The Evolution of Investor IT Due Diligence

Uploaded by: eze-castle-integration

Posted on 21-Feb-2017


TRANSCRIPT

Follow Along @EzeCastleECI #ITDueDiligence

The Evolution of Investor IT Due Diligence


Topics Covered

Influencers to Evolution

Facets of IT Due Diligence

Investor Perspective on the Cloud

Common DDQ Questions


Due Diligence: The Influence to Evolution

Regulation

Sophistication of technology

Increased outsourcing

Prevalence of cyber threats

Large-scale disasters

Investor IT Due Diligence

Regulatory challenges and scandals within the investment industry have forced investors to sharpen operational due diligence dramatically.

Facets of IT Due Diligence

Organization/Company Background

Contingency/Redundancy Planning

Systems, Network & Information Security Practices

Access Control & IT Security Policies

Compliance

Facets of IT Due Diligence: Organization/Company Background

Business History

Years in business

# clients

Company Financials

Corporate Structure

Third-Party Providers

What functions do you outsource?

Tell us about THEIR backgrounds!

Facets of IT Due Diligence: Contingency/Redundancy Planning

Policy Layer: BCP Strategies

Management Layer: BCP Plans, Validation & Testing

Infrastructure Layer: Data Backup, Replication, Storage, Alt. Site, etc.

Facets of IT Due Diligence: Systems, Network & Information Security Practices

Data/Systems/Network Security

Protections need to be in place at each infrastructure level – from the desktop to the data center

Identify system vulnerabilities and risk mitigation procedures

Network and physical security practices

Intrusion detection & prevention

Regular vulnerability assessments

Are mature threat management practices in place?

Facets of IT Due Diligence: Access Control & IT Security Policies

Access Control

Who has access to what? Server room, data center, shared drives, etc.

Cybersecurity/Risk Management

Written, documented security plans/policies

Access control

Personal information security

Incident response

Third-party risk

Culture of Security?

Facets of IT Due Diligence: Compliance

What legal and regulatory issues/directives (e.g. Dodd-Frank, SEC Cyber Exams) are applicable?

Does your firm conduct a regular/annual assessment or audit?

Do you have a compliance manual?

Do you have a written information security plan (WISP)?

The Investor Perspective on the Cloud

Private Cloud Service vs. On-premise Installation

Delivery: Fully Managed & Hosted | On-Premise
Implementation & Turnaround: < 1 week | 4 – 6 weeks
Pricing: Subscription (All Inclusive) | Perpetual OS/Application Licensing + Maintenance
Cost Allocation: Expensed (Over Time) | Capitalized (Upfront)
Additional Costs: Additional Users & Resources | Customization, Updates/Upgrades, Maintenance, Ongoing Support
Platform: Multi-Applications & OS |
Updates: Shorter – Automatic – Invisible – Defined | Larger – Frequent – Ubiquitous

Private Cloud vs. Public Cloud

Private Cloud | Public Cloud
Dedicated infrastructure per customer | Shared infrastructure for all users
Layers of security; less likely to be the target of an external hack | Security offerings vary; more susceptible to external attacks
Built-in DR | DR not guaranteed; could be an additional cost

Common DDQ Questions

Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the company’s organizational structure.

When was the last date on which the company tested its internal policies and procedures? Please provide a summary of the results.

What IT upgrades occurred in the last 12 months? What upgrades are planned for the next 12 months? How do you stay current with technology?

Provide details on relationships with third-party integrators and support providers, including an overview of their credentials and length of relationship.

Describe the company’s security measures with respect to systems access, including who has access and at what level.

Describe in detail (i) what records the company retains on behalf of the client (in both electronic and physical format) and (ii) for how long the records are kept.

How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?

How do you screen employees prior to employment? What background checks are undertaken?

Has a secondary working location been established to which employees should report in the event of a disruption or outage?

How often is the company’s disaster recovery plan tested?

Final Thoughts

Investors have been influenced by a wide variety of factors and, as a result, have increased their technology savvy.

Due diligence is about more than demonstrating successful performance. It is about taking responsibility for all areas of your organization.

ADVICE: Be thoughtful in how your firm approaches technology, and cybersecurity in particular, as they can make or break your relationship with investors.


About Eze Castle Integration

Learn more at www.eci.com/blog

Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management. We provide one global financial cloud platform that is complemented by exceptional service and operational excellence.

Our Eze Private Cloud is built to deliver the high performance, applications and exceptional user experience demanded by the hedge fund and investment industry.