By Grigoriy Milis, CTO, RFA
Over the course of less than a decade, the complexity of hedge fund technology due diligence has evolved at a rapid rate. Firms were once able to satisfy investors and regulators by demonstrating that their infrastructure was composed of appropriately resilient hardware and software, but new standards have been set that have expanded the scope of the typical due diligence questionnaire (DDQ).
Elements addressed in DDQs are now anticipating technology best practices rather than responding to the status quo. How did this expansion of scope occur and what do firms need to be prepared for in the future?
Aspects of technology covered in DDQs have evolved in stages. In the past, IT DDQs were singularly focused on the Stability Stage of network engineering, ensuring that a hedge fund’s infrastructure resided on enterprise-grade hardware and consisted of the key elements necessary to conduct business quickly and reliably. These traditional questions test whether or not the firm has technology assets in place such as routers that stand up to the demands placed on them by trading programs, firewalls that provide a reliable barrier against unwanted traffic, and switches that keep the network running smoothly. Storage capacity, server configuration, and a technology asset inventory are all addressed during the Stability Stage.
As firms have moved towards more complex networks that rely increasingly on Internet connectivity, a Redundancy Stage has come into play. Not only is it expected that networks should be composed of business-grade hardware, it is a requirement that these networks are designed to keep operating in the event of a hardware or software failure. Network outages can be caused by events as dramatic as a natural disaster or as simple as an HVAC failure or a loss of power to a network device. Whatever the cause, DDQs commonly require some form of disaster recovery (DR) technology and business continuity planning (BCP) to be in place. These DR/BCP designs will ensure systems can be brought online faster than traditional backups allow. They will also provide a more recent replica of the production environment so firms don’t need to rely on point-in-time backup captures of data and applications that are used for archival purposes.
Most recently, DDQs have begun to address the Protection Stage of technology planning. Networks are required to be resilient and redundant, and now they must also have the appropriate security measures in place to ensure data assets are not compromised or stolen. The inclusion of security-related questions signals a shift in the development of the DDQ: No longer are these documents reactive in nature, keeping pace with regulations and technology standards. Now they are prefiguring regulatory guidelines. In the development of its April 2014 OCIE Cybersecurity Bulletin, the SEC referred to industry DDQs to compile and develop its own sample questionnaire. Requirements for intrusion detection and prevention systems, information security plans, and other key elements of cybersecurity were pulled from pre-existing documentation crafted by hedge fund investors.
The Proof Stage is an emerging trend for technology DDQs. Now that a comprehensive picture of network stability, redundancy, and security has been addressed, investors are starting to seek detailed proof that technology systems will operate as promised. Requests for proof of security penetration tests, disaster recovery tests, and other documentation surrounding system functions are beginning to be included in many DDQs. In addition to proof of testing, there is an increased demand for technology documentation of processes and procedures. This is needed to determine who has access to data resources within the company as well as to understand what third parties have access to data. As has been seen from breaches at major retailers, third parties can be the source of network attacks for which firms will be held accountable.
In much the same way that the Sarbanes-Oxley Act shaped the way publicly held companies managed their technology assets, the evolution of DDQs is now guiding the way for hedge funds to address the enhancement of their data and related procedures. It is no longer realistic to expect to simply check the boxes next to server and firewall requirements. In order to satisfy an increasingly tech-savvy investor base, hedge funds will have to stay ahead of the technology curve.
The Evolution of Technology Due Diligence for Hedge Funds (Wall Street and Technology, October 10, 2014)