Minimising Security Risks

The ins and outs of data protection for hedge funds

Originally published in the September/October 2012 issue

On 13 September 2012 in New York City, experts from Eze Castle Integration, eSentire, Simmons & Simmons and DK Partners came together to discuss the current data security and protection landscape facing the hedge fund industry. This article reviews the advice provided by this expert panel.

A lot has changed in the hedge fund industry over the years. New regulations, increased investor operational requirements and challenging markets have led to transformations in the way funds do business. Arguably one of the most significant changes we’ve seen in the realm of technology operations is an increased focus on security and data protection. On a seemingly regular basis, we hear about high-profile security breaches by criminal and state-sponsored groups trying to gain access to sensitive information. The industry is engaged in an arms race as security risks and threats constantly evolve, while hedge funds and their investors advance their security postures.

Investors have gotten savvier when it comes to technology, wanting to better understand the systems and processes that firms have in place to support their daily operations. And with the prevalence of new public cloud tools, such as storage and sharing services like Dropbox, firms and investors alike are forced to take a closer look at their security profiles to ensure all necessary measures are taken to protect their information.

Security risks in today’s environment
The focus on security for a hedge fund – or any other company – cannot simply be external. In today’s world, breaches and threats are more likely to begin internally. The majority of these internal cases are not malicious. As employees gain more access to more information and public file sharing tools, the risk increases that sensitive information can somehow end up in the wrong hands. Beyond implementing firewalls and anti-virus programs, firms must look beyond perimeter defences to evaluate potential security risks.

Managing security threats
In order to properly manage security threats, firms must be proactive. Conducting a vulnerability assessment is a great way to gauge the threat level for your firm and thus gauge the necessary steps to combat the issues. They often expose malicious activity previously undetected.

Even simple security best practices can go a long way in alleviating troublesome and costly threats down the road. The most common security threats often stem from out-of-date network and anti-virus patches, application updates and Internet browser activity.

Properly educating employees is also a crucial step in the threat management process. Employees need to understand what impact their daily activities can have and how they can easily follow best practices and take steps to ensure their firm’s sensitive information is kept secure. It is likely that employees don’t fully realise the risk to a business if a security breach occurs or data is compromised. With proper education and training, firms can work directly with their employees to mitigate risks.

Part of what you’ll need to educate your employees on is the company’s policies and procedures relative to security. Access control and acceptable use policies are essential in setting boundaries for employees and limiting their level of access to sensitive information. Some firms like to restrict employees from visiting social media websites or accessing their personal email. In the past, firms created network drives that allowed access to practically anyone. These days, they should restrict access to need-to-know personnel and closely monitor activity. They can also disable local administrative rights to prevent employees from installing third-party applications.

It may seem obvious, but secure passwords are a must. The strength of a password should be carefully enforced (1234 won’t suffice!), and they should be changed frequently; typically recommendations for password changes are between 30 and 90 days.

Personal device and communication policies are also a necessity. Practically every hedge fund employee owns a smart phone or tablet, and many firms are now employing “bring your own device” or BYOD policies that allow employees to use their personal devices to access work email and other data. Firms must ensure their policies include the ability to remotely wipe the device in the event the device is lost or stolen or the employee leaves the company.

Working with service providers
While many firms will choose to manage their security and data protection in-house, for those who work with third-party service providers, it’s imperative that they do their due diligence and work with reputable and experienced vendors. In security, the old adage, a chain is only as strong as its weakest link, holds true; particularly in the investment world, where working with a company who understands your business and your unique requirements is paramount.

Firms should also evaluate the resiliency of the provider. Can they withstand an outage or disaster? Do they have a comprehensive disaster recovery (DR) and business continuity plan (BCP) in place? Do they have the bandwidth to respond to and work with multiple clients at the same time in the event of a disaster situation or security issue?

Additionally, they should look for service providers with SAS70 or the more recent SSAE 16 certified data centres which meet industry standard regulations around data protection and redundancy. Finally, a reputable service provider will also conduct regular testing around DR/BCP and security controls to adequately gauge threat levels and support a firm’s growth.

Looking ahead
As the landscape continues to evolve, we expect to see hedge funds and investment firms put more emphasis on security and data protection in order to meet growing investor demands and new regulations. User education will continue to remain an important factor, especially as firms adopt new technologies and implement new policies to manage and monitor access and behaviour.

Managed services and solutions will continue to remain popular, allowing firms to offload many technology responsibilities onto third-party providers and enabling them to focus on their investment management priorities. But how far will the security landscape stretch? Only time will tell.

Mary Beth Hamilton is Director of Marketing for Eze Castle Integration, provider of IT and technology to hedge funds and alternative investment firms. She has over a decade of technology and marketing experience and holds an MBA from Boston College. Mark Sangster is the Director of Marketing for eSentire, Inc., a managed security service vendor to hedge funds, protecting 25% of the global hedge fund market (by AUM).