OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three-part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; free two-week subscription available.) Some excerpts from the topics Jennifer and Aaron discussed follow. You can read the second entry here.
Three Steps That Hedge Fund Managers Should Take before Crafting Mobile Device Policies and Procedures
As indicated, before putting pen to paper to draft mobile device policies and procedures, hedge fund managers should take at least the following three steps. Managers that already have mobile device policies and procedures in place, or that have other policies and procedures that incidentally cover mobile devices, may take the following three steps in revising the other relevant policies and procedures.
First, Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, advised that hedge fund managers should ensure that technology professionals are integrally involved in developing mobile device policies and procedures. Technology professionals are vital because they can understand the firm’s technological capabilities, and they can inform the compliance department about the technological solutions available to address compliance risks and to meet the firm’s goals. Such technology professionals can be manager employees, outside professionals or a combination of both. The key is that such professionals understand how technology can complement rather than conflict with the manager’s compliance and business goals.
Second, the firm should take inventory of its mobile device risks and resources before beginning to craft mobile device policies and procedures. Among other things, hedge fund managers should consider the access levels of their employees; their existing technological capabilities; their budget for addressing the risks of using mobile devices; and the compliance personnel available to monitor compliance with such policies and procedures. With respect to employee access, a manager should evaluate each employee’s responsibilities, access to sensitive information, and historical and anticipated uses of mobile devices to determine the firm’s risk exposure.
With respect to technology, Messing cautioned that mobile device policies and procedures should be supportable by a hedge fund manager’s current technology infrastructure and team. Alternatively, a manager should be prepared to invest in the required technology and team. “You should be sure that what you are considering implementing can be supported by your information technology team,” Messing said. With respect to budgeting, a hedge fund manager should evaluate how much it is willing to spend on technological solutions to address the various risks posed by mobile devices. Any such evaluation should be informed by accurate pricing, assessment of a range of alternative solutions to address the same risk and a realistic sense of what is necessary in light of the firm’s business, employees and existing resources. Finally, with respect to personnel, a manager should evaluate how much time the compliance department has available to monitor compliance with any contemplated mobile device policies and procedures.
Third, hedge fund managers should specifically identify their goals in adopting mobile device policies and procedures. While the principal goal should be to protect the firm’s information and systems, hedge fund managers should also consider potentially competing goals, such as the satisfaction levels of their employees, as expressed through employee preferences and needs. As Messing explained, “It is not that simple to dictate security policies because you have to take into account the end users. Ideally, when you are creating a mobile device policy, you want something that will keep end users happy by giving them device freedom while at the same time keeping your data safe and secure. One of the things that I emphasize the most is that you have to customize your solutions for the individual firm and the individual fund. You cannot just take a one-size-fits-all policy because if you take a policy and you do not implement it, it can be worse than not having a policy at all.” OCIE and Enforcement staff members have frequently echoed that last insight of Messing’s.
Aaron and Jennifer also discussed privacy concerns with the use of personal devices for work:
Firm-Provided Devices versus Personal Devices:
As an alternative, some firms have considered adopting policies that require employees to make their personal phones available for periodic and surprise examinations to ensure compliance with firm policies and procedures governing the use of personal phones in the workplace. However, this solution may not necessarily be as effective as some managers might think because many mobile device functions and apps have been created to hide information from viewing, and a mobile device user intent on keeping information hidden may be able to take advantage of such functionality to deter a firm’s compliance department from detecting any wrongdoing. Additionally, Messing explained that such examinations also raise employee privacy concerns. Hedge fund managers should consider using software that can separate firm information from personal information to maximize the firm’s ability to protect its interests while simultaneously minimizing the invasion of an employee’s privacy.
Regardless of the policies and procedures that a firm wishes to adopt with respect to the use of personal mobile devices by firm personnel, hedge fund managers should clearly communicate to their employees the level of firm monitoring, access and control that is expected, especially if an employee decides that he or she wishes to use his or her personal mobile device for firm-related activities.
Jennifer and Aaron also discussed controlling access to critical information and systems:
Limiting Access to and Control of Firm Information and Systems
As discussed in the previous article in this series, mobile devices raise many external and internal security threats. For instance, if a mobile device is lost or stolen, the recovering party may be able to gain access to sensitive firm information. Also, a firm should protect itself from unauthorized access to and use of firm information and networks by rogue employees. A host of technology solutions, in combination with robust policies and procedures, can minimize the security risks raised by mobile devices. The following discussion highlights five practices that can help hedge fund managers to appropriately limit access to and control of firm information and networks by mobile device users.
First, hedge fund managers should grant mobile device access only to such firm information and systems as are necessary for the mobile device user to perform his or her job functions effectively. This limitation on access should reduce the risks associated with use of the mobile device, particularly risks related to unauthorized access to firm information or systems.
Second, hedge fund managers should consider strong encryption solutions to provide additional layers of security with respect to their information. As Messing explained, “As a best practice, we always recommend firm information be protected with strong encryption.”
Third, a firm should consider solutions that avoid storing the firm’s information directly on a mobile device. For instance, a firm should consider hosting its information in a cloud service and requiring mobile device users to access that information through the service rather than keeping local copies. By placing security measures on access to the cloud service, the firm adds a layer of protection over and above the measures designed to deter unauthorized access to the mobile device itself.
Fourth, hedge fund managers should consider solutions that allow them to control the “business information and applications” available via a personal mobile device. With today’s rapidly evolving technology, solutions are now available that allow hedge fund managers to control those functions that are critical to their businesses while minimizing the intrusion on the personal activities of the mobile device user. For instance, there are applications that store e-mails and contacts in encrypted compartments that separate business data from personal data. Messing explained, “Today, there is software to provide data encryption tools and compartmentalize business data, accounts and applications from the other aspects of the phone. There are also programs that essentially provide an encryption sandbox that can be removed and controlled without wiping the entire device. When you have that ability to segment off that sensitive information and are able to control that while leaving the rest of the mobile device uncontrolled, that really is the best option when allowing employees to use mobile devices to conduct business. The solutions available are only limited by the firm’s own technology limitations and what is available for each specific device.” This compartmentalization also makes it easier to wipe a personal mobile phone if an employee leaves the firm, with minimal intrusion to the employee.
Fifth, hedge fund managers should adopt solutions that prohibit or restrict the migration of their information to locations where they cannot control access to it. Data loss prevention (DLP) solutions can help here by monitoring the network to detect movement of firm information across it. DLP software can also block data from being copied to local storage, encrypt data, and allow the administrator to monitor and restrict use of mobile device storage.
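The five practices above can be expressed as a single policy that every mobile access request is checked against. The following is an added illustration, not code from the original article, from OlenderFeldman, or from any product the article mentions: it models practice one (a role may reach only the resources its job requires), practice four (firm data is handled only inside a managed, encrypted compartment) and practice five (data may not migrate to storage the firm does not control), and then runs a handful of constructed DLP-style event lines through that policy so the denied rows are what a compliance reviewer would look at. The role names, resource names and event format are assumptions made for the example.

```python
"""Toy access-control and data-movement policy for mobile device users.

Added example; not the article's or any vendor's code. Roles, resources,
destinations and the event line format are all constructed for illustration.
"""
from dataclasses import dataclass

# Practice 1 (least privilege): each role gets only the resources its job
# requires. These roles and resources are assumed for the example.
ROLE_ACCESS = {
    "trader": {"order-management", "market-data"},
    "analyst": {"research", "market-data"},
    "compliance": {"research", "order-management", "surveillance"},
}

# Practice 5: destinations the firm controls; anything else is uncontrolled
# storage (e.g. the phone's own local storage or a personal cloud account).
CONTROLLED_DESTINATIONS = {"firm-cloud", "managed-container"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    in_managed_container: bool  # practice 4: request comes from the encrypted compartment
    destination: str            # where the data would end up after the action


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every check is a deny; allow only if none fire."""
    allowed_resources = ROLE_ACCESS.get(req.role)
    if allowed_resources is None:
        return False, f"unknown role {req.role!r}"
    if req.resource not in allowed_resources:
        return False, f"{req.resource!r} is not required for role {req.role!r}"
    if not req.in_managed_container:
        return False, "firm data may only be handled inside the managed compartment"
    if req.destination not in CONTROLLED_DESTINATIONS:
        return False, f"migration to uncontrolled storage {req.destination!r} blocked"
    return True, "allowed"


# Constructed DLP-style event lines: user role resource compartment destination
SAMPLE_EVENTS = [
    "alice trader order-management container firm-cloud",
    "alice trader research container firm-cloud",
    "bob analyst research personal firm-cloud",
    "carol compliance surveillance container local-storage",
    "dave intern market-data container firm-cloud",
]


def parse_event(line: str) -> AccessRequest:
    """Split one whitespace-separated event line into an AccessRequest."""
    user, role, resource, where, dest = line.split()
    return AccessRequest(user, role, resource, where == "container", dest)


def review_events(lines: list[str]) -> list[tuple[str, bool, str]]:
    """Run every event through the policy; denied rows are the review queue."""
    results = []
    for line in lines:
        req = parse_event(line)
        ok, why = evaluate(req)
        results.append((req.user, ok, why))
    return results


if __name__ == "__main__":
    for user, ok, why in review_events(SAMPLE_EVENTS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {user:6} {why}")
```

Of the five constructed events only the first is allowed; the others are refused for, in order, a resource outside the role's needs, a request from outside the managed compartment, a copy to local storage, and a role the policy does not know. Ordering the checks so that any failure denies immediately keeps the policy easy to reason about, and the returned reason string gives the compliance team the audit detail the article's fifth practice calls for.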