Hedge Fund Compliance: Ensuring the Security of Investor Data Online
October 15th, 2009
Contributed by: Natalie Kaminski, FinCode Solutions
As fund managers prepare to meet the many requirements of the Hedge Fund Transparency Act, they are looking for ways to reduce overhead and streamline tedious administrative processes. There are countless software and technology solutions designed to automate manual tasks and improve productivity. One key solution that many hedge funds consider is an Online Reporting System, also sometimes referred to as an “Investor Website.”
Online Reporting Systems have many advantages when it comes to sharing investors’ data. For example, investors have the ability to access their performance reports from any place and at any time. Also, the generation and distribution of these reports is significantly simplified and expedited due to the ability to pull data directly from source databases onto their screens. However, before rushing to implement an Online Reporting System, whether packaged or custom-built, it is very important to consider the security risks involved and understand how to minimize them.
The most obvious but often overlooked security feature is password strength. Require passwords of at least 12 characters; length does more to resist guessing and cracking than any composition rule, although requiring a mix of uppercase, lowercase, digits and symbols still helps. Reject, rather than merely warn against, passwords built on repetition, dictionary words, letter or number sequences, the username, relatives’ or pets’ names, or any other biographical information, because users will not enforce these rules on themselves. An unusual password is harder to memorize, but it greatly reduces the risk of an account being guessed. Pair the policy with rate limiting or lockout on failed logins so that online guessing stays slow whatever password the investor chose.
Further, passwords should never be stored in a recoverable form. Developers sometimes encrypt them with a standard reversible algorithm, but the encryption key then becomes a single point of failure: whoever obtains it can recover every password in the database. The correct approach is a one-way hash function. A hash is not encryption and involves no key; it maps the password to a fixed-size digest from which the password cannot be recovered, and only that digest is stored. When a user logs in, the submitted password is hashed the same way and compared with the stored digest; if they match, the user is authenticated. Two details matter in practice. Each password must be hashed with its own random salt, so that two investors with the same password do not produce the same digest and precomputed tables are useless. And the hash must be deliberately slow, using a password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2 rather than a bare MD5 or SHA-1, so that an attacker who steals the database cannot test billions of guesses per second. The comparison itself should run in constant time so that timing does not leak anything about the stored digest.
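As an added illustration of the two preceding paragraphs (this is editor-supplied example code, not FinCode’s or the original article’s), the following Python checks a candidate password against the policy described above and then stores and verifies it as a salted, iterated PBKDF2-HMAC-SHA256 hash using only the standard library. The minimum length, the iteration count and the five-word dictionary are illustrative assumptions; a production deployment would check against a full breached-password corpus and tune the iteration count to its hardware.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # assumed policy value, following the article's guidance
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "hedgefund"}


def password_problems(password, username=""):
    """Return a list of the policy rules the candidate violates; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(pattern, password) for pattern in classes):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    lowered = password.lower()
    # Repetition: the same character four or more times in a row ("aaaa", "1111").
    if re.search(r"(.)\1{3,}", lowered):
        problems.append("contains a repeated character run")
    # Sequences: four consecutive ascending or descending code points ("abcd", "4321").
    for i in range(len(lowered) - 3):
        window = [ord(ch) for ch in lowered[i:i + 4]]
        steps = {window[j + 1] - window[j] for j in range(3)}
        if steps == {1} or steps == {-1}:
            problems.append("contains a sequential run like 'abcd' or '4321'")
            break
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def hash_password(password, salt=None):
    """Salted, deliberately slow one-way hash.

    Stored form: algorithm$iterations$salt_hex$digest_hex, so the parameters
    travel with the record and can be raised later without a schema change."""
    if salt is None:
        salt = os.urandom(16)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not stop at the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(password_problems("Nkaminski!2009", username="nkaminski"))
    record = hash_password("Zq7!mVt#29Lw")
    print(record)
    print(verify_password("Zq7!mVt#29Lw", record), verify_password("wrong", record))
```

Because the salt and iteration count are stored beside the digest, the site can raise the work factor for new passwords and re-hash old ones at the next successful login without ever needing the cleartext.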
In addition to requiring strong passwords and storing them as salted hashes, the site must be served exclusively over HTTPS, that is, HTTP carried over TLS (the successor to SSL), with a certificate issued for the site’s hostname by a trusted certificate authority. TLS and SSL are the protocols; the certificate is what lets the browser verify it is talking to the genuine server. Properly deployed, this prevents the eavesdropping, tampering and message forgery that attackers use to take over accounts and read sensitive information in transit. Redirect every plain-HTTP request to HTTPS, and mark the session cookie Secure so it is never sent in clear and HttpOnly so page scripts cannot read it; otherwise an attacker on the same network can capture the session after login even though the login page itself was encrypted.
The next important security measure is a session timeout that automatically logs an idle user out and clears account information from the screen. A common setting is 10 minutes of inactivity. On many sites the timeout is enforced only on the user’s next request: the site redirects to a timeout page or the home page and asks for a fresh login, but whatever was on screen stays visible until then. For Hedge Fund Reporting Systems that is not enough. The server must invalidate the session record itself when the idle period expires, so that a stale session cookie cannot be replayed, and the browser should be told (a client-side timer is the usual mechanism) to navigate away from the report page when the timeout is reached even if the user makes no further request. That combination prevents others from reading sensitive data left on an unattended screen. An absolute maximum session lifetime, independent of activity, is also prudent.
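The server-side half of that timeout, as an added example that is not code from the original article or from FinCode: a session store that judges expiry from timestamps it holds itself and deletes the record the moment it is found expired, plus the cookie attributes from the HTTPS paragraph. The 10-minute idle window follows the text; the 8-hour absolute lifetime and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 10 * 60           # seconds of inactivity before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap regardless of activity (assumed value)


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    The token is the only thing the browser holds; all state, including the
    timestamps the timeout is judged against, lives on the server."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without sleeping
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token):
        """Return the user for a live session, or None.

        An expired session is deleted at the moment it is noticed, so a cookie
        captured earlier cannot be replayed after the timeout."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_too_long = now - session["last_seen"] > IDLE_TIMEOUT
        too_old = now - session["created"] > ABSOLUTE_LIFETIME
        if idle_too_long or too_old:
            del self._sessions[token]
            return None
        session["last_seen"] = now   # sliding window: each request restarts the idle timer
        return session["user"]

    def logout(self, token):
        """Explicit logout: drop the record so the token is dead immediately."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value for the token: never sent in clear, unreadable by page scripts."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % token


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("investor42")
    print(session_cookie(token))
    print(store.lookup(token))
    store.logout(token)
    print(store.lookup(token))
```

The client-side timer that blanks the report page complements this but never replaces it: a script in the browser can be stopped or bypassed, whereas the server’s check runs on every request whatever the client does.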
It is also advisable to minimize the number of third-party components in a custom solution and to know exactly what each one does. Whether a component is commercial or open-source matters less than whether the team can vet its code or its vendor, track its published vulnerabilities, and apply fixes promptly; an unmaintained component of either kind is the real risk. Hosted components deserve particular scrutiny: an embedded script, analytics widget or external service receives information about the application and its users on the provider’s systems, which widens the set of places a breach can occur. Keep an inventory of every component in use, with its version, so that a newly published flaw can be matched against the system quickly.
Additionally, most Online Reporting Systems have an administrative interface that provides data loading, user management and other administrative functions to authorized users. It is crucial to separate the administrative module from the investor-facing module and to give each its own database credentials: the investor-facing module’s database account should be able to read only the data it serves, with no rights to load data or change users, so that a flaw in the public site cannot be turned into control over the data. The administrative module should also be kept inside the corporate network and reached over a VPN connection when working from outside the office, never exposed directly to the internet.
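To make the privilege split concrete, here is an added example (editor-supplied, not FinCode’s code) using Python’s standard sqlite3 module. SQLite has no user accounts, so its read-only connection mode stands in for a database account granted SELECT only; with a server database the same split is done by creating two accounts and granting the public one nothing but SELECT on the reporting tables. The table, the investor id and the NAV figures are constructed sample data.

```python
import os
import sqlite3
import tempfile


def create_reporting_db(path):
    """Administrative step: create the schema and load constructed sample data."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE positions (investor TEXT PRIMARY KEY, nav REAL)")
        conn.execute("INSERT INTO positions VALUES ('investor42', 1250000.0)")
    conn.close()


def public_connection(path):
    """Investor-facing module: opened read-only at the driver level.

    Stands in for a database account granted SELECT only; no statement issued
    through this connection can modify data, whatever bug the web code has."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def admin_connection(path):
    """Administrative module: the only path with write access, kept off the internet."""
    return sqlite3.connect(path)


def investor_nav(conn, investor):
    """Parameterised query: the investor id is bound as data, never spliced into SQL text."""
    row = conn.execute("SELECT nav FROM positions WHERE investor = ?", (investor,)).fetchone()
    return row[0] if row else None


def demo():
    """Build a throwaway database and show what each connection can and cannot do."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "reporting.db")
    create_reporting_db(path)
    results = {}

    public = public_connection(path)
    results["public_read"] = investor_nav(public, "investor42")
    try:
        public.execute("UPDATE positions SET nav = 0 WHERE investor = 'investor42'")
        public.commit()
        results["public_write_rejected"] = False
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        results["public_write_rejected"] = True
    public.close()

    admin = admin_connection(path)
    with admin:
        admin.execute("UPDATE positions SET nav = ? WHERE investor = ?", (1300000.0, "investor42"))
    admin.close()

    public = public_connection(path)
    results["after_admin_update"] = investor_nav(public, "investor42")
    public.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two connection functions is that the public web tier physically cannot reach a write path: an injection flaw or a logic bug in the investor site yields at most a read of what that account can already see, not a rewritten NAV or a new administrator.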
Finally, a regular data backup schedule should be created and copies should be taken offsite to a secure data facility. Today there are numerous online backup companies that offer fully managed backup, storage and restore services, and these vendors generally invest heavily in their data centers and backup software to ensure data safety and to support compliance with regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and SEC and NASD recordkeeping rules. Whoever holds the backups, investor data in them should be encrypted before it leaves the fund’s control, with the key kept by the fund rather than the vendor, and restores should be tested on a schedule; a backup that has never been restored is an assumption, not a control.
To summarize, technology can provide significant time and money savings to hedge funds when it comes to meeting regulatory requirements and improving investors’ experiences. Knowing the risks involved and ways to avoid those risks, as well as partnering with the right technology vendor are critical to ensuring successful implementation of any software solution.
Natalie Kaminski is the Founder and CEO of FinCode Solutions, a boutique software development and consulting firm that focuses on the alternative investment industry. For more information on Ms. Kaminski and FinCode Solutions, see the FinCode Solutions website.