The following is an edited transcript of a seminar hosted by Simmons & Simmons and Eze Castle Integration.
Andrea Finn – Simmons & Simmons (AF): In terms of the issues which I think are key for hedge fund managers and which we’ll touch on through the questions today are questions of status: employees and members and how managers make decisions as to whether an individual should be a member or an employee. Issues of remuneration are a very hot topic because it affects people very personally, as everyone will be aware. There’s a lot of regulation on this, primarily from a European standpoint but also being implemented into the UK.
Then thirdly, there’s business protection. There’s a lot of effort and money that goes into building up businesses and generating revenue and that sits in the heads and hands quite often of individual employees. So when we look at how hedge fund businesses can protect themselves from employees when they move on, we look at things like their contractual arrangements, but also practical things around how the business is operated and with a slight tie-in to what Simon and Alex might talk about, IT protection, and what I’m told are called ‘Intrusion Detection Systems’ which allow you to pick up misuse of IT.
Alex Brown – Simmons & Simmons (AB): We have a dedicated group that deals just with technology and outsourcing contracts. But also advisory areas like data protection. We do a lot of work in the financial sector and also for our funds clients.
I think it’s a very interesting area to work in, because it’s a constantly evolving set of factors that we have to think about. Current hot topics of course are things like cloud computing and how you reconcile those technologies with data protection legislation, which in the UK stems from about 12 or 13 years ago, very much before the inception of these sorts of technologies.
There are some difficult balancing acts to be done to stack up your compliance obligations against these new technologies and how you deal with those in the contracts, but also the processes that you put around those contracts and in your business.
Colin Leaver – Simmons & Simmons (CL): To start with Simon, you mentioned disaster recovery services. Clearly disaster recovery services have come to the fore recently, particularly in the US with the issues caused by Sandy. What are you recommending at the moment as best practice around disaster recovery for hedge fund managers?
Simon Eyre – Eze Castle Integration (SE): Obviously being quite a global organisation, we have offices in New York and Boston. Hurricane Sandy represented a pretty big challenge for us. It’s not the first, but it’s certainly the largest that we’ve seen. It was very interesting to see the best practices that we deploy and that really are industry standards being put to the test.
It was generally a very successful showcase of how organising a company for business continuity, for disaster recovery, really can help your business get through these types of events. We had several hundred clients in New York, something close to half of them with power issues.
It really highlighted the benefits of having these plans in advance: the remote connectivity; having your equipment in data centres as opposed to office buildings, where you gain the benefits of things like generator power being supplied to your computers; avoiding the reliance on power grids; multiple points of entry into the building, so if one Telco goes down, another one is able to support you.
The interesting thing about New York, for all its size and infrastructure, is that there are actually only two major hubs in the New York City area where all the circuits tend to end up crossing through. One of them, 111 Eighth Avenue, did get a flooded basement; it did take the generators out for four or five hours. There was a noticeable drop in the amount of traffic we were able to push through New York in terms of internet and connectivity.
Even if it wasn’t necessarily New York as the final destination, traffic circuits go out to Chicago, to Pennsylvania, to New Jersey, to Boston, there’s a very large knock on effect when something like that happens. Having these multiple paths was very, very important.
In terms of the actual planning, you have to make sure that your systems are going to meet your expectations of when you’re going to be able to recover data. We’re very often asked by traders, portfolio managers, that they need it up instantly. And very often that’s not realistic.
Certainly if your personnel may have issues getting to equipment, or if some of the systems are quite complex, you have to reach a certain balance between cost and really the ability to turn these devices on. That is what we call our ‘recovery time objectives’ (RTOs).
You really want to make sure that you’re making use of the best of the technologies as well. We find that technologies from Microsoft, from VMware, do have quite a lot of built in resiliency for the capabilities in DR, for the ability of data protection, prevention of loss.
Not everybody makes full use of these facilities. They often look for third parties for additional support there. If you are able to make the best use of some of the products that you may already own, you can certainly build up your systems.
CL: Thank you for that. I certainly think that as a result of what happened in the US, disaster recovery will move to the fore of due diligence questionnaires from experienced investors. Clearly this is something that all hedge fund managers need to have thought about and have a plan for, and be able to articulate in due diligence meetings.
SE: We’re seeing that as well with our due diligence. We find the investors are starting to become more IT savvy. Those questions are coming down to us. Institutional investors especially are much more concerned with what your DR plans are – it used to be that you would simply check a box.
Nowadays investors want to visit data centres, they want to know what your recovery time objectives are. They want to know what your back up plans are for personnel. Do you rely on one person? Does that person have all his knowledge in his head? Is it documented somewhere? Is your documentation saved on the same system that could go down? Do you have hard copies kept somewhere else? Investors are very, very aware of what they’re looking for these days.
CL: Alex, you mentioned in your introduction cloud computing. Now what issues does that throw up from a data protection/IT/legal perspective?
AB: It’s always a slightly difficult one to talk about in the abstract because the term cloud computing is so amorphous, covering a huge variety of different things. You’ve got software as a service, platform as a service, infrastructure as a service. That’s just the different nature of services available.
You also have different types of cloud computing. You can have a spectrum between a private cloud, which is just for your business, right through to a public cloud where you’re effectively sharing that IT resource with a variety of other people. Your data may be commingled with other people’s data.
The first thing that we always say if we’re talking to in-house lawyers when they are asked to draft or advise on a cloud computing contract, you really need to understand where on that spectrum you sit, because it fundamentally changes the data protection considerations.
You also need to know what data you’re talking about, because in terms of data protection compliance we’re only worried about information that identifies individuals and is personal to them. Of course there is all sorts of data in businesses that does not fit into that category. If you don’t fall into that personal data bucket, you don’t worry about data protection compliance.
But assuming that you do, there are really just two key things you’ve got to think about. The first is security of the data. The Data Protection Act says that you must have a written contract and the contract must say that the provider will take all appropriate technical and organisational security measures to protect the data.
The security that is adopted has to be commensurate to the nature of the data and the harm that could result if there’s any unauthorised processing or access to that data. It’s a bit of a moving standard depending on what data we’re talking about.
Secondly, in the context of cloud computing, the EU has rules about moving data outside Europe. These are rules that the EU thought were a great idea in the early 1990s, but which are fairly problematic in the current world of international data flows.
It’s not entirely problematic: there’s an approved Data Transfer Agreement. You can put one of those in place between you as the entity in Europe, and the entity outside of Europe. Or, if they’re US-based – and a lot of the cloud service providers are US-based – if they’re a member of the US Safe Harbor regime, then that’s also fine. For instance, I know Eze Castle US Division are in the Safe Harbor.
The challenge is that the more commoditised that the cloud product gets, the more it’s a public cloud service, the less willing the providers are to listen to your concerns about data protection. They’re not particularly willing to help you greatly when it comes to dealing with those, particularly the overseas transfer issue.
CL: But if they’re not prepared to help, what do you do?
AB: Some people will move and change model. Other people, in truth, will just take a punt. They’ll just say, this is a big established provider. We’ve got a high degree of confidence in their operation and the security. Yes, the contract doesn’t say exactly what we’d like it to say, but in practice we think it will be fine.
CL: I find it quite surprising that there are problems with EU regulation in that area! IT issues, now what do they throw up from an employment perspective, Andrea? What would you say are the two key issues that IT throws up that you need to deal with through the employment relationship?
AF: Following on from what Simon has said, looking at disaster recovery, protecting the business from things going wrong externally is actually fairly similar to the need to protect the business from things going wrong internally. And you can use IT to ensure that individual employees or members, or indeed consultants who might be on the premises who have access to your systems, are not able to take information/data which belongs to the organisation and send it elsewhere.
Very obvious things include banning the use of USB sticks so people can’t upload things or identifying unusual patterns of email traffic, unusual attachments to emails. There are lots of systems which will flag up when someone’s attempting to send something to a personal email account. Or indeed if you’re not going to go into that level of detail, will prompt a warning to your IT manager that somebody is sending a very large volume to that personal email account.
You can’t always see what people are doing. When you’ve got a professional group of employees you’re not observing what they’re doing every minute. You can put in place IT systems which enable you to track things which make you wonder whether what they’re doing is not what they’re meant to.
AB: I’m just going to add into that there’s of course the data protection angle to doing all of that, which varies around Europe. In some jurisdictions it’s a lot more complicated than others. Germany, for instance, is particularly complicated.
AF: That’s not to say you ought to be going in and poking around their email system to read their emails. As Alex has said, there are data protection issues around how you do that. I think quite often looking at volume, looking at trends is a good way of not causing issues with data protection, in the way that you might be if you were just in fact reading your employees’ emails in order to know what they were doing.
SE: There are written policies as well. IT systems will cover so much and there’s always that clever person that will find a way around all the systems that you’ve put in place.
AF: I generally look at the IT options for protection at the end rather than the beginning. But yes, of course, you don’t want to rely on your IT systems to pick up bad behaviour, you want your people to behave properly because (a) they are quality employees who aren’t planning on pinching your stuff; but (b) because they know that that’s not in their contract and if they do anything contrary to that, there’s a risk to their career, to their remuneration and if they’re regulated people, to their FSA status.
CL: What about the other angle where your new portfolio manager turns up on day one, with three USB sticks. What do you do about that?
AF: Historically this was quite a common phenomenon. I think my experience is that it is changing, driven partly out of the US. There was a view that people would just move around and take their stuff with them and their strategy, and everyone would accept that that worked at both ends of the employment relationship.
Employers put time and lots of remuneration into developing people, while they develop particular strategies, and they feel a little bit miffed at the idea that they could walk off to a future employer holding a USB stick with some software on it. I think if you are the recipient of that USB stick and feeling rather tempted to see whether you could just plug it into your systems and get going with that new strategy immediately, the obvious caution is not to, because it’s extremely likely that the content of that will belong to the previous employer, and that if you do indeed start doing business on the basis of the same strategy they might notice because they will have spotted where the individual has come from.
There’s a whole world of litigation out there. In the UK we’re perhaps not thus far as litigious as you’ve seen in the States, but the United States has vast amounts of litigation in relation to these kinds of issues. It’s very high value because people spend so much time and money developing it.
AB: I think the challenge is that so many teams have IT as such an integral part of what they do. We have been looking at that in the context of an analyst team that moved from one bank to another. But part of this analyst team was an IT chap whose job was basically to write the code that supported the models and the algorithms.
It was deeply complicated stuff and, of course, what should have happened was that the team would move and the IT guy would move and he would code it absolutely from scratch. But that’s not what IT guys often tend to do, because they don’t particularly like reinventing the wheel. That is highly problematic. That all got sorted out without there being a real punch-up, but they had to scrap everything that had been done. It put that team back several months. They effectively had to mothball them whilst a fresh set of IT guys, so not even the original IT guy, a fresh set of IT guys, re-wrote the code to support this team.
AF: That’s not necessarily always a safe approach. The fundamental strategy might nonetheless remain proprietary information belonging to the previous manager. Rather than just saying, we can get round this altogether if we just have new code, I think you dig a little bit deeper with your new person.
If you’ve got somebody new coming in and they’re saying I’ve got this great idea, rather than just say, fantastic let’s go with it, a bit of due diligence on that individual just to confirm the extent to which they can say it is genuinely their skill and knowledge, may be needed.
In that regard, consider the relevant provisions of the contract that they have with their previous employer because on the flip side, if you’re looking at contractual arrangements for your people, you want to define what you view as confidential. Define it in such a way that if you say, if you think that the time an employee spends developing this particular strategy means that that strategy, the detail of it, how that operates is yours, then you want to have that in their contract. When that person goes to their new employer, the new manager will have to think very carefully about bringing the strategy in wholesale.
It’s one of those things that works at both ends of the relationship. At the beginning of the relationship, you might think it’s fantastic, you’ll take the benefit of what they’ve done before. But at the other end of the relationship I think you’ll be thinking, you’re not that keen that they take what you’ve been paying them for, for the last 10 years, walking in somewhere else and do the same thing.
Q (Audience): Is there any restriction of just demanding to see an employee’s previous employer’s contract?
AF: Certainly there’s no restriction in asking to see it. Some employment contracts will say that their terms are confidential. But others will require individuals to show certain terms of their contract to the new employer. I don’t think I’ve ever seen an issue where somebody has said, I can’t show you what my contract says in relation to particular things like confidential information and restrictive covenants and notice period, which are actually the things you want to look at.
If somebody’s coming in and your concern is to see whether there are any restrictions on what you do with them which could cause me problems, then those sorts of provisions of the contract it makes sense to get to look at. People can be a bit more cagey around sharing remuneration information and if you’re particularly cautious, you could ask the previous employer for permission to look at the full contract. If you’re minded to do that it would likely put the former employer’s mind at rest that you’re not planning to breach those obligations. [Since the session, there has been a High Court decision which touched on exactly this issue – in that case (Imam-Sadeque v Bluebay Asset Management) where it was found that Mr Imam-Sadeque was in breach of his duties of confidentiality by handing over (amongst other things) his contract of employment to a new employer. This doesn’t mean that it will cause issues asking to see the clauses of particular relevance but is clearly something to be sensitive to.]
CL: We’ve talked a lot about employees taking confidential, proprietary information away with them. What about stopping people coming in from the outside to access confidential information, software etc.? What are we seeing there at the moment, Simon?
SE: There is a certain amount that we can do on a technological level. There are intrusion detection systems; there are firewalls that are designed to block people coming straight into your systems. That’s not necessarily the easiest way to gain proprietary information, your personal information.
A lot more of the attacks that we see are on the social engineering side of things. You’re seeing people responding to emails that your bank has been compromised and you need to resubmit your information. You are seeing people receive phone calls, claiming to be Technical Support. People very willingly volunteer their passwords and things like that over the phone.
Immediately, of course, in today’s systems, particularly when you talk about things like software as a service, about hosted applications, cloud products, you tend to have multiple logins and multiple passwords. Now the one thing that we all do is recycle our passwords. We’re maybe using the same password that we feel is quite complex, but we’ll use it on 10 different websites.
We’re using it on Salesforce, we’re using it on our personal Gmail account, we’re using it on our Fantasy Football teams, all sorts of things. It really only takes one of these systems to go down for the person to log in, spot your email address, try your email address with the same password, and see all the emails that you’ve had. They realise that you work on Salesforce, realise that you work on any of these other sorts of cloud products, go to those, reset those passwords, and boom, they’re in. The cycle continues.
Training of your employees is extremely important. You really have to get them to know – to be really their own warden in some sense. That’s extremely important. Certainly on the data loss prevention, a lot of people think that hackers are going after large corporations: You have the break-ins with things like Sony, but really they’re not going after Sony’s information. It’s another way of them to access the clients of Sony. They use those details to go after your banks, your personal information. I think the awareness of really how important it is for you to keep yourself secure is very important.
CL: Are you finding that hedge fund managers are bringing outside providers in to provide this training, or trying to do it themselves internally or writing policies? What are people doing?
SE: At Eze Castle we work with a third party ourselves to really make sure that we’re doing it right. It’s amazing, when you talk about portfolio managers, hedge fund managers, how a lot of them are quite strong personalities and perhaps don’t necessarily want to be shown this type of thing.
It can be very difficult for their employees to try to train them on something. They don’t necessarily feel that they’re the type of person that’s going to get caught out by this. Unfortunately, in our experience, that’s not true. In those instances a third party that perhaps will be able to approach that person is certainly the best approach.
CL: Alex, anything from a purely legal perspective?
AB: We’ve been called in to help with various data security issues after the event. All of those have been the lost laptop, the lost piece of IT equipment, USB stick, whatever it may be. Actually they’re not really an IT problem. It’s a failing in organisational security or that sort of culture of security that Simon was just talking about. That’s really what you’ve got to try and engender. Information security gets lumped into being a sort of IT problem, and in many ways it really isn’t.
The other thing that I’d say is that my experience of dealing with the clients when they’ve had these incidents, is that every single one of them has underestimated the sophistication of the people that ultimately get hold of this information and how well ordered the process is of the information getting into the wrong hands. We had one incident, a lost laptop incident, where all that was lost was a postcode and national insurance number. Those were the only identifiers. We advised the client to bring in some external security consultants and they said that the laptop that was stolen in a pub was essentially going up a spiral. In about a couple of weeks’ time, it can have been resold and resold and resold, and it’s going to end up in the hands of people who can do stuff with that data.
Sure enough, about three weeks later, one of the client’s employees got a phone call at home. Very clever stuff, they just said, hello, Mrs Smith. We’re calling from XYZ Corporation, HR Department. We’re just checking our records. Can you confirm that your National Insurance number is AB 12 34 56? It was the correct National Insurance number. Yes that’s right. Now, if you could just confirm your date of birth etc. etc.
Fortunately she was smart enough to spot that it was slightly odd that the HR Department was ringing her at home and not at work. So she canned the call there and then. But it just goes to show you that even with a very small linkage in terms of personal identifier, there are people who can get hold of this information and can do very sophisticated things with it.
CL: Andrea, I assume from an employment law perspective, or a contractual perspective, there’s really very little you can do about this. You can’t fire people because they’ve lost a laptop. Or can you?
AF: Well actually, to be fair in some circumstances you might be able to. I think we’re in an industry where in some cases the data is particularly vital. If you had set in place very firm rules in relation to how people dealt with it, I think you could take very seriously somebody’s decision to ignore those.
Taking the classic laptop in the pub situation, there are organisations where having the laptop in the pub in the first place would in itself be a gross misconduct issue. Because it is so self-evidently vital that you don’t do that.
AB: From the perspective of then dealing with the regulators, you really want to show after the event that you’ve taken this all very seriously. I can think of a couple of examples where it’s happened where the relevant clients have taken disciplinary action. I don’t think they fired them, but they went through the process in relation to the relevant employees, because they wanted to show that this is a serious issue and they’re responding in a serious manner.
AF: There are two sides to it. There’s the setting things up in advance to make it clear how you take information security and security of physical items, including IT, very seriously. Then follow up consistently after the event, so that people understand that if this goes wrong, it’s not going to be a rap on the knuckles.
SE: Talking about mobile devices as well, particularly from an IT Department’s perspective, everyone in the past maybe three or four years has had a BlackBerry at some point. That was very manageable for the IT Department. BlackBerry devices were very good with their security, the devices were generally encrypted and we had remote administration tools to kill them, to wipe them if anything was lost.
There’s a big push in today’s business to move to bring your own device. This means IT departments are now managing Androids, iPhones, Windows Mobile, as well as BlackBerry devices. They’re all very, very different products. There are management tools coming to market now, but it is still in its infancy, particularly if you want one portal to manage them all.
When looking at data protection on lost devices, it’s very important that your IT staff or your outsource provider is truly skilled in managing all these devices and that they know the risks that some of these different mobiles will have if they are lost. It may not necessarily be as simple as what you had with BlackBerrys.
CL: Andrea, you mentioned in your introduction that one of the key issues at the moment in the employment space for managers is the whole issue of remuneration and the restrictions being placed on remuneration. What’s the current status?
AF: The current status for managers is generally the FSA Code, which at present is relatively light touch for asset managers. And I think there has been an experience in the last few years of it not changing things that greatly. However, the Alternative Investment Fund Managers Directive (AIFMD) is coming into force next year. And there is an ongoing process of consultation in relation to how that’s going to affect asset managers.
There is a lot of debate and discussion around the asset management community, with very different views between institutional managers and smaller hedge funds in relation to who should see the brunt of that, or indeed whether there should be a brunt at all. There’s an open question at the moment as to whether it will be possible under the AIFMD for asset managers not to apply some of the trickier things which the Directive talks about and which are already in place for banks.
I mean primarily the requirement to defer large portions of remuneration, and secondly the obligation to pay in non-cash instruments. There are fairly loud views amongst the industry in relation to how difficult some of these things might be, and those views have gone through to ESMA to explain why these cause issues, not least from a tax perspective, for those of you who are operating LLPs.
There’s lots of difficulty if you have to defer large portions of your remuneration while a lot of the rest of it gets paid not in cash. You would end up with a situation where members have a bigger tax bill than they’ve received. That’s a big issue and we’re awaiting the result of that to see whether it will be possible to dis-apply some of those criteria in relation to some kinds of manager.
In the meantime the key is to ensure that you’re in a position, at least with new employees, to impose these kinds of conditions if you have to. The assumption needs to be that these things are coming at some point, unless it’s possible for the FSA at least to take a slightly more comforting approach. But we don’t really know that yet.
What you can do at the moment is to ensure that your contractual documentation gives you powers to impose these things, rather than have a battle with your employees at the point in time when the regulations change. Not only is there AIFMD, there is a host of other regulations coming down the pipeline in relation to remuneration. There’s a pretty definite body of opinion in Europe at least about controlling the activities of asset managers through remuneration.
CL: Like many things surrounding European regulation it would be a great help if they actually wrote the regulation before they tried to bring it into effect. This is one of the problems with the implementation of AIFMD where we are still waiting for many of the regulations that we’re going to need to properly advise on what one should and could do.
AF: We’ve talked about business protection in the context of IT systems and the context of confidential information, and identifying your confidential information and treating it as such. Business protection has a wider meaning in terms of people – how else you can protect yourselves from individuals who move on?
The standard way of doing this is via restrictive covenants after the end of employment. The easiest way of achieving it is through gardening leave. Most organisations who want to protect themselves from individuals who are particularly significant to the business will put them on garden leave for a period of time after they hand in their notice.
In a way that’s the easiest way of keeping people out of the market as long as it’s enforced and they’re aware of their obligations during that time period. There have been a few big decisions this year from the Court of Appeal in relation to this, which suggests to me that it’s something that people are litigating. If these cases get as far as the Court of Appeal then there are people who are fairly heavily invested in what the answer is.
In two cases this year, organisations have tried to rely on implied duties of confidence to stop former employees going to work in other organisations. There’s been a pretty strong message from the court system that if you want to do that, if people will cause that level of damage to your business if they walk off and join a competitor, or indeed in these cases join a supplier, then you need to think about that up front.
The first thing is really trying to rely on implied obligations to protect your business – when people go it is too late. You need to think about it when you’ve got them. I think it’s a real easy thing to do when you’re starting up a business, in particular to use an off the shelf employment contract. But the individual who you hire as a relatively junior person, may become somebody who is quite significant to the business. You want to think about them upfront: what, exactly what, risk do they cause to the business, what do you need to protect?
Does that mean they’re going to be key in setting up a team? You need to make sure they cannot poach other members of the team at any point. Or it might be you need to make sure they don’t work for a competitor. Or you need to make sure they don’t go off and work for an investor. That could cause real issues to you, given what they know about how your operation works.
You very rarely see covenants which say an employee must not work for an investor, because it’s not very usual. But there may well be cases where that’s the right thing to do.
The second thing which has come up very recently in a case is a question about the point in time at which you look at a restrictive covenant. It’s been fairly clear that the appropriate test is at the time when you enter into the contract, so in principle when somebody starts employment with you. But some people think that if an employee is promoted they can just get them to re-state that they agree to their existing terms and conditions.
There was a case a couple of months ago where the court ruled that the test remains when the employee entered into the employment contract. The fact that this person is now very much more senior and does indeed cause lots of issues to your business by them moving to work for a competitor, is beside the point. The courts assess its enforceability at the beginning.
And the learning point from that is, if you have covenants that you want to enforce, if somebody’s going to cause a lot of damage to the business if they move to a competitor, if they move to an investor, if they try and poach your staff, then you need to think about them on a periodic basis. Because you will not be able to rely on what you did five years ago when they were in a different job.
CL: One of the questions I get regularly, particularly at the start-up phase of a manager is, what’s the difference in enforcement between an employee and a member of an LLP, assuming an LLP structure has been adopted, or a partner in a limited partnership, if a limited partnership structure has been adopted? Have the courts said anything about the differences between partners/members and employees?
AF: The cases which have made decisions on this are fairly supportive of the ability of members and partners, as between themselves, to agree with much more freedom how to restrict themselves. The idea being that these obligations are mutual. Everybody has the advantage of them. If you looked at the decisions that are out there, you would say, yes to members, you can have something which is quite a lot more extensive.
I think I would add a slight note of caution to that before you go off and say you’ve got a five year non-compete. I wouldn’t want someone to assume that you could enforce that at all. Not least because there’s been again, a raft of decisions – not in the same context, but about members who are members of an LLP, but perhaps don’t have a particularly significant role in the running of the business, or a particularly huge share of the profits.
These individuals, through a couple of cases in relation to discrimination, in relation to unfair dismissal, in relation to whistle blowing, are pushing the employment status argument and looking for ways to say, “Actually although I’m a member, I’m not really a partner.” In other words, they say that they have got membership status but it’s not really the same thing. The courts so far have been fairly reluctant to interfere with individuals having set themselves up as members in an LLP or partners.
There is a trend of people pushing that. It wouldn’t surprise me to see members who feel that they are economically subordinate. They are more in a junior capacity and start arguing that actually they were in no position to negotiate these covenants. They’re not mutual from their perspective, they were told to put up with them, and therefore they want to challenge them because they are keeping them out of the market. I think the answer is, yes probably easier but be careful.
CL: Arguing you’re an employee is a difficult one though.
AF: It’s very difficult. I think at the moment you need effectively to say that it is a sham.
CL: For no other reason than you’re defrauding the Revenue. Because you’ve been telling them you’re not an employee.
AF: Well I have to say you would say that, but there are people who have run the argument and they have clearly felt that the upside in other regards makes up for that downside.
CL: Simon and Alex, perhaps I could just ask you, is there anything we’ve not covered that’s hot out there at the moment that we should have talked about?
AB: The whole ability for customers to try and pass on liability to the service provider: if there’s storage of data that historically you carried out internally or some piece of IT support function, whatever it may be, and now you’ve passed that out to a service provider. To what extent can you now fix the service provider with all of the attendant liability that goes with that?
It’s always a very difficult debate. Because of the nature of these businesses, a lot of the systems are supporting very high-value flows of data or transactions or processes. And the parties just have an understandably very different perspective on how that should work. A supplier’s perspective on it will be their risk under this contract should match their reward – i.e. it should be linked to what they’re being paid to provide this service.
Of course, the customer’s viewpoint is very much different. Their perception, understandably, of the risk associated with that service failing, is very much higher, particularly if it’s supporting transactions and trades. There can just be a fundamental mismatch between the two parties. It’s sometimes difficult to close that gap. Customers will have to think more creatively about how they’re going to close that gap, whether it’s insurance or whether it’s internal processes that mitigate the risk, that sort of thing. The final thing I’ll say is that it probably ought not to be forgotten that in that migration scenario that I described, as a customer you have the same risk that you always had, whether it is internal or external. It’s just now you’ve paid someone to take some of that risk for you.
SE: When choosing an outsource provider I think it’s interesting what a company is looking for. Perhaps they’ll ask a few references and we’ll provide very good ones. They will maybe ask around the industry with some of their friends. There’s an enormous amount of information out there, be it public records, or speaking to your prime brokers, to really learn about the companies that you’re going to be working for. I think when searching out for a new outsource provider, take advantage of those sorts of things.
It’s interesting that we may fill out DDQs for our clients, but very few of our clients actually audit us. I genuinely think that for those that do, it’s a worthwhile exercise, you really get to learn a lot more about the business and we can really prove when we do that that we are actually practicing what we preach. We’re employing the same business continuity planning that we’re suggesting to our clients.
Our disaster recovery plans are in place, our employee plans in terms of our own internal redundancy, ensuring that there is no single point of failure in our staff. We like to prove that those sorts of things are really in place and working. We’ve just had the major event in New York with Hurricane Sandy. London had a major event this summer. It was a positive one for a change, the Olympics. And there was a lot of fear around what was going to happen to London’s infrastructure during that event. Public transport, power grid issues, and generally I think we came through very, very well.
Certainly we didn’t have any issues in terms of our client base with power or data centres being restricted access or anything like that. We were quite lucky there, but that’s not to say that something else couldn’t happen in London and I hope that people do take heed of these very unexpected events that can happen and really look at beefing up their disaster recovery plans, practicing them, testing them whether it be quarterly, or bi-annually. It’s great to have a packaged DR product, but it’s another thing to actually put it to the test.
CL: One thing the SEC has been saying recently and it is coming through more and more in the US, is that investment managers need an internal audit function. If that gets pushed through, and obviously what happens on the other side of the Atlantic doesn’t generally take too long to arrive in London, we may find internal audit functions will be needed. They’ll be looking not just at the accounting side but they’ll be looking at the whole service provider dimension and whether or not people are actually able to provide what they say they’re able to provide.
SE: We do it to our own suppliers as well. There’s quite a long chain to this. The data centres that we use, the circuit providers that we’re working with. We’re doing it to our carriers to our hosted centres.
Q (Audience): The rapid development of the cloud and perhaps the lag that most of us experienced in terms of understanding exactly how it works: on the one hand you can see the advantages and the resilience it gives you in terms of not needing to have a separate data centre.
But I think a lot of us wouldn’t know how to specify the level of security you would want or expect within the cloud. Is that an issue in terms of people like you who are providing, if you like, outsourced services? Because you might understand it, but your client base probably doesn’t.
SE: That’s a very valid point. In fact we have recently been involved with a takeover, if you will, of another client that was using a very small cloud provider. In our audit of the systems, in order to know how we’re going to migrate them over to us, we realised we had access to almost their entire client base. It’s a real fear of being on a cloud product that your information is out there and other people can see it.
You really need to look at whether this company is an established company. You really do need to look at what their record is. There is certainly a lot of research you can do about them. Has their service been around for a lot of years? Are they seeing a lot of clients come and join the cloud and then leave?
We’re very well-known to the prime brokers. They are going to know when a client is coming and leaving our services or our competitors. There are also quite a few third-party security firms out there that do specialise in working with outsource providers and hosted applications. There’s quite a few times where we’ve had to demonstrate our security package if you will, to one of these third-party security firms.
AB: I think one of the key things is to understand the model but understand also how your data is stored by the provider. Is it physically separate from other people’s data? So in other words is it sitting on an entirely different piece of hardware? Or is it just logically separate, i.e. you could have data all sitting on one piece of hardware just with IT separation if you like, software separation on the hardware.
That might change your perception of the security that’s applied to the data. It might change your perception of business continuity and disaster recovery. It might also change your perception of how easy it might be to extract yourself from that service. If you wanted to move away from that provider, what the process would need to be in order to extract the data and shift it to a new provider.