Grigoriy Milis and Michael Asher, of RFA, update HFMWeek on
what fund managers need to know regarding data management
and data auditing
Grigoriy Milis is an IT veteran with more than 15 years of experience working in the financial industry. As CTO at RFA, he is responsible for managing all aspects of infrastructure design and leads the R&D team in the evaluation and testing of new technologies.
Michael Asher is CIO at RFA and is instrumental in the development of IT policies for the company and its clients. Asher designs and oversees managed services product offerings including RFA Cloud Platform, business continuity and disaster recovery services.
HFMWeek (HFM): With companies producing more
and more data every year, what are your suggested best
practice techniques with regard to data management?
Grigoriy Milis (GM): Having clear and established data
protection is a necessity for any modern business. Data
leaks caused by negligence on the company’s part will now
lead to substantial regulatory punishments as well as reputational damage. The hedge fund industry was quite slow
to adopt these cyber procedures in the past but now it can
cause a serious headache for anyone who isn’t up to date
on their data protection.
HFM: What are the common pitfalls with data governance and how can they be avoided?
GM: Data management can be divided in three distinct
areas. The first area relates to the physical protection of
data, the second to audits of data assets and thirdly is data
Today, most people have the physical aspect of data
protection covered. The most common pitfall is, in fact,
to do with data retention. With the wide variety of data
related regulations, especially regarding long-term data
retention, a lot of companies are unsure of what data they
need to retain. This is a widespread problem in the industry and there seems to be a lot of confusion. Some entities all
but ignore this issue which can be very problematic during
audits. Other companies opt to retain their entire data sets
forever, which can be a very expensive solution.
HFM: How can data classification help with audits?
GM: When it comes to the data access audit, we feel it’s
an under-served part of the data guards. People want to
understand how their data is being used and accessed, and
they want to be alerted if there are any anomalies in data
access attempts. In the last six months we have seen a large
rise in the number of companies showing an interest in
getting this style of data management system and most of
the industry now has a sufficient system for this in place.
However, what they often overlook is the third aspect
of data guards, which is data classification. Data classification is used to tell people where the sensitive information
resides. Most people understand the obvious examples of
sensitive data but it’s very common for people not to realise
they also have a substantial amount of data that contains a
wide variety of regulated information – specifically personally identifiable information. Data classification can effectively deal with this problem which is another very common
pitfall we encounter.
Michael Asher (MA): Last year the Securities and Exchange Commission (SEC) came out with their guidelines on data management which asked what steps a business has in place that will allow it to identify if your data
protection process is actually working. If your process for
classifying and monitoring data is manual then any employee can take this information and release it to the wider
internet or malicious third parties. Newer technology allows for automatic alerts that remove this issue entirely.
HFM: What must all fund managers be aware of with
data auditing?
GM: Data auditing is a big part of the SEC’s cyber security
initiative. Data auditing allows people to know two things:
first, who has permission to access the data internally
and second, who does what with that data. These are both
extremely important features and people are only just
starting to appreciate that.
The first part protects the company from various internal and external issues. If an employee, either by accident
or on purpose, gains access to HR information on other
employees it can cause a headache for any company.
MA: In addition, monitoring data usage can also protect
the company in a similar way and also provides a trail if
something goes missing that allows for the source of the
leak to be discovered quickly. Any data that is leaked has
to be reported so these types of devices are essential for
allowing that to happen. It’s about having tools in place to
prevent an event and also to piece together the puzzle if
something does happen.
There is no silver bullet that will protect against a breach
100%, so you have to invest in the proper processes to mitigate the damage if/when a breach does occur.
HFM: Are you finding managers are sufficiently educated on cyber security procedures and potential risks
surrounding data storage?
GM: Very often, fund managers aren’t IT experts and
sometimes they don’t fully appreciate the complexity with
certain areas of cyber security. Other times IT vendors tell
a fund manager that if they buy their product they will be
fully protected, which can actually do more damage than
not buying a product at all because there is nothing worse
than a false sense of security.
There is a need to educate fund managers but it’s definitely not something that is specific to the hedge fund sector. A lot of business managers are simply not aware of the
complexity surrounding active and passive cyber protection to create a layered defence for their data.
HFM: On average are the funds you encounter sufficiently covered or are there still exposures?
GM: I wouldn’t want to make a blanket statement about
the whole hedge fund industry but in many of the funds we
encounter there are still gaps. The larger hedge funds are
often better protected than the mid to small sized funds.
Until the guidelines were released by the SEC there
were massive gaps in a lot of funds’ cyber protection. The
SEC has effectively drawn people’s attention to the issue
and things have improved, despite the fact it can often be a
pricey proposition for smaller funds to have a well-rounded cyber solution.
MA: Cyber security has been hammered home on a wide scale but the recent guidelines don’t spell out the granular
aspects of cyber security that are needed to create comprehensive protection.
Also, at the end of the day the price tag can be an issue, but as technology becomes more accessible to smaller
funds they are starting to incorporate these solutions into
their structures.
