Your SlideShare is downloading. ×
Hedge fund operational_due_diligence_info_security_risks
Hedge fund operational_due_diligence_info_security_risks
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hedge fund operational_due_diligence_info_security_risks


Published on

Published in: Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  1. Information Security RisksInformation technology is a quickly evolving area of operational risk. Fund managers are oftenundertaking a number of different technology projects at once. These can range from mundanesoftware updates, to full scale hardware upgrades. Additionally with the increased acceptance ofvirtual work environments and increased cloud usage, many fund management organizations areeschewing further investment in more traditional technologies and ramping up the resourcesallocated to these emerging technologies.With all of these changes taking place, investors may be tempted to focus their efforts during theoperational due diligence process on these more cutting edge advances, in lieu of spendingappropriate time and effort reviewing technology basics. These basics can typically include anevaluation of the appropriateness and quality of software systems utilized across a number ofoperational functions including order management, settlement and reconciliation and fundaccounting. Other traditional items which may be covered during an operational due diligence reviewinclude, hardware related items such as understanding the types and number of servers utilized andthe type of network connections in place. A common item which may become lost in the duediligence shuffle between an increased focus on a fund managers use of new technologies andmore traditional technology concerns is information security.A fund manager is not like a traditional factory - they do not manufacture anything an end-user cantouch. Rather, a fund manager is in the investing business - and this is a field that is centeredaround information. Funds deal with all types of information- not limited solely to investment data.For example, they typically maintain data related to daily operational procedures (i.e. - books andrecords, data from accounting systems, trade confirmations etc.) as well as information about theiremployees (i.e. - employee addresses, payroll figures etc.), and data about who their clients are.During the operational due diligence process, a key question to consider is how does a fundmanager go about protecting this data? Perhaps the more appropriate preceding question should be,who is this fund manager protecting this data from?The most common consideration that first comes to the minds of most investors is that a fundmanagers approach towards protecting data is often focused almost exclusively on external threats.For example, it would be concerning if a hacker was able to log onto the fund managers internalnetwork and steal data. This is certainly an important concern. During the operational due diligenceprocess investors can take a number of steps to evaluate the quality of a hedge funds informationsecurity defenses from external threats including:  Has the firm performed any penetration testing? If yes:  - has the firm employed a third-party firm to conduct an evaluation or did they perform the testing themselves?  -what were the results of the penetration testing?  If not, does the firm have any plans to perform such testing in the future?  What are the firms standard information security procedures to prevent external attacks?  What types of firewalls are in place? Another often overlooked area of information security due diligence relates to segregating andprotecting data within the fund management firm itself. Often, particularly in a larger fundmanagement organization, different employees will have access to certain pieces of information.This can be both to protect the confidentiality of certain employees (i.e. - the administrative assistantdoes not have access to everyones personnel files in the same way a human resources professionalwould) as well as more likely to implement checks and balances throughout the firm. In this regard, a© 2011 Corgentum Consulting, LLC
  2. fund manager who takes measures to protect or limit access to certain pieces of information woulddo so among the firms employees itself. Some key considerations investors may want to considerwhen evaluating the way in which a fund manager protects data internally include:  Are IT consultants utilized? If so, how does the firm monitor consultant access to and use of proprietary data?  Can employees utilize remote storage devices, such as zip drives?  If employees can access the firms systems remotely, are equivalent data protection procedures in place to system access from within the office?A fund manager that does not take measures to appropriately protect data from threats, bothinternal and external, can have critical information literally walk out the door. From an investorsperspective, putting aside any loss of competitive advantage from loss of investment related data, afund manager that does not protect data may be exposing their clients information to others and runthe risk of future fraudulent activity or even identity theft. By asking the right questions, an investor,can effectively diagnose whether a fund manager approaches this subject seriously.Originally posted in the February 2012 edition of Corgentum Consultings OperationalDue Diligence Insights.For More info@corgentum.comInformation | Blog | Twitter FeedTel. 201-360-2430About Corgentum Consulting:Corgentum Consulting is a specialist consulting firm which performs operational due diligencereviews of fund managers. The firm works with investors including fund of funds, pensions,endowments, banks ultra-high net-worth individuals, and family offices to conduct the industrysmost comprehensive operational due diligence reviews. Corgentums work covers all fundstrategies globally including hedge funds, private equity, real estate funds, and traditional funds.The firms sole focus on operational due diligence, veteran experience, innovative originalresearch and fundamental bottom up approach to due diligence allows Corgentum to ensurethat the firms clients avoid unnecessary operational risks. Corgentum is headquartered at 26Journal Square, Suite 1005 in Jersey City, New Jersey, 07306. Phone 201-360-2430. For moreinformation visit, or follow us on Twitter @Corgentum© 2011 Corgentum Consulting, LLC