Fintech Can Improve Returns, But Asset Owners Must Also Protect Data Privacy and Cybersecurity
The State of Wisconsin Investment Board (SWIB), which manages $111.3 billion in assets for the Wisconsin Retirement System, considers data so important that the agency recently moved its data management director to directly report to the pension fund’s chief technology and operations officer.
High-quality, accurate, and timely data helps SWIB both spot investment opportunities and control risk, and the board is integrating data and technology to better serve the investment teams.
“There’s an unbelievable amount of complexity we face now [in investing], be it in all the asset classes and geography. Without fintech, how do you deal with the complexity? It’s not a nice-to-have anymore, it’s a requirement to be able to deliver on what a simple bond portfolio used to give you in 1995,” says Julia Valentine, chief technology and operations officer at SWIB.
SWIB has a mix of active, passive, internal, and external investment management, and it also uses several fintech providers, including CRD, Bloomberg, Aladdin, FactSet, and MSCI Risk Manager, to address its investment needs. In the next 18 months, the board will pursue a more consolidated approach to support a major concern: to control and protect the technology infrastructure that produces the core data supporting its multi-asset daily business.
As technology becomes more important, asset owners must learn how to manage data privacy when working with fintech providers and asset managers, while having a robust cybersecurity program to protect the whole organization. Data privacy and cybersecurity are separate, yet equal, technology issues asset owners must understand as they embrace fintech to improve portfolio performance.
Managing Data Privacy
Fintech can help save asset owners time, reduce errors, and improve returns, but depending on the system, it may require exchanging sensitive information on data or investment strategies. Asset owners must figure out what they want the technology to accomplish when looking for a provider.
Zhuoying (Joy) Xu, vice president of strategic asset allocation and fixed income at Verizon Investment Management Corp. (VIMCO), a $19 billion pension fund, says she uses Mcube Technologies to run systematic models. She and her asset managers together developed a proprietary, quantitative trading system, and she feeds the inputs from those models into Mcube for analysis.
To keep her data secure, she keeps the research and builds the models on a separate system from Mcube. “Mcube helps me to aggregate multiple model signals, and generate information or run back tests, but it does not have the transparency of the proprietary models.”
Enterprise fintech systems, those that can perform multiple functions, may require asset owners to partner closely with the service producer and share sensitive data. Susan Veksler, co-founder and president of Caissa, says asset owners should understand what aspect of the data being fed into the technology platform will be theirs versus what becomes property of the technology provider.
“That’s something that allocators should understand, especially if they ever have to disengage with an organization. Where does their data go? Who owns it?” she says.
A vendor’s response to these questions often provides insight into how they will use the asset owner’s data, Veksler says, noting data ownership parameters should be stipulated in the contract.
It’s critical that asset owners understand what their data is being used for, says Michael Neuman, vice president of information security at Backstop Solutions Group. Privacy legislation exists in the US and in the EU under the General Data Protection Regulation (GDPR), but it’s also important that the fintech provider explains its role in handling data. He says some organizations may have clauses that say they want to do levels of data mining or have other purposes.
“It becomes a unique challenge, especially in the growing space of artificial intelligence and machine learning, where that becomes a more critical aspect of how information is getting used to teach the machines,” Neuman says.
Jeremie Bacon, chief executive officer of Imagineer Technology Group, says asset owners should also ask about encryption practices, whether data is encrypted both in transit and at rest. Companies should be able to verbally explain their privacy and security policies.
“Review the documentation and have a conversation with the tech team at the vendor to understand line by line how what they’ve written is actually practiced in real life and how that may or may not be potentially an issue for your business,” he says.
Valentine says SWIB works closely with its legal department to parse fintech provider contracts. If asset owners don’t have someone with technology contract experience on staff, they should contract for those services.
Monel Amin, founder of DiligenceVault, says that, to start, asset owners must question how a fintech provider uses data, the controls they have over it, and who owns this data. As fiduciaries, asset owners need to understand that as they use technology to empower their investment and operational portfolio oversight, they must also assess data and technology risk factors.
Cybersecurity Needs
Valentine says asset owners with cybersecurity concerns shouldn’t shy away from partnering with fintech providers if they haven’t already. “Industry-leading vendors will have similar or more advanced cybersecurity controls than pension funds. SOC II compliance [a component of the American Institute of CPAs Service Organization Control reporting platform] with annual certification should address this concern for pension funds,” she says.
When it comes to asset owners securing their data, Mark Nicholson, cyber principal at Deloitte, says organizations should focus on protecting their most critical data.
“What are the crown jewel assets (e.g., information or applications) that really are germane to the foundation of the business? Once you have an understanding of that, find out whether it exists in your organization’s control, who has it, where is it stored, and where is it accessed from? Once you start to understand that footprint, then you can start to drill into what are the controls needed around it,” he says.
When talking with a service provider, inquire about how they deliver the service, Nicholson says. Is it a discrete technology environment for one client, or is it considered multi-tenant, meaning IT assets like servers, databases, and applications are shared across several clients? If it's multi-tenant, does each tenant get a unique set of security keys, or is one set of security keys shared? Ask how often passwords are changed, if there is multifactor authentication to get in, and if there is monitoring for users logging in, he says.
“It gets deep quickly, but you really need to understand who has the data, where it is, and how it is controlled,” he says.
Bacon says asset owners internally need to conduct their own cybersecurity protocols such as multifactor authentication and using password managers, rather than writing passwords on sticky notes on screens. “I still see this every day,” he says, even at large institutional clients.
Asset owners can also conduct penetration testing on themselves and their partners, where organizations hire companies to try to hack into their systems to see where the vulnerabilities lie, Nicholson says, noting that, depending on how simple or extensive the test is, it can cost $10,000 to $50,000.
Valentine says it’s important to educate employees on how to recognize phishing emails, where hackers send emails with links with malicious intent. SWIB has strict firewall rules and will conduct random phishing tests, as phishing emails are one of its top cybersecurity concerns.
Bacon also recommends asset owners use secure messaging systems like Slack for internal communication rather than email. “Email is really a beast,” he says.