The Evolution of Investor IT Due Diligence
TRANSCRIPT
Follow Along @EzeCastleECI #ITDueDiligence
Topics Covered
Influencers to Evolution
Facets of IT Due Diligence
Investor Perspective on the Cloud
Common DDQ Questions
Due Diligence: The Influence to Evolution
Regulation
Sophistication of technology
Increased outsourcing
Prevalence of cyber threats
Large-scale disasters
Investor IT Due Diligence
Regulatory challenges and scandals within the investment industry have forced investors to sharpen operational due diligence dramatically.
Facets of IT Due Diligence:
Organization/Company Background
Contingency/Redundancy Planning
Systems, Network & Information Security Practices
Access Control & IT Security Policies
Compliance
Facets of IT Due Diligence: Organization/Company Background
Business History
Years in business
Number of clients
Company Financials
Corporate Structure
Third-Party Providers
What functions do you outsource?
Tell us about THEIR backgrounds!
Facets of IT Due Diligence: Contingency/Redundancy Planning
Policy Layer: BCP Strategies
Management Layer: BCP Plans, Validation & Testing
Infrastructure Layer: Data Backup, Replication, Storage, Alternate Site, etc.
Facets of IT Due Diligence: Systems, Network & Information Security Practices
Data/Systems/Network Security
Protections need to be in place at each infrastructure level, from the desktop to the data center
Identify system vulnerabilities and risk mitigation procedures
Network and physical security practices
Intrusion detection & prevention
Regular vulnerability assessments
Are mature threat management practices in place?
Facets of IT Due Diligence: Access Control & IT Security Policies
Access Control
Who has access to what? Server room, data center, shared drives, etc.
Cybersecurity/Risk Management
Written, documented security plans/policies
Access control
Personal information security
Incident response
Third-party risk
Culture of security?
Facets of IT Due Diligence: Compliance
What legal and regulatory issues/directives (e.g. Dodd-Frank, SEC cyber exams) are applicable?
Does your firm conduct a regular/annual assessment or audit?
Do you have a compliance manual?
Do you have a written information security plan (WISP)?
The Investor Perspective on the Cloud: Private Cloud Service vs. On-premise Installation

Delivery
  Private Cloud Service: Fully Managed & Hosted
  On-premise Installation: On-Premise
Implementation & Turnaround
  Private Cloud Service: < 1 week
  On-premise Installation: 4 – 6 weeks
Pricing
  Private Cloud Service: Subscription (All Inclusive)
  On-premise Installation: Perpetual OS/Application Licensing + Maintenance
Cost Allocation
  Private Cloud Service: Expensed (Over Time)
  On-premise Installation: Capitalized (Upfront)
Additional Costs
  Private Cloud Service: Additional Users & Resources
  On-premise Installation: Customization, Updates/Upgrades, Maintenance, Ongoing Support
Platform
  Multi-Applications & OS
Updates
  Private Cloud Service: Shorter – Automatic – Invisible – Defined
  On-premise Installation: Larger – Frequent – Ubiquitous
The Investor Perspective on the Cloud: Private Cloud vs. Public Cloud

Infrastructure
  Private Cloud: Dedicated infrastructure per customer
  Public Cloud: Shared infrastructure for all users
Security
  Private Cloud: Layers of security. Less likely to be the target of an external hack
  Public Cloud: Security offerings vary. More susceptible to external attacks
Disaster Recovery
  Private Cloud: Built-in DR
  Public Cloud: DR not guaranteed; could be an additional cost
Common DDQ Questions
Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the company's organizational structure.
When was the last date on which the company tested its internal policies and procedures? Please provide a summary of the results.
What IT upgrades occurred in the last 12 months? What upgrades are planned for the next 12 months? How do you stay current with technology?
Provide details on relationships with third-party integrators and support providers, including an overview of their credentials and length of relationship.
Describe the company's security measures with respect to systems access, including who has access and at what level.
Describe in detail (i) what records the company retains on behalf of the client (in both electronic and physical format) and (ii) for how long the records are kept.
How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?
How do you screen employees prior to employment? What background checks are undertaken?
Has a secondary working location been established to which employees should report in the event of a disruption or outage?
How often is the company's disaster recovery plan tested?
Final Thoughts
Investors have been influenced by a wide variety of factors and, as a result, have increased their technology savvy.
Due diligence is about more than demonstrating successful performance. It is about taking responsibility for all areas of your organization.
ADVICE: Be thoughtful in how your firm approaches technology and, in particular, cybersecurity, as they can make or break your relationship with investors.
About Eze Castle Integration
Learn more at www.eci.com/blog
Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management. We provide one global financial cloud platform that is complemented by exceptional service and operational excellence.
Our Eze Private Cloud is built to deliver the high performance, applications and exceptional user experience demanded by the hedge fund and investment industry.