April 1, 2014

A Matter of IT Trust

Before a hedge fund signs on with an IT firm-cloud, network or otherwise-it must be certain the firm can handle any and all situations.

By Art Murphy

When it comes to IT and the Operational Due Diligence (ODD) process, funds need to give a great deal of focus and consideration to a few topics in particular. Infrastructure providers will assure you that data is secure and accessible, but you need to ask the right questions before making the full transition to the cloud. This is where the value of a Due Diligence Questionnaire really lies.

The first, and perhaps most important, question in the ODD process pertains to data security. With many countries trying to hack data to gain access to people's intellectual property, as well as "hacktivists" and other individuals trying to make a statement by stealing and acquiring sensitive personal information, data security is of the utmost importance in today's business world. Though investors are becoming much more comfortable with the cloud as opposed to five years ago, many still make the assumption that data is safer residing physically on site.

However, when firms take a closer look, they can quickly see how much safer their data actually is when residing in a private cloud environment. In fact, the most common data security threats are internal and often involve systems being infected by malware, through email, a website download or by way of a USB drive. Certain infrastructure providers will work directly with clients by taking them on an in-person tour of their data centers, so the clients can see firsthand how and where their data is stored. The providers will also sit down and educate clients about how intrusion-detection solutions are implemented and how to map out proper access controls and policies.

It is important that firms fully understand how all of their applications are being hosted. If data is being stored outside the IT provider's cloud, it is important to make sure the company has all the checks and balances needed to keep all the data secure.

If firms choose to go with a Voice over Internet Protocol (VoIP) service, they must ensure that investors understand how their voice system works and how to continue using phones in case of an internal outage. In cases where phones are no longer an option, firms need to know of other methods that will allow them to carry out trades and continue to run the business effectively.

In the event of a natural disaster, knowing how to respond and, most important, how to continue operating is crucial to a firm's survival. This was never more evident in the financial services industry than when Hurricane Sandy struck the Northeast in October 2012. The majority of Wall Street operations were shut down, and firms relied heavily on their service providers for data protection and continued operations. Business continuity planning is a large part of this. Identifying the specific internal and external threats to the firm during a potential breakdown or disaster is the only way a firm will stay afloat. Business continuity planning can act as a large part of the ODD process, adding a great deal of value, and is very often an underrated component.