Peter J. de Marigny is Portfolio Manager of DITMo® Strategies, an Equity Hedge, Aggressive-Income Objective, Buy/Write Portfolio used as an Enhanced Cash investment vehicle. Pj is also Head of Risk Alternative Strategies for Newport Beach, CA advisor Renovatio Asset Management.
Ryan Conner is Principal at HedgeCo Securities. As an experienced industry veteran, Ryan Conner offers his opinions on the hedge fund industry and hedge fund strategies.
Rashida Fleet is involved with consulting and working with managers during the fund launch phase. Her work includes interviewing managers, collecting information for the HedgeCo database and contributing to the HedgeCo News feed.
Tim Seymour is co-founder and managing partner of Red Star Asset Management, as well as Chief Operating Officer of the $116 million Red Star Double Alpha Fund.
Richard Heller is a partner at the New York City law firm of Thompson Hine LLP. His experience is in the formation of private offerings for hedge funds as well as the formation of registered broker-dealers and RIAs.
Cameron Hight, CFA, is an investment industry veteran with experience from both buy and sell-side firms, including CIBC, DLJ, Lehman Brothers and Afton Capital. He is currently the Founder and President of Alpha Theory, a Portfolio Management Platform designed to give fundamental money managers the ability to create their own repeatable discipline to organize the complex process of portfolio management.
The transition to cloud computing services is at a high in the hedge fund industry and will continue to increase throughout 2012 and beyond. Efficiencies, scalability and cost-savings are three of the most commonly listed benefits of moving to the cloud, while concerns around security remain one of the biggest perceived risks.
The reality is that cloud security is a real consideration across all industries – not just financial services – and must be a critical focus area when conducting due diligence on cloud infrastructures and cloud providers. The Cloud Security Alliance recently released the third version of its “Security Guidance for Critical Areas of Focus in Cloud Computing” report, which delivers actionable best practices around cloud security. The report is 177 pages, so consider this article a much abbreviated Cliffs Notes version to help frame your questions on cloud security for hedge fund environments.
Defense in depth is a security methodology long followed for on-premise infrastructures where layers of security (office building to desktop to server to firewall to router) help ward off threats and provide redundancy should one layer of protection fail or become compromised. This strategy is also applicable to cloud infrastructures, with a key difference being the cloud includes virtual assets along with physical assets.
Physical Security
Physical security includes the data center facilities that house the cloud infrastructure as well as the physical network components. The cloud should reside in a Tier III (or greater) class data center that is composed of multiple active power and cooling distribution paths as well as redundant components throughout. Be sure to ask the cloud provider whether the data center is in a region that could experience seismic activity, natural disasters (e.g. flooding) or other environmental threats that could disrupt service.
Beyond location, the cloud data center should be secured with practices including:
24x7x365 manned lobby with visual verification of identity
Two-phase (card and biometric) authentication of visitors
Secured entry points (doors and elevator banks), including sensors and cameras
Monitored security cameras
Visitor logs for cages, which are periodically reviewed and cross-checked
Key-locked cages and cabinets
Isolation & Security
Virtualization is a core element of a cloud infrastructure and brings unique security considerations as traffic travels differently over virtual machines than it does with a traditional network. A cloud provider should combine traditional network-based security controls alongside virtual machine security tools for an added layer of security. In addition to security protocols, all network interfaces within the virtualized environment should be configured in a redundant manner, and the infrastructure should be backed up and replicated to multiple data centers to ensure resiliency and uptime.
Another often-voiced cloud security concern is that of data co-mingling across different clients. A cloud must be architected in such a way that clients have secure, isolated environments for their data, resources and applications to reside. It is critical that data be securely separated to eliminate the risk for cross-contamination of data or access to other client environments. Consider asking a provider to explain their reporting mechanism for ensuring evidence of isolation and identifying a breach of isolation.
Finally, cloud providers should follow best practices for securing cloud inter-site transmissions and offer clients the option to encrypt sensitive messages in accordance with regulatory legislation including SOX, GLBA, PIPEDA and the European Union Data Directive.
Policies, Policies, Policies
As part of your due diligence, ask for specifics on your service provider’s security policies including:
Access Control Policy: How is access to and control of the storage, virtualization and network infrastructures managed? What protocols are in place for monitoring, granting access and logging changes to client information systems?
Information Security Management Policy: What physical and virtual security safeguards does the provider have in place to protect against breaches? How does the provider manage information security violations and incidents? What are the procedures for incident reporting, resolution and corrective action?
Employee, Visitor and Contractor Physical Security Policy: What practices are in place for monitoring employees, visitors and contractors while on premise (office or data center)? What background verification, screening agreements and employment agreements are established?
Beyond reviewing the policies, inquire about how employees are trained on the policies and when the company last tested its internal policies. It is worthwhile to request a summary of results to ensure a passing score was achieved and any identified vulnerabilities were addressed.
The Reality
Security threats exist in both traditional networks and cloud environments. The reality is that either deployment scenario is only as strong as its weakest link. The key is working with a provider that understands the unique security threats, looks at the infrastructure holistically and implements the appropriate safeguards to mitigate risks.
About the Author
Mary Beth Hamilton is director of marketing for Eze Castle Integration (www.eci.com), a leading provider of IT and cloud computing services, technology and consulting to hedge funds and alternative investment firms. She has over a decade of technology and marketing experience and holds an MBA from Boston College.
Private fund adviser registration is here, meaning a whole new world of compliance risk has become a reality. Successful registration means more than just filling out a form and the March 2012 deadline is fast approaching.
Remember, in order to be registered by the deadline, you must file by February. If you haven’t already taken the steps necessary to protect your firm, you’re out of time.
Hedge fund compliance firm NRS has put together some tools to help your firm prepare for registration:
Back by popular demand, a free Webinar entitled “Private Fund Registration and Compliance: What you need to know now”. Limited to the first 100 respondents, this online seminar is hosted by Mederic Daigneault, NRS’s Director of Hedge Fund Services, and will provide answers to frequently asked questions regarding registration requirements, timelines and the specifics of an ongoing compliance program.
NRS also recommends that you build your compliance program and complete registration documents now even if you don’t file until the 11th hour, avoiding the risk of operating as an unregistered investment adviser.
Once a hedge fund has determined that adoption of cloud-based services is appropriate for its business, selecting the right cloud technology provider is crucial. You are turning over control and entrusting your IT operations to the service provider; downtime is not an option, and a proven track record is vital.
During the vendor evaluation process it is necessary to ask tough questions and evaluate the service provider in a number of areas including the cloud architecture, security policies, data protection safeguards and support delivery. The following questions provide a starting point.
Cloud Architecture, Experience & Support
Does the service provider deliver dedicated or shared resources within the cloud? Will a client’s data be isolated from other clients who reside in the same cloud?
Does the cloud provider own their own equipment?
Is the cloud data center SAS 70 compliant?
Which technology vendors have applications operating within the service provider’s cloud?
What certification levels does the provider have with these application vendors?
How are support requests handled, and what is the expected response time?
What Service Level Agreements are in place for the cloud infrastructure?
Security Policies & Procedures
What is your information security policy and how often is it reviewed?
What security standards are used to ensure data and application integrity?
Have you ever experienced a security breach? If so, how was it resolved and what safeguards were implemented to prevent a repeat experience?
Is data encrypted at rest as well as in transit?
What physical security elements are in place at the data center (e.g. locked cages and cabinets, cameras, access points, etc.)?
When was your last network penetration test conducted and what did it involve?
Business Continuity & Disaster Recovery
Does the cloud infrastructure feature an N+1 configuration to enable high availability?
What are your backup and retention procedures? How long is data retained?
What is your disaster recovery strategy and how frequently is it tested? What does the test encompass?
Is there a plan for pandemic or mass absentee (up to 40%) situations?
Are there provisions in place to recover work in progress at the time of an interruption?
How much downtime (planned and unplanned) has your cloud experienced over the past 12, 24 and 36 months? How did the downtime impact clients?
This week we have a guest post by Matthew Reinhard, Member at law firm Miller & Chevalier
The tale of hand-bag mogul, turned Azerbaijan oil-speculator, turned felon, Frederic Bourke came to an end in mid-December when the Second Circuit Court of Appeals sustained his conviction on conspiracy to violate the Foreign Corrupt Practices Act (“FCPA”) and other charges. The next day the trial court denied Bourke’s motion for a new trial and ordered that he surrender himself to Federal Marshals on January 3, 2012 to begin serving a year and a day sentence in the federal penitentiary.
Bourke’s legal problem arose from a far-reaching private investment scheme designed to purchase and privatize the national oil company of Azerbaijan, SOCAR. Though the focus of much of this case has been on Bourke and the leader of the investment scheme, Viktor Kozeny, the so-called “Pirate of Prague” (who has, to date, fended off attempts to extradite him from the Bahamas to the United States to face charges), the case also touched the hedge fund world. Clayton Lewis, a former partner at the Omega Advisors, Inc. hedge fund, pled guilty to FCPA charges arising from Omega’s investment in the scheme, but has yet to be sentenced as the Government still hopes to use him as a testifying witness against Kozeny if and when he is extradited. Omega, for its part, avoided criminal prosecution, but did agree to a civil forfeiture of $500,000.
In upholding his conviction, the Court of Appeals found the trial court correctly informed the jury it could find Bourke guilty of conspiring to violate the FCPA if it believed he “consciously avoided” gaining knowledge of the corrupt scheme. In rendering its decision, the Court emphasized that Bourke knew he was doing business in a country with a reputation for corruption (Azerbaijan) and that Kozeny, who was leading the investment syndicate, had a reputation for corrupt dealings. This decision only reiterates the importance of conducting anti-corruption due diligence of potential business partners, especially on deals involving countries with a reputation for corruption.
While the scope and details of such due diligence efforts may necessarily vary from deal to deal, the basics can oftentimes be integrated into existing due diligence modules. In general, due diligence efforts directed at potential partners should be focused on discerning the reputation of the investor and determining whether the potential partner has any business or family ties with foreign government officials that could present FCPA risks. This may include asking the potential partner to answer detailed questionnaires, vigorously checking business and credit references, checking the partner against U.S. government and international “blacklists”, and personal interviews between the hedge fund manager and key personnel of the potential partner.
The bottom line take-away from the travails of Frederic Bourke, Clayton Lewis, Omega Advisors and their dealings with the Pirate of Prague is that the U.S. government expects sophisticated investors to know their partners and recognize the risks of investing in markets with a reputation for corruption. The U.S. government and the courts have made clear that investors who fail to undertake robust due diligence or who knowingly choose to partner with unsavory advisors risk prosecution under the FCPA.
Miller & Chevalier is recognized as having one of the pre-eminent FCPA and international anti-corruption practices in the United States. For more than 20 years, our team has advised U.S. and non-U.S. businesses in every aspect of anti-corruption and FCPA issues. Since 2006, Miller & Chevalier lawyers have made more than 100 visits to over 35 different countries on five continents, including China, Russia, and several countries each in Africa, Latin America, the Middle East, and South East Asia, in connection with FCPA investigations and compliance assessments.
JEFFERSON REVOLUTION! Vote RON PAUL
JEFFERSON LIBERTY! Vote RON PAUL
JEFFERSON SLAVERY: Vote OBAMA
GREATER THAN JEFFERSON: Vote OBAMA
JEFFERSON UNDERWEAR: Vote ROMNEY
ANOTHER CONSTITUTION OF JEFFERSON: Vote ROMNEY
JEFFERSON BIOGRAPHY: Vote NEWT
JEFFERSON CONSULTING: Vote NEWT
JEFFERSON PHILANDERER: Vote BACHMANN
JEFFERSON ISN’T CONSERVATIVE: Vote BACHMANN
I LIKE JEFFERSON TOO: Vote SANTORUM
I WILL CHANGE MY NAME TO JEFFERSON; Vote SANTORUM
I READ NEWT’s JEFFERSON BIOGRAPHY: Vote PERRY
DID JEFFERSON PLAY FOOTBALL?: Vote PERRY
KILL THE MONSTER! Vote RON PAUL
FEED THE MONSTER! Vote OBAMA
CONVERT THE MONSTER! Vote ROMNEY
NEGOTIATE WITH THE MONSTER! Vote NEWT
OUTLAW MONSTERS! Vote BACHMANN
I HATE MONSTERS, TOO! Vote SANTORUM
WE EXECUTE MONSTERS IN TEXAS! Vote PERRY
The increased use of cloud-based services is undeniable. Analyst firm Forrester forecasts that the global market for cloud computing will grow from $40.7 billion in 2011 to more than $241 billion in 2020. The advantages of using “the cloud” include the ability to:
Quickly implement and use enterprise-grade technology systems and applications without employing a dedicated IT team;
Outsource management and maintenance of technology to third-party experts responsible for ensuring continuous availability and high performance levels;
Transition technology spending from capital expenditures to operating expenditures; and
Easily scale technology environments to match business needs – eliminating the need to over or under buy when forecasting business growth.
When weighing adoption of cloud-services, it is important to understand the difference between cloud deployment models, namely public and private clouds.
Public clouds are owned and operated by third-party service providers and benefit customers by delivering cost-savings derived from economies of scale. While competitively priced, public clouds aren’t always the best option for firms that require custom configurations and applications or desire high-touch service from support staff that understand the financial services market and associated technology.
Private clouds are those that are built exclusively for an individual enterprise and can minimize concern around resource availability, security and resiliency. In the private cloud category, there are two flavors – on-premise and externally hosted.
An on-premise private cloud is generally known as an “internal cloud” that is hosted within an organization’s own data center. An externally hosted private cloud is, just as the name indicates, hosted and managed by an external cloud computing provider. Externally hosted private clouds are a popular choice for hedge funds as they allow for greater customization and flexibility while still providing compelling cost-savings.
Beyond the types of clouds, the cloud-based services market is frequently divided into three subcategories based on the services delivered. These categories are: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Of these, IaaS and SaaS are gaining the greatest traction and interest in the hedge fund market.
In the SaaS model, an application is hosted and managed by a vendor or service provider and made available to users via the Internet. Customers share all or part of an application but do not control the underlying platform or infrastructure.
PaaS is the delivery of a computing platform via the cloud. The PaaS model enables hedge funds to build and test applications without incurring the cost and complexity of buying and managing the underlying software/hardware.
IaaS provides computing resources without requiring a firm to purchase physical hardware such as storage, servers and networking equipment. Many IaaS providers bundle the infrastructure services with business applications, such as Microsoft Exchange and Office, to deliver a complete solution. With IaaS, customers can control processing power, networking components, the operating system, storage and deployed applications, but do not control the underlying physical infrastructure.
Cloud-based services aren’t right for every hedge fund, but the potential value delivered via the cloud makes it essential that firms become knowledgeable about their technology options.
By Jay Gould – (Pillsbury Winthrop Shaw Pittman LLP) - On October 18, 2011, the SEC released a notice of FINRA’s filing of Proposed Rule 5123 (the “Proposed Rule”) which would require FINRA members and associated persons to: 1) provide to investors disclosure documents in connection with private placements prior to sale and 2) file with FINRA such disclosure documents within 15 days after the date of first sale and any subsequent amendments. These proposed changes would significantly affect fund managers who offer or sell their funds that are exempt from registration pursuant to Section 3(c)(1) of the Investment Company Act through third party marketers, nearly all of which are required to be registered as broker-dealers.
Pre-sale requirement to provide disclosure documents to investors
The Proposed Rule would require FINRA members and associated persons that offer or sell private placements or participate in the preparation of private placement memoranda (“PPM”), term sheets or other disclosure documents in connection with such private placements, to provide such disclosure documents to investors prior to sale. The disclosure documents must describe the anticipated use of offering proceeds, the amount and type of offering expenses, and the amount and type of offering compensation. Much of this information is currently captured in the Form D filing that most fund managers file with the SEC, but under the Proposed Rule, would go directly to investors in connection with the sale of fund interests.
As a practical matter, this likely means increased scrutiny of hedge fund and other private fund offerings by FINRA, as well as the likelihood that third party marketers that sell on behalf of hedge funds may request greater or more enhanced indemnification from fund managers in the placement agency agreement between the third party marketer and the fund manager. Accordingly, fund managers who use third party marketers to market their funds must keep their fund documents updated, taking into account all changes to fund strategies, material performance issues (to the extent applicable), regulatory changes and management personnel changes, to name a few.
Post-sale requirement to notice file with FINRA
The Proposed Rule would also require each FINRA member and associated person to notice file with FINRA by filing the PPM, term sheet or other disclosure documents no later than 15 days after the date of first sale. In addition, any amendments to such disclosure documents or disclosures required by the Proposed Rule would have to be filed no later than 15 days after such documents are provided to any investor or prospective investor. To the extent these documents are provided to investors, they would also be subject to the strict liability standard of Rule 206(4)-8 under the Investment Advisers Act to which all fund managers are already subject. Accordingly, fund managers must be careful to keep all of their documents current under the materiality standards of state and Federal securities laws.
Offerings Exempted from the Proposed Rule
The Proposed Rule would exempt several types of private placements including offerings sold only to any one or more of the following purchasers:
· institutional accounts, as defined in NASD Rule 3110(c)(4);
· qualified purchasers, as defined in Section 2(a)(51)(A) of the Investment Company Act; (Accordingly, 3(c)(7) funds would be exempt from the Proposed Rule.)
· qualified institutional buyers, as defined in Securities Act Rule 144A;
· investment companies, as defined in Section 3 of the Investment Company Act;
· an entity composed exclusively of qualified institutional buyers, as defined in Securities Act Rule 144A;
· banks, as defined in Section 3(a)(2) of the Securities Act; and
· employees and affiliates of the issuer.
In addition, the Rule would exempt the following types of offerings:
· offerings of exempted securities, as defined by Section 3(a)(12) of the Exchange Act;
· offerings made pursuant to Securities Act Rule 144A or SEC Regulation S;
· offerings of exempt securities with short term maturities under Section 3(a)(3) of the Securities Act;
· offerings of subordinated loans under Exchange Act Rule 15c3-1, Appendix D;
· offerings of “variable contracts” as defined in Rule 2320(b)(2);
· offerings of modified guaranteed annuity contracts and modified guaranteed life insurance policies, as referenced in Rule 5110(b)(8)(E);
· offerings of non-convertible debt or preferred securities by issuers that meet the eligibility criteria for incorporation by reference in Forms S-3 and F-3;
· offerings of securities issued in conversions, stock splits and restructuring transactions that are executed by an already existing investor without the need for additional consideration or investments on the part of the investor;
· offerings of securities of a commodity pool operated by a commodity pool operator as defined under Section 1a(11) of the Commodity Exchange Act; and
· offerings filed with FINRA under Rules 2310, 5110, 5121 and 5122.
Confidential treatment
Documents and information filed with FINRA pursuant to the Proposed Rule would be given confidential treatment. FINRA would use such documents and information solely for the purpose of determining compliance with FINRA rules or other applicable regulatory purposes, although presumably such documents would be available to the SEC in connection with examinations and enforcement proceedings of hedge fund managers. In addition, FINRA would afford confidential treatment to any comment or similar letters by FINRA, which thus would not be discoverable by a litigant through a legal action.
A full text of the SEC Notice is available here (PDF).