Since the Madoff investment scandal and the 2008 financial crisis, there has been an increase in investor-led changes to the role of hedge fund service providers and what they should be providing their clients. In the case of IT, it is argued that this influence is now greater than the changes being implemented by regulatory authorities.
Investor and regulator due diligence is redefining the way the alternative investment market operates. Post-2008, over 70% of hedge funds’ assets under management (AUM) now come from the institutional sector. Investors are now driving increased transparency, tighter internal controls and monitoring of not only the investment managers and their funds but also the service providers to whom they outsource.
Security of data in the cloud
One of the hot topics at the moment for investors, and consequently hedge funds, is security and control of data. This is becoming more apparent as cloud services are adopted within the alternative investment marketplace. Capital Support has seen an increase in the number of managers taking on cloud technology, with more than 95% of start-ups adopting the technology.
Security isn’t a new subject for any fund manager who is looking to take on cloud services; however, IT providers are now finding these concerns being driven by investors who are demanding transparency across the board.
Although the cloud is becoming more widely accepted and doubts over its security are becoming less frequent, there is still an increase in due diligence from investors to ensure that the cloud is a safe and secure environment for fund management operations. Tangible evidence needs to be available to investors, demonstrating the measures which are taken to ensure their data is secure.
Demonstrating the security of a cloud environment is steadily going beyond the traditional tests and checks that would have sufficed a year ago. In particular, the larger funds managing in excess of $1 billion are being driven to ensure that the service providers they are working with can prove their technology can pass rigorous security checks. All elements of a cloud platform must be checked and the security verified. This includes penetration tests of the hosted platform, which analyse and establish how possible it would be to gain access to the platform using technology. Additionally, the physical security of the data centre is regularly monitored and protected by security readers, only allowing authorised personnel access.
Investors are now requesting that background checks on the service provider’s key personnel are provided to ensure that nothing underhand is being hidden from the fund and their investors. Investors need to be reassured that if the fund is using a hosted platform, then all measures of security have been taken into consideration, and complete transparency is imperative.
How the transparency of the data is handled also relates to any backed-up data. Strict data retention requirements mean that service providers need to be able to show what data has been backed up, how frequently this has happened and how long this has been retained for. Adequate reporting must be provided to the fund manager so they are able to provide investors with audit trails on the data and full reports demonstrating that data is being handled correctly and complies with regulations.
With such a large part of a fund manager’s operation being driven from the technology and the infrastructure that is in place, it is no wonder investors want to feel assured that there are measures in place to sustain operations should a technical failure occur. Investors are becoming more aware that one of the main benefits of a private cloud is that disaster recovery (DR) is built into the infrastructure as standard and this enterprise-level technology has the resiliency and redundancy which is normally expected from the larger investment banks.
Technology providers should be responsible for ensuring that the fund has a viable and functioning disaster recovery plan in place. Most providers will assist and maintain all elements when it comes to DR so that managers can provide their investors with the information they require. Testing of DR plans and being able to provide proof of testing is critical. Investors need to know not only that the correct infrastructure is in place to deal with any downtime that may occur, but also that this infrastructure is fully functioning and has been tested to prove it.
DR is now reaching beyond the constraints of technology as investors are requesting to see that the fund has an adequate workplace recovery plan in place. If approached in the correct manner, this can be facilitated and managed by the technology provider as part of the overall DR service.
Many technology providers will already have contracts in place with workplace recovery providers that will have nationwide locations available. So no matter what happens, all technology and personnel within the business can be fully operating in a matter of hours.
Liability and contract negotiation
As well as business continuity and knowing that data is protected in the event of an outage or disaster, investors are keen to know how data can be accessed in the event of a contract termination, or if the service provider ceases to trade. There are ways funds can ensure data is not only secure but can be accessed if needed. Contract negotiation plays a significant part in this. After a private cloud provider has been selected and it has been agreed what will and will not be included as part of the service, there should be a discussion surrounding exit strategies, terminations and any costs surrounding this. These items should be managed and negotiated as part of the overall contract.
As part of the contract negotiation process, where the liability lies and who manages it is also increasingly being discussed. In previous years, liability terms between fund managers and service providers were around 10% of contract value. This has since risen to the full contract value and, in some cases, multiples of the full contract value.
Investors need to feel reassured that the fund manager has looked at all areas of liability and that this has been built into the terms and conditions of any contracts in place with third-party providers.
Managers need to be reassured they can prove to their investors that their service providers adequately cover any damages or that the contract that is in place is able to cover this. With the larger cloud providers such as Amazon, while they are able to cover the liability requirements as their size allows for this, the chances are they won’t be willing to negotiate a contract to cover it. Contracts with many large cloud providers are static in most cases and will be offered from a ‘what you see is what you get’ perspective.
In summary, it is clear to see that although regulators are outlining the requirements fund managers should be adhering to, it is the investors that are determining how this is managed and the extent of transparency which should be expected.
Service providers are becoming more aware of this fact and are increasingly working with managers to ensure that this level of transparency is achievable whilst adhering to the correct regulation.
Nigel Brooks has over 20 years’ experience in the IT industry with extensive experience within the financial services sector.