“I think it’s maybe a bit more of an issue than people think it is,” admits the CTO of a $5bn hedge fund.
“In recent years there has been a bigger move to outsourcing technology in the industry, so for example there are certain data centre firms getting more business, not just from hedge funds. But in certain areas there is a tendency to cluster a little, so it’s definitely something to think about.”
Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations, according to a definition released by the US Department of Justice.
For hedge funds of all sizes, there is simply no way of avoiding the need to place some part of the technology function in the hands of a third party, whether that is part of an outsourced IT agreement or an obligatory arrangement with a service provider such as an administrator or prime broker.
Vendor scrutiny
Against this backdrop, Ray Bricknell, managing director of Behind Every Cloud, says vendor liquidation is the number one aspect of concentration risk people don’t think about enough, whether they use a single end-to-end provider or opt to outsource to multiple vendors.
Bricknell explains that “one stop shop” vendors who describe themselves as being 100% aligned with hedge funds tend to be relatively small firms, meaning their revenues are often pegged to serving a small number of clients.
“The way these firms operate tends to be that they suck in the IT of the client in a reasonably non-standardised way, then scale headcount to deal with the issues involved with that and end up with a difficult to scale commercial model, which means they are a constant aggregation risk (to the hedge fund),” he explains.
For smaller funds, Bricknell adds, this is a particular problem because they tend to buy from an end-to-end provider, which means they are limited for choice.
Hedge funds with bigger budgets can lessen this risk by outsourcing different things to different vendors, but Bricknell says there is still concentration risk here.
“So you might get a vendor who just does disaster recovery as a service, which means you end up splitting service acquisition across a range of vendors, you still have a concentration risk with just one vendor doing one thing for you,” he adds.
For managers of any size, the use of niche services also presents a key concentration risk.
“There are a lot of similar applications that different funds use like logging emails or email review, or firewalls,” says the CTO of one $800m AuM US-based fund.
“There are just a handful of firms who do firewall security well for our industry, so a breach on their systems would be devastating. Security providers are a tremendous concentration risk because there are not many handling leading edge security very well and you can’t go to just any firewall vendor.
“Bloomberg is another risk, because not many people have a back-up provider for that service. We have alternate data feeds but don’t have the instant messaging that Bloomberg offers.”
For many hedge funds, the recent spate of mergers and acquisitions among vendors exacerbates the challenge of handling concentration risk.
Deals such as SS&C’s acquisitions of Citi’s admin book and Advent Software, or Equinix’s $3.6bn acquisition of rival TelecityGroup in 2015, have arguably heightened the threat of concentration risk among vendors because they reduce the choices managers have around providers.
Attempts to diversify
Samer Ojjeh, principal and US head of advisory services for alternatives at EY, contends that managers are responding to this by attempting to diversify their systems and by trying to forge closer partnerships with vendors.
He explains: “Managers also want to have their own independent view of the risk in their portfolio so that’s why they’re trying to diversify their systems from counterparties including trading counterparties, fund administrators and custodians. There is usually a lot of overlap in the systems used by hedge funds and their service providers.”
Ojjeh also argues that as a result of consolidation, more service providers are exploring the potential of building their own software, prompting more managers to try to partner with vendors offering less mature products, and helping these vendors mature their products so that the manager can have more control over their concentration risk.
He says: “Managers are looking to manage the risk of not having enough influence over the vendors to manage risks and enhancements. They are trying to avoid being a smaller fish in a big pond.”
This may be a realistic aspiration for managers when dealing with smaller, more niche vendors, but the issue is not as clear cut for key vendors such as administrators, custodians and prime brokers, all of which are obligatory relationships for a hedge fund to have, and all of which will have some insight, ownership or control of certain elements of a fund’s data.
“There is concentration risk at the administrators and prime brokers but there is no good strategy for it,” says the CTO of the $800m US fund.
“It’s like having all the eggs in one basket in your value chain, if one thing breaks you are in a bad state, and the industry is naturally going in that direction because fewer people want to be in that admin/PB space.”
Ojjeh says the larger, more mature hedge funds have this issue on their radar and are starting to ask deeper questions of their key service providers on the technology side in response.
“Mature hedge funds have been asking more detailed questions about cyber-attack preparedness and penetration testing, disaster recovery, data retention and archiving,” he explains.
“Some managers are even asking about social engineering protection and how data is being protected by their admin or PB from that perspective, because their trading strategy is their holy grail.”
Data centres are another area of serious potential concentration risk because they tend to be clustered near trading exchanges.
There is good reason for this: hedge funds want low latency and the only way to ensure that is to use a data centre near an exchange.
For example, in the US, many hedge funds will use data centres in New Jersey or Connecticut.
In the UK, meanwhile, Canary Wharf and Slough are home to large data centres, operated by the likes of Equinix and Virtus Data Centres, that hedge funds use.
“Slough has been the number one choice for proximity or low latency solutions for a long time,” explains Bricknell, citing its close proximity to London but also its location outside a flood plain, in contrast to low-lying Canary Wharf.
But Bricknell says that even the advantage of being closely located and outside a flood plain can present problems.
“At one stage in Slough, it got to the point where it was almost impossible to find capacity in the data centre because of the ultra-low latency the managers wanted,” he says.
“As a result it became very expensive. By definition, those hubs have to be close to the exchanges with nanosecond delays, which means there is major exposure to an outage at those sites.”
Similarly, even with a good arrangement in place, connectivity to data centres is not always so straightforward and presents another concentration risk.
As the $5bn fund CTO explains: “We use a data centre that’s further away because we rely less on low latency, but that does present some issues around the connectivity we can obtain.”
Connectivity is another risk to be aware of, one which appears to be offset by larger data centre providers offering multiple internet service providers and thus diverse routing from multiple providers, according to George Ralph, managing director at Richard Fleischman and Associates.
Many facets of risk
Concentration risk clearly exists in many facets of the technology function at hedge funds, but is perhaps an issue that garners less attention than things like cyber-security.
Regulators, so far, have had little to say on the issue from a technology standpoint, with the only recent reference to the issue contained in the FCA’s proposed guidance on cloud computing in November 2015.
While the 15-page document had plenty of detail around outsourcing guidance, the specific issue of vendor concentration risk was addressed with just one simple line, advising firms to “monitor concentration risk and consider what action it would take if the outsource provider failed”.
Aima, in a response part-authored by CTOs, said that while it agreed the FCA’s suggestions were a good idea “in theory”, it would be especially problematic to implement for large service providers with many clients, and smaller firms with confidential client lists.
“The FCA is simply cautious not to see firms put all their eggs in one basket,” said an FCA spokesperson.
“We don’t have much to elaborate on yet as we are still going through the responses to the consultation, but we expect to issue full guidance by April or May this year.”
The SEC, meanwhile, has not released specific guidance on technology concentration risk, but does advise firms reliant on third parties for elements of their technology to have a business continuity plan in place as per its cyber-security guidance, released in April 2015.
The SEC also cites IAA compliance rule 206(4)-7 as a guide for what it requires from firms, specifically a footnote within that regulation which states:
“We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel.”
In the meantime, CTOs are clearly aware of the issue and for certain elements of concentration risk such as exposure to an administrator or prime broker, there is no easy solution.
“We protect ourselves by having the encryption key so no vendor can access our data, but if we lost the encryption keys we’d be in very bad shape,” says the CTO of the $800m US fund.
Like many technology issues, protection against concentration risk often boils down to the budget allocated to spend on IT.
“I think CTOs are very aware of this but protecting against it comes down to the budget they are given,” says Ralph.
“The obvious thing is to think about all the potential existing bottlenecks in a business, and it should be considered as part of risk management, because the board should be given the chance to make an informed decision weighing up cost versus risk.”
To mitigate this, Ralph advises firms to perform functions such as random checks on staff activity, automated documentation, hardware maintenance, updated firmware on hardware, hardware support, manually testing for replication failure over configuration, virtualising servers, diversifying router connectivity and choosing good IT partners.
Bricknell, meanwhile, recommends split-vendor models despite the risk.
“There are a number of single points of failure many vendors don’t address, so you should diversify your environment,” he says.
“It gives you complete vendor diversity so you can spin up into a provider’s capacity but it also saves you money.”