises, or are you doing it on cloud? And then, the benefit of the cloud is this predictability in terms of cost. But I think that model lends itself very well for a start-up or even an established business with budgetary planning. For their IT spend, they have the visibility on the cloud as to how much they want to pay. Because they checked the box, they get operating out of the cloud.

The adoption of cloud is here to stay in 2015. We’ve seen it and there’s no reason for that to change. We’ve talked about cybersecurity being a big focus. And then the other theme that we touched upon is the whole idea of how the due diligence process, we believe, is going to get broader and deeper and with a lot more scrutiny around cybersecurity. Those are trends that we see for next year, and I think the industry wants to do everything possible to ensure that it is a very secure environment from the protection of client information, to protecting the information pertaining to the strategies of the fund, investors in the fund and for their whole operation.