Risky Business

Although there is a wealth of technology to help companies build a defense against threat, it is no easy task to ensure that a system is failproof.

By Dermot S. L. Butler,
Custom House Administration & Corporate Service Ltd.

In the past several years, many hundreds of millions, probably billions of dollars have been spent on technology in the financial services industry, by asset managers, prime brokers, clearing brokers, investment, custodian and trading banks and, of course, fund administrators. Several hundreds of millions of the total sum would have been spent in the alternative investment and hedge fund sectors. This money was intended to purchase "and to a large extent has purchased" greater efficiency, a reduction in operational costs and, as a result, increased capacity for the purchaser.

Counting the Costs

Custom House's experience confirms that this expectation was justified. The costs to Custom House of purchasing the technology were, of course, high, but its hardware inventory was totally replaced in November 1999, taking advantage of a move to new premises and the upgrading of all of facilities and obtain the ultimate Y2K protection. Since then, it has spent close to two years Alpha and Beta testing, then implementing a new, totally integrated administration system. This, of course, is where the real costs arose - the time it has taken for the company to transfer from one system to another. Although there is a cost in purchasing the software - and no system comes cheap - the cost in money, human resources and management input also comes with the implementation of a new system.

Like most other hedge fund administrators, (alternative investment and hedge funds are Custom House's specialty), the company used to operate through, what can be describe as, a "multi-plex" system, which consisted of several separate systems, or modules. The number of modules varies with each administrator, but can include, inter alia, a share register module, a securities-transaction module, a general fees and expenses module, a performance-fee-calculation module and, if required, an equalisation module.

The data generated by each of these modules has to be transferred from one module to another, as the administration process progresses, until everything consolidates to produce the NAV / NAV per share. The drawback is that each such transfer creates an "error zone". Furthermore, the last three modules are all likely to be processed utilising spreadsheets, which are "breeding grounds" for mistakes. This relatively high risk of errors means that substantial resources - again in the form of time and personnel - must be dedicated to checking each stage of the process.

Total Integration

Custom House's new system "PFS PAXUS" is a totally automatic integrated system. This means that once the fund is set up on PAXUS, the actual administration process is carried out automatically. This automation is extended, so that the company can take in all of the trading data by electronic feed from the prime or clearing brokers and so that it can then deliver reports to both the fund managers and investors electronically - these are valuable efficiencies that suit everyone.

Thus, it can be seen that it is not only efficient in terms of the accurate processing that technology provides, it can also speed up whole processes. It is estimated that Custom House will eventually increase its capacity by up to 30 or 40 per cent, without having to employ any additional staff. This could be seen as optimistic, as its probable Custom House will start to provide additional peripheral and value-added services to the fund clients, which could soak up perhaps 10 per cent of that increased capacity. But that is still a bonus if the company is providing a superior and improved service.

Pinpointing the Problems

The main threat is the risk of systemic failure. This does not mean that the programme will suddenly stop working because of an internal design fault - that risk is minimal, if not negligible, because each component of the programmes should have been tested "into the ground". What is referred to here is a failure as a result of a disaster. This is not just in light of the awful events in New York and Washington on 11th September 2001, (although it must be said that now, very few people truly believe in the phrase "it can never happen to me"). Obviously, terrorism is recognized as a real risk and, of course, the financial sector is a high priority target for the extreme elements of all terrorist groups, including religious fundamentalists and quasi-religious political groups as well as the anti-globalisation and anti-capitalist movements. But disasters are not limited to violent terrorist actions - floods, fires and other natural disasters can, and do, occur.

As part of its business continuity plan, Custom House has had a specific disaster recovery plan (DRP) in place for many years. Although this plan would still have been effective, it was not particularly impressive and could have taken a few days to be properly established in an emergency. So earlier this year, the company decided to substantially upgrade it. Arrangements have now been made that will enable Custom House to seat at least 40 people at fully operational work stations based at a site half an hour's drive away from its offices (in Dublin traffic), within four to six hours of a disaster occurring, such as a fire gutting the existing offices. Furthermore, this facility will enable the company to back up everything on its main operating system to the DRP site every seven minutes throughout the day. This means that, in the event of a disaster, only seven minutes worth of work would be lost. It goes without saying that, like all other aspects of technology, this is a very expensive facility. However, it is also fair to say that the annual cost is probably less than the losses Custom House, as a company, would suffer if it were to be out of business for two days. As such, this is relatively inexpensive insurance.

Coping in a Crisis

The other areas of systemic failure are both internal and external. The internal risk of a network being attacked by a virus has increased exponentially in the last three years. If you do not have a very effective (and regularly updated) firewall and anti-virus protection system in place, you are at risk that your systems and database, including of course the backup (if that is transmitted electronically), will be decimated. And that risk is now a real, likely risk, rather than an "it would never happen to me", possible risk.

As astounding as it may seem, recently, over an eight day period, Custom House's network was hit by over 100,000 viruses, all of which, fortunately, were rejected by the security wall. It is therefore essential that anybody who relies upon their technology and uses the internet widely and frequently should also have very tight security rules and the latest firewall and anti-virus systems in place. These should, of course be updated on a regular basis. Custom House takes a further precaution by intercepting nearly all attachments received from outside sources and separately scanning them before they are accepted within the internal network.

It goes without saying that the effectiveness of any anti-virus software will only be as good as the last virus that the supplier of the software saw and was able to build an antidote to. To date, anti-virus companies have shown great efficiency and speed in delivering antidotes for new viruses. For example, Custom House was not hit by the "NIMDA" virus, which caused huge problems around the world in September 2001 - although staff felt somewhat vulnerable when they realised that "NIMDA" is the actually the inversion of 'ADMIN'.

Expect the Impossible

Virus attacks are, of course, just another form of terrorism, although to date the terrorists involved have been, largely amateurs, albeit sometimes very gifted (if warped) amateurs. Unfortunately, it is likely that the professional terrorists, who have previously lived (and died) by the gun and bomb, will endeavor to create more chaos in the international community. This could be through trying to disrupt and destroy, not only individual company networks, (by the introduction of viruses on the net), but also possibly an external systemic collapse, as a result of destroying the actual infra-structure of the internet or world wide web. There is, of course, little that individual companies, or risk managers, can do to protect themselves against such an event. Indeed, if the worlds international telephone, internet and web communication system was immoblised then I suspect that all markets would be closed until the paralysis was removed. The chaos that could ensue from that hardly bears thinking about - just don't forget how to use a pen, pencil and calculator.

Dermot S.L. Butler is Chairman of Dublin-based Custom House Administration & Corporate Services Limited ("Custom House"), a company that specialises in assisting clients in the organisation, establishment and administration of alternative investment and hedge funds. Custom House is authorised by the Irish Financial Services Regulatory Authority ("IFSRA"), (formerly the Central Bank of Ireland) under the Investment Intermediaries Act, 1995.