
Finding the Phish in Your Firm’s Pond

It’s Friday afternoon, and you’re planning to leave early and get a jump start on your weekend. You receive an email with the subject “Office 365 – Failed Login Attempts – Password Reset Required Immediately!” You wonder who tried to access your account, or whether you forgot to log out of your email on the public computer at the hotel business center. You are all but out the door when, out of an abundance of caution, you decide you should probably reset your password; otherwise you’ll think about it all weekend. The email looks legitimate. You click the link and a familiar page opens in your browser. Everything looks as expected – the logos are there, the web address looks convincing, and the general layout of the site leads you to believe this is a legitimate website. You enter your username and your old password, carefully select a new, even more complex password, and click the button to reset it. The problem is, in your haste to get out of the office early, you just clicked a link in a fraudulent email. The credentials you just entered on that website? They were just sent to an attacker who can now access your company’s network masquerading as you. You just fell victim to a phishing attack, and unfortunately, you’re not alone.

What is Phishing?

Phishing is a form of social engineering where an attacker with malicious intent attempts to trick a target into performing an action such as clicking a link, providing credentials, or opening an infected file. Targets are often tricked into disclosing private or sensitive information by someone impersonating a trusted source such as a bank or credit card company, an authoritative source such as a government agency, or by appealing to a target’s willingness to help by impersonating a colleague, supervisor, or client. In one of the more successful methods of phishing, attackers send emails to company staff purporting to be from company executives.

Mike Farrell, CISA, CISM – CSS Cyber IT Services

Securing Your Investments: Why Cybersecurity Matters for Private Equity Investments

Would you buy a car without taking it for a test drive? It seems obvious you would want to know the vehicle has all its parts, and that those components work together to make the vehicle operate properly. Unfortunately, in the world of private equity investing, advisers may be doing exactly that, investing in a business before taking it for a proverbial test drive to evaluate the number one risk facing any firm today: cybersecurity.

To be fair, private equity advisers conduct substantial deal-related due diligence prior to deploying fund capital into a privately held business. But at the end of the day, how much of that due diligence is driven by the current financials, EBITDA, revenue forecasts, and competitive advantage? What attention, if any, is given to the information security posture of the organization? Cyberattacks on public companies make all the headlines, and it may surprise some to hear that companies of all shapes and sizes are at risk of a cyberattack or data breach. A single cyberattack or breach could put a small- to mid-size company out of business once cybersecurity forensics and legal expenses mount, with drastic consequences not only for the business, its clients and employees, but also for the fund’s valuation and the investment adviser’s bottom line.

By E.J. Yerzak, CISA, CISM, CRISC and Mike Farrell, CISA, CISM – CSS Cyber IT Services

Big Data Part III: Preparing for the Future of Global Regulatory Governance

United States and European Union reporting requirements imposed on investment managers have exploded since the Global Financial Crisis and, with the imminent arrival of SFTR in Europe, they seem poised to expand again. The challenge of reporting trades, transactions and contracts in multiple jurisdictions requires firms to embrace technology as regulators continue to look to big data as a solution for identifying issues and potentially preventing another crisis.

What should investment managers be doing right now, and how should they be planning to handle even more reporting? At the recent Ascendant Compliance Solutions Strategies 2019 Spring Conference, John Walsh of Eversheds Sutherland LLP, along with Keith Marks and Jeanette Turner of CSS, reviewed the evolution of big data since the global financial crisis, and offered guidance on managing today’s reporting challenges and preparing for the future.

The panel noted that following the financial crisis, firms and regulators sought to understand why it happened. The push for big data began due to “sheer panic as major firms everyone thought were fully capitalized collapsed,” leading to a feeling of “the world is ending, what do I need to know?” noted Mr. Walsh.

This ushered in the first wave of rulemaking, with MiFID I, AIFMD, and Dodd-Frank, followed by MIDAS, VAG, CRR, Solvency II and other regulations. In 2014, the SEC launched the National Exam Analytics Tool (NEAT), enabling Office of Compliance Inspections and Examinations (OCIE) examiners to access and systematically analyze years of trading data much more efficiently than in the past. Since then, investment managers have been faced with additional new reporting requirements and forms, as well as the modernization of existing forms, with N-PORT, N-CEN, MiFID II, SFTR, MMFR, PRIIPs and the re-expansion of Form ADV.

The panel noted that regulators are crunching data from commercial sources, custodians, and broker-dealers in addition to what is provided directly by advisers. Mr. Marks offered a glimmer of hope, reminding the audience that the SEC recognizes there is a cost of making regulatory changes and the debate of cost and burden is real. In fact, in remarks made at the Economic Club of New York, July 12, 2017, SEC Chairman Jay Clayton acknowledged, “Companies spend significant resources building systems of compliance, hiring personnel to operate those systems, seeking legal advice concerning the design and effectiveness of those systems, and adapting the systems as regulations change. Shareholders and customers bear these costs, which is something that should not be taken lightly, lest we lose our credibility as regulators.”

So, what can you do now? Here are the panel’s big three tips:

  • Be agile. Look at your legacy systems and determine whether they can accommodate change or whether it’s time to swap them out and prepare for evolving reporting needs.
  • Know your data. If you’re unaware of what’s in your trading data, that’s a problem. Regulators are not tolerant. The firm needs to understand its data. If your business is data rich and using great technology, but your compliance team is not, you’re in trouble.
  • Watch the regulators. It’s going to continue to be an iterative evolution, but market data will increasingly serve as the source of rulemaking.

CSS offers a full, strategic suite of solutions to address the full scope of global compliance needs. For more, visit our Solutions page.

Custody Concerns Continue

You timely filed your Form ADV within 90 days of fiscal year end, but did you properly answer all the questions related to custody? Not surprisingly, the Form remains confusing for many advisers, as does application of the Custody Rule itself. The SEC has issued guidance, letters to the industry, alerts and FAQs, but things remain murky, and not just on the delivery-versus-payment concept.

Do you have custody, and are you meeting your obligations if you do? This is not a one-stop analysis. The nuances of the Custody Rule, including its application to your operations, require you to continuously and regularly assess your business and practices, including client relationships, client onboarding processes, fee calculations, advisory contracts, client-custodial contracts, custodial relationships, client services, affiliate relationships, affiliate services, and more. On top of that, you then must accurately disclose your custodial practices, choosing your words carefully and explaining things in “plain English,” which in and of itself can be problematic.

The SEC may be poised to soon revise the Custody Rule. But, in the meantime, it continues to expect compliance with the Custody Rule and continues to issue enforcement orders against registered advisers who fail to adhere to the Custody Rule’s mandates. In short, protecting client assets is a perennial mission for the SEC; and the SEC sees little need to compromise on the important responsibility of protecting client assets, even if you are not 100% clear on the specifics of the Custody Rule and the intricacies of the required controls. This is especially true if you have custody over retail client funds or securities.

Sometimes, with a little assistance, concepts that initially seem complex become simple, and responsibilities that seem overwhelming become routine. Consultants from CSS’s consulting arm, Ascendant, can help turn the interpretation and implementation of the Custody Rule into a simple, organized routine. Additionally, the Ascendant Custody Toolkit provides a step-by-step program to facilitate understanding and application.

“Do not let Custody get you down.” We first will help you assess your authority over and access to client funds and securities, and then discuss required maintenance and protective measures, including whether you need a surprise examination, an annual audit, an internal control report, or other controls. If you want to avoid custodial authority, we also can help you strategize on how to change your business practices. Finally, we can help you tailor your written policies and procedures to ensure that you are doing what you say and saying what you do, all of which needs to be in compliance under the watchful eyes of the SEC. You timely filed your Annual Updating Amendment, but, alas, custody concerns continue and a compliance professional’s work never ends.

For more information on our compliance consulting services, click here.

Blockchain Isn’t Hot Sauce

Guest post by Samson Williams, Partner – Axes & Eggs, and Keynote Speaker – Ascendant CSS Spring 2019 Conference

I started telling people that blockchain isn’t hot sauce in mid-2017 to help explain why initial coin offerings (ICOs) were just the latest form of unregulated, online gambling. In November 2017, with Bitcoin nearing a high of $19k per bitcoin, I was telling anyone who would listen that 98% of ICOs were destined to fail. As of April 2019, ~87% of ICOs have failed and the global investor community has come to realize that it’s true; blockchain isn’t hot sauce. However, it should be noted that a 2% survival rate for entrepreneurs looking to leverage an emerging, novel technology is actually a sign of a healthy startup ecosystem.


“So what?”

So what, right? As compliance managers, SMEs and leaders, why do you care that blockchain isn’t hot sauce? Here are eight reasons why blockchain not being hot sauce matters (or should matter) to compliance professionals:

  1. You can’t “invest in blockchain.” You can invest in businesses that leverage blockchain technology to be more profitable. If blockchain doesn’t make your business more profitable, why would you use it?
  2. Less than 1% of businesses will ever be true blockchain businesses. This statement requires a little explanation. AOL (America Online) and Comcast Cable are internet service providers (ISPs). Amazon, Google, Uber, and other web/mobile app-based businesses are not ISPs, but they do use the internet as a tool to generate profits. Consensys is the blockchain equivalent of AOL. They are a true “blockchain business.” Leveraging Consensys’ ERC20 protocol and others, Consensys is happy to build you, or any business, a blockchain infrastructure on which to conduct your business, for a fee, of course. Does your business need a blockchain infrastructure to make money? This would mean making your company more profitable than it currently is, not just for a quarter but for the long run. For 99% of businesses the answer is “No.” Blockchain as a technology will be a help desk job by 2024. So the real question is: do you want to invest in today’s blockchain “AOLs” or tomorrow’s businesses that leverage blockchain, as Amazon does the internet, as a tool to generate profit?
  3. Blockchains come with risk. Do you want everyone to be able to see all your business records? What are the legal requirements of “self-reporting” when you have 100% transparency to every transaction? What are the moral, ethical and reputational realities of having the ability to monitor and potentially prevent 100% of malfeasance within your business operations? How do you maintain data privacy when records are “immutable”? What are the regulatory requirements for managing data, access and records internationally, when using a blockchain? #GDPR
  4. Cryptocurrencies are a customer service battle. Customers want convenience in banking. Banking is a verb. Ultimately customers will choose whichever noun (bank, Facebook, Apple, cellphone, etc.) can provide them with the most convenient banking services and experiences. So, how does KYC/AML work on a burner phone?
  5. Stablecoins don’t exist but nonetheless come with real risk. From JPMorgan to Facebook, institutions are rolling out new, ever more clever ways of creating “value” from thin air. How has the industry acknowledged the risk of stablecoins? How do we as an industry verify the value of something made, not by a government-backed bank out of thin air, but by some other private institution that provides banking services? So-called stablecoins present a variety of unknown risks that your institution and you as compliance experts will be tasked with discovering. So, what is a stablecoin? And what exactly makes it stable?
  6. Shitty data on a blockchain is shitty data on a blockchain. Blockchain isn’t quality assurance for your data. However, your business’ data is its most valuable asset. How will you profitably manage your data in a decentralized ecosystem?
  7. Blockchains present a whole new world of cybersecurity risks. Systemic risks of blockchains will not be known until after they’re built and hacked. Who wants to volunteer to be hacked first?
  8. Smart Contracts aren’t smart, nor contracts. Smart contracts are at best “terms and conditions.” You don’t want to find this out the hard way.

The above is by no means an exhaustive list of why Blockchain isn’t hot sauce. Blockchain isn’t hot sauce because it does not magically resolve even basic business issues such as operations, customer acquisition, service delivery, or profit generation. Blockchain also does not fix human issues of trust, transparency, and accountability. That said, blockchain technology is here to stay.

Looking forward to seeing you all in a couple of weeks at the Ascendant Compliance Solutions Strategies Spring 2019 Conference in Miami. Come prepared to discuss what blockchain is, why blockchain is here to stay, how it’s poised to impact your wallets, and which technologies will be even more disruptive to your business operations, organizational culture and bottom lines than blockchain.

See you in South Beach!

It’s not too late to join us in Miami. For more information or to register, click here.

ESMA Updates AIFMD Q&As

The European Securities and Markets Authority (ESMA) has updated its Questions and Answers on the application of the Alternative Investment Fund Managers Directive (AIFMD).

Specifically, ESMA has added two new Q&As, providing clarification on the calculation of leverage under AIFMD:

  • The treatment of short-term interest rate futures for the purposes of AIFMD leverage exposure calculations according to the gross and commitment methods.
  • The required frequency of the calculation of leverage by an AIFM managing an EU AIF which employs leverage.

Question 6 [Last update 29 March 2019]: Should the calculation of leverage exposure of an AIF resulting from a short-term interest rate future be adjusted for the duration of the future, under the gross and the commitment methods?

Answer 6 [Last update 29 March 2019]: No. The calculation of leverage exposure of an AIF resulting from a short-term interest rate future should not be adjusted for the duration of the future. Subparagraph (a) of paragraph (1) of Annex II of the Commission Delegated Regulation (EU) No 231/2013 sets out the method to be applied, when converting all interest rate futures into equivalent positions in the underlying asset in the process of calculation of exposure of the AIF, as the product of the number of contracts and the notional contract size. The duration of the financial instrument should not be considered for the purpose of that calculation.

This does not, however, preclude AIFMs managing AIFs that, in accordance with their core investment policy, primarily invest in interest rate derivatives from applying duration netting rules under the commitment method, in accordance with paragraph (9) of Article 8 of the Commission Delegated Regulation (EU) No 231/2013.

Question 7 [Last update 29 March 2019]: How frequently should an AIFM calculate the leverage of each AIF that it manages?

Answer 7 [Last update 29 March 2019]: An AIFM should calculate the leverage of each AIF that it manages as often as is required to ensure that the AIF is capable of remaining in compliance with leverage limits at all times. Consequently, leverage should be calculated at least as often as the NAV is calculated, or more frequently if required. Circumstances which may lead to increased frequency of leverage calculation include material market movements, changes to portfolio composition and any other factors the AIFM believes require calculation of leverage more frequently than NAV in order for the AIF to remain in compliance with leverage limits at all times.

For more on our AIFMD reporting platform Consensus, click here.