FOCUS ON DATA MANAGEMENT Grigoriy Milis and Michael Asher, of RFA, update HFMWeek on what fund managers need to know regarding data management and data auditing Grigoriy Milis is an IT veteran with more than 15 years of experience working in the financial industry. As CTO at RFA, he is responsible for managing all aspects of infrastructure design and leads the R&D team in the evaluation and testing of new technologies. Michael Asher is CIO at RFA and is instrumental in the development of IT policies for the company and its clients. Asher designs and oversees managed services product offerings including RFA Cloud Platform, business continuity and disaster recovery services. 24 H F M W E E K . CO M HFMWeek (HFM): With companies producing more and more data every year, what are your suggested best practice techniques with regard to data management? Grigoriy Milis (GM): Having clear and established data protection is a necessity for any modern business. Data leaks caused by negligence on the company’s part will now lead to substantial regulatory punishments as well as reputational damage. The hedge fund industry was quite slow to adopt these cyber procedures in the past but now it can cause a serious headache for anyone who isn’t up to date on their data protection. HFM: What are the common pitfalls with data governance and how can they be avoided? GM: Data management can be divided in three distinct areas. The first area relates to the physical protection of data, the second to audits of data assets and thirdly is data classification. Today, most people have the physical aspect of data protection covered. The most common pitfall is, in fact, to do with data retention. With the wide variety of data related regulations, especially regarding long-term data retention, a lot of companies are unsure of what data they need to retain. This is a widespread problem in the industry and there seems to a lot of confusion. Some entities all but ignore this issue which can be very problematic during audits. Other companies opt to retain their entire data sets forever, which can be a very expensive solution. HFM: How can data classification help with audits? GM: When it comes to the data access audit, we feel it’s an under-served part of the data guards. People want to understand how their data is being used and accessed, and they want to be alerted if there is any anomalies in data access attempts. In the last six months we have seen a large rise in the number of companies showing an interest in getting this style of data management system and most of the industry now has a sufficient system for this in place. However, what they often overlook is the third aspect of data guards, which is data classification. Data classification is used to tell people where the sensitive information resides. Most people understand the obvious examples of sensitive data but it’s very common for people not to realise they also have a substantial amount of data that contains a wide variety of regulated information – specifically personally identifiable information. Data classification can effectively deal with this problem which is another very common pitfall we encounter. Michael Asher (MA): Last year the Securities and Exchange Commission (SEC) came out with their guidelines on data management which asked what steps a business has in place that will allow it to identify if your data protection process is actually working. If your process for classifying and monitoring data is manual then any employee can take this information and release it to the wider internet or malicious third parties. Newer technology allows for automatic alerts that removes this issue entirely. THERE IS NO SILVER BULLET THAT WILL PROTECT AGAINST A BREACH 100%, SO YOU HAVE TO INVEST IN THE PROPER PROCESSES TO MITIGATE THE DAMAGE IF/WHEN A BREACH DOES OCCUR ” 1 4 - 2 0 M AY 2 0 1 5 S P O N S O R E D E D I TO R I A L HFM: What must all fund managers be aware of with data auditing? GM: Data auditing is a big part of the SEC’s cyber security initiative. Data auditing allows people to know two things: first, is who has permission to access the data internally and second, who does what with that data. These are both extremely important features and people are only just starting to appreciate that. The first part protects the company from various internal and external issues. If an employee, either by accident or on purpose, gains access to HR information on other employees it can cause a headache for any company. MA: In addition, monitoring data usage can also protect the company in a similar way and also provides a trail if something goes missing that allows for the source of the leak to be discovered quickly. Any data that is leaked has to be reported so these types of devices are essential for allowing that to happen. It’s about having tools in place to prevent an event and also to piece together the puzzle if something does happen. There is no silver bullet that will protect against a breach 100%, so you have to invest in the proper processes to mitigate the damage if/when a breach does occur. HFM: Are you finding managers are sufficiently educated on cyber security procedures and potential risks surrounding data storage? GM: Very often, fund managers aren’t IT experts and sometimes they don’t fully appreciate the complexity with certain areas of cyber security. Other times IT vendors tell 1 4 - 2 0 M AY 2 0 1 5 a fund manager that if they buy their product they will be fully protected, which can actually do more damage than not buying a product at all because there is nothing worse than a false sense of security. There is a need to educate fund managers but it’s definitely not something that is specific to the hedge fund sector. A lot of business managers are simply not aware of the complexity surrounding active and passive cyber protection to create a layered defence for their data. HFM: On average are the funds you encounter sufficiently covered or are there still exposures? GM: I wouldn’t want to make a blanket statement about the whole hedge fund industry but in many of the funds we encounter there are still gaps. The larger hedge funds are often better protected than the mid to small sized funds. Until the guidelines were released by the SEC there were massive gaps in a lotof funds’ cyber protection. The SEC has effectively drawn people’s attention to the issue and things have improved, despite the fact it can often be a pricey proposition for smaller funds to have a well-rounded cyber solution. MA: Cyber security has been hammered home on a widescale but the recent guidelines don’t spell out the granular aspects of cyber security that are needed to create comprehensive protection. Also, at the end of the day the price tag can be an issue, but as technology becomes more accessible to smaller funds they are starting to incorporate these solutions into their structures. n H F M W E E K . C O M 25
© Copyright 2024