Cloud technology
The scale of a manager's IT infrastructure will largely depend on the type of trading strategy. A quantitative market neutral statistical arbitrage fund is likely going to spend more capital on front-office portfolio management, risk management systems and server storage capabilities than a specialist credit strategy that trades infrequently.
Either way, investors will expect the manager to have a well-oiled machine in place: well-established workflow processes, operational controls, and, as far as possible, front- to back-office system integration.
One of the most popular routes to establishing a sound technology infrastructure is to appoint an outsourced cloud provider. It is cost-effective, and it allows the manager to benefit from economies of scale; after all, a cloud provider that supports hundreds of different hedge fund strategies will be able to share insights that a manager running their IT operations internally could never hope to achieve.
Eze Castle Integration has become a pioneer in this space with its Eze Private Cloud. It consists of three core components: Eze Managed Suite, Eze Managed Infrastructure and Eze Disaster Recovery.
The Eze Managed Suite includes the fundamental email, file services and back-up capabilities that any organisation would expect to derive from a cloud provider. Managers can readily access emails from mobile devices and utilise file services when on the road. It is, as Bob Guilbert, Managing Director at Eze Castle Integration, explains, "a multi-tenanted cloud that allows you to operate anywhere seamlessly.
"We've also incorporated disaster recovery into Eze Managed Suite. The way we've constructed the cloud means it will continue to operate as normal, independent of any disaster that might occur at any one of the data centres we operate out of."
The Eze Managed Infrastructure is essentially Infrastructure-as-a-Service. If the start-up manager has a specific application that they want to use, it can be hosted within the cloud without issue. The manager may want to run a CRM package, for example, or a risk package alongside Eze Managed Suite, and benefit from having one cloud provider offering the entire computing infrastructure.
"We have interwoven Eze Disaster Recovery into both our cloud offerings. We believe it's important, especially for Eze Managed Suite. With Eze Managed Infrastructure, however, we give clients the option of having disaster recovery because the manager may not choose to make an application highly resilient," says Guilbert.
Third-party risk is a key component of an investor's due diligence, so before selecting a cloud provider the manager should seek assurances that the provider will allow them to execute their strategy without issue. In other words, the technology provider must check the box in the eyes of potential investors and demonstrate that it will be able to mitigate as much of the manager's operational risk as possible.
"Investors are asking questions to give them the confidence that the manager has chosen an institutional-grade cloud provider. Have they gone through the necessary steps to create the right IT environment, the right technology, and put the right protections in place? Clearly from an institutional investor perspective, if the manager selects a cloud provider like Eze it gives them reassurance that the fund's technology infrastructure is enterprise-quality and robust," says Guilbert.
Some of the points to consider before selecting an outsourced technology provider include:
• Reputation
• Technology capabilities – managers should validate this with their own due diligence
• Security Prowess – are they using the highest levels of security and encryption to store and protect clients' data on the cloud? Do they have the latest certifications?
With respect to security, Guilbert says that Eze Castle Integration uses encrypted tunnels to ensure that no one can see what data is flowing through.
"We are not security specialists per se so we leverage numerous third parties. One in particular is eSentire, which monitors traffic coming into and out of our cloud. They provide a managed service to continuously monitor activity. If they see an attack (i.e. a rogue IP address) on one of their hedge fund clients' networks they will lock down that IP address for all of their other hedge fund clients.
"We have well over 400 clients using the Eze Managed Suite which is protected by eSentire. These security layers allow us to fully protect them, should one manager be the focus of a targeted attack. In addition, we use the highest security measures in our data centres: biometrics, locked cages, segregation of client data and so on," confirms Guilbert.
Cyber insurance
Cyber insurance is becoming increasingly popular among managers of all sizes as cybersecurity threats rise in number and sophistication. Managers have to guard against this and, although it might not be a top priority on Day One, start-ups should at least make plans to have cyber insurance in place once the fund's assets and investor base start to grow.
"It is definitely a key area of focus for the majority of our hedge fund clients. I would say that at least 75 percent of our clients have approached us to discuss cyber insurance, and all of them are doing the necessary due diligence to assess their firm's cyber exposures, evaluate their current cyber security protection and controls, and formulate a comprehensive incident response plan in the event of a cyber breach," explains Ron Borys, Managing Director, Crystal & Company, a leading New York-headquartered strategic risk and insurance advisor.
There are three main areas of insurance that a start-up manager should consider before going live: 1) Financial Insurance, 2) Employee Benefits and 3) General Insurance.
There are two main forms of financial insurance to be aware of:
• Professional indemnity insurance
• Directors and Officers insurance.
Professional Indemnity insurance covers professionals for their legal liability to compensate other parties (generally their clients) for any losses they suffer as a result of the professionals' breach of their professional duty (known as professional liability).
Directors & Officers insurance covers directors and officers for their legal liability to compensate other parties for the loss which they suffer as a result of any wrongful act, error or omission committed by the directors and officers. 'Other parties' in this context could be shareholders, the Company, competitors, employees and liquidators.
Premiums & level of liability
The above are well-established insurance policies that have been used by fund managers for decades and as such are fairly straightforward to price. Cyber insurance, on the other hand, is a recent development. Hackers are stealing data, not assets, and data doesn't have a 'value' per se.
"The potential liability that relates to the theft of data and breaches of confidentiality is a key area of concern for our hedge fund clients.
"With respect to the premium, we approach the broad marketplace with our clients' permission and solicit quotes from different insurers. There's no clear direction right now as to how insurers are pricing premiums for cyber insurance as the underwriters continue to work to understand and evaluate cyber risk exposures with respect to hedge funds," notes Borys.
One factor that can help determine the premium is ascertaining the amount of personally identifiable information (PII) a manager has stored on their server. Another important factor will be the fees or revenues generated by the manager.
"Those are probably the two main factors considered by insurers underwriting hedge fund cyber liability risk. Keep in mind that there is generally a minimum premium that an underwriter will look to charge for the issuance of a cyber policy.
"Our hedge fund clients are typically considering limits in the range of USD5m to USD10m. We are currently seeing premiums in the range of USD6,000 to USD8,000 per million, so managers considering USD5m in coverage will be looking at an annual premium in the range of USD30k to USD40k," confirms Borys.
There are two key components that will go into a cyber insurance policy.
First party costs
These will typically include:
• Privacy notification costs. If there is a breach and personally identifiable information is stolen, the manager has an obligation to provide notification that such a breach has occurred to the US regulatory authorities.
• Business interruption costs. If the manager's systems are taken offline as a result of a cyber breach (maybe a DDoS attack), it could prevent them from trading and potentially impact the fund's performance.
• Cyber extortion. This is where someone penetrates the manager's network and threatens to do something unless the manager pays a ransom (often with Bitcoins).
"Some of the other first party costs would include: forensics, accounting, extra expense coverage to bring systems back on line, public relations costs that might arise to protect a manager's reputation following a breach. The coverage is written to respond to the potential expenses incurred by the manager who could be liable to pay damages as a result of a security breach," says Borys.
The second component of the coverage is written to respond to the broader liability associated with claims made against a manager for damages associated with a breach of their network, including unauthorised access to confidential or personally identifiable information.
Check your service providers
In addition to focusing on their own protections and systems, managers should also ensure that their third-party service providers are doing the same; they need to ask the right questions to get assurances that their service providers are protecting the information for which the manager could be liable in the event of a cyber breach.
These questions might include: How are your servers protected? Who are you consulting with to stay up-to-date with the best solutions and tools? What is your disaster recovery plan? What would you do if a breach occurred and you had a system outage, which would directly or indirectly affect the fund?
"Three key insurance coverages that every fund manager should ask of their service provider are:
• Errors and Omissions – broad coverage for any actual or alleged wrongful act committed by the service provider in rendering or failure to render services to the manager or fund;
• Fidelity bond coverage – coverage for the fund's assets from theft by an employee of the service provider (i.e. the PB or custodian);
• Cyber insurance – coverage if the fund or its investors' confidential data is exposed or stolen, or if the service provider experiences a network outage that adversely impacts the fund or manager as a result of a cyber breach," concludes Borys.