Tag Archive: Best Practices


Around this same time last year, many of us said our final goodbyes to Windows XP and Exchange 2003. This year, Microsoft’s latest End-Of-Life (EOL) event – along with good sense – will force most of the firms that are still using Windows Server 2003 to replace it with a newer version of the Windows Server operating system (OS). July 14th, 2015 marks the end of extended support for the 2003 product line – after that date, there won’t be any more security updates.

For those unfamiliar with the issue this raises, compliance regulation and standards related to private information and security dictate that firms must keep up-to-date with regular patches to the software and hardware that powers their businesses.  Your firm’s Written Information Security Program (WISP) should detail a policy of adherence to these standards, among many others, and in there somewhere you have almost certainly indicated that you are keeping your systems updated with respect to security.

Like Windows XP, Windows Server 2003 has been around long enough and really should be replaced, so there is not much point in delaying the switch.  Most firms have likely changed over to Windows Server 2008 or 2012, but those that haven’t made the change yet should be planning on upgrading their server(s) in Q2 of 2015.

 

Alternatives to Windows 2003?

Assuming your firm is committed to Microsoft Server products, you have two choices:

1. Windows Server 2008 R2 (2008)

2008 is a mature operating system, which is still in use at a large number of firms today. However, mainstream support for 2008 ended earlier this year (1/13/2015), and though extended support is available until 1/14/2020, it probably doesn’t make sense to move from 2003 to 2008 in 2015. Firms that have existing 2008 software licenses may not want to incur the additional expense of 2012 licenses, and those with significant compatibility concerns may opt to install Windows 2008 on new server hardware.

2. Windows Server 2012 R2 (2012)

2012 is the latest and greatest from Microsoft. It has a shiny new interface and a bevy of neat features like deduplication. My experience with 2012 has been overwhelmingly positive. Though worries about 2012 compatibility with legacy applications may delay widespread acceptance of this operating system, many firms will ultimately choose to make the switch to 2012.

What happens if we stay on Windows 2003?

Your server will still work, but you will not get any more security updates from Microsoft, and your firm will technically be out of compliance.

What else could happen?

Software companies and other parties your firm interfaces with will assume that you are making these updates.  Your firm’s failure to upgrade to a later version of Windows Server could cause problems that you and your staff may not be able to anticipate.

As an example of this, one of my clients that was slow to upgrade all of their Windows XP systems last year found that the latest version of Orion’s desktop software, which was automatically updated sometime in Q1 of 2014, was incompatible with Windows XP.  Unfortunately for the client, there wasn’t a way to reverse the update or use an older version.

At the time, I was surprised, especially because the customer wasn’t given any notice of the “feature enhancement.”  It didn’t make sense that a software company would launch an update incompatible with existing customer desktops that were still supported by Microsoft.  Thankfully, Orion addressed the issue quickly by providing the users affected with remote desktop (RDP) connections to Orion servers for an interim period.

About the Author: Kevin Shea is the Founder and Principal Consultant of Quartare; Quartare provides a wide variety of technology solutions to investment management and financial services firms nationwide.

For details, please visit Quartare.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@quartare.com.

Windows XP was a mainstay at many financial services firms for nearly a decade. In keeping with the Microsoft Lifecycle Support Policy, support for Windows XP and similarly aged software must eventually end. You can learn more about the policy here.

According to Microsoft, extended support for Windows XP is scheduled to end on 04/08/2014.  If your office is using Windows XP, you should be working on plans to phase out XP by replacing those systems with new PCs or upgrading the PCs to a more recent workstation operating system in the next six to nine months.  There is no good reason to wait until or beyond April 2014 to perform these upgrades.

Why should you care?

Most security standards – for instance, 201 CMR 17.00 – require that you apply security patches on a regular basis.  It is the extended support from Microsoft that allows you to do this.  After extended support has ended, there is no guarantee that any security patches will be released for these systems.  In order to stay compliant with security standards, firms using Windows XP will need to upgrade to other systems.

Hasta la vista, Vista!

Currently, we are recommending that business users implement Windows 7 Professional on workstations.  Windows 8 makes sense for home users with touch screens, but we prefer not to implement operating systems before they have become mainstream in the workplace; Windows 8 just isn’t there yet.

Vista extended support is good through 04/11/2017, but Vista has always been a dog, and any business users still using Vista should strongly consider moving to Windows 7 Professional immediately.

Server-based systems affected by the Microsoft Lifecycle Support Policy

Windows 2003 Server extended support is good through 07/14/2015.  Nevertheless, Windows Server 2008 R2 will likely be the most widely used network operating system among investment advisors by the end of 2013.  Windows Server 2012 was released on 09/04/2012 and hasn’t yet been widely implemented among SMBs we are familiar with.

Exchange Server 2003 extended support also ends on 04/08/2014.  The implications of this related to security updates are the same as those detailed above regarding XP.  If you know which version of Exchange is in use at your office, you can check Microsoft’s site here to determine when the end of extended support for Exchange will affect your firm.

Like Vista, extended support of Exchange Server 2007 is good through 4/11/2017, so there is no need to upgrade in the near-term future. Exchange 2010 adds OWA support for Firefox and Chrome. In addition, Exchange 2010 makes better use of lower-cost disk subsystems, allowing you to get a performance boost over 2007 without spending a premium. Those are nice features, but not nice enough to push an Exchange upgrade before a normal IT lifecycle replacement demands it.

Exchange Server 2003 will be phased out by many advisors this year, and most will move to Exchange Server 2010.  Though Exchange Server 2013 was technically released in November 2012, it may be premature for the SMBs that dominate the investment industry to adopt Exchange Server 2013 over Exchange Server 2010.  Presently, there is no direct migration path from Exchange 2003 to Exchange 2013.  A number of small investment advisors will move to hosted Exchange solutions and no longer keep Exchange servers at their offices.

With this many possible changes slated for the next ten months, now is a good time to make sure your firm has addressed the issues or has a plan to upgrade any systems affected.

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.

I have been talking about the evolution of investment reporting for years and telling anyone who would listen that their clients will soon have other investment reporting options. My dream or vision of the future includes me (of course) providing the interface to facilitate getting data from financial services firms to a secure data warehouse via xPort where their clients could download the data for analysis on an open reporting platform.

As I discussed this with one of my clients at a recent Schwab conference, they shared their concerns with me.   I was told, “It’s basically a problem of apples and oranges.”

My long-time client and friend explained to me that they would have concerns that data they reviewed and corrected (“apples”) might be reported as uncorrected data (“oranges”).

Though data aggregators exist and have much of the data required, they won’t have it all unless advisors participate and cooperate in the process.  Reconciliation needs to be performed and maintained on an ongoing basis with respect to assets under management, inception-to-date performance, and tax cost.  No one is more motivated and qualified to maintain that data integrity than the advisors whose decisions, service, and bottom line are impacted by the quality of that data.

Big Brother will have access to this data too – that’s not part of my plan, but just a given eventuality and perhaps already a reality.  Regulatory powers will employ predictive analytics to proactively search for potential fraud.  For example, an advisor reporting the same exact composite return two years in a row is possible, but highly unlikely and worth investigating.  When more scrutiny is applied to this data, one can only hope that the benefits of additional regulation will outweigh the compliance headaches.

Enter SigFig

According to their web site, SigFig was born out of the noble desire to serve the millions of investors that don’t meet typical portfolio minimums and cannot afford quality investment advice. Your clients may be using SigFig already. If you haven’t seen it, SigFig is to investment reporting what Mint is to personal financial reporting. Unfortunately for investment advisors, SigFig has a similar business model, meaning that investors do not pay for the service, but instead get solicited with offers that appear relevant to their investments; for example, “this fund is outperforming your fund” or “your investment advisor is overcharging you.”

Using SigFig, investors can view a dashboard summary of investment reporting information that looks better than what many investment advisors currently provide to their clients. However, as one familiar with the details of performance calculations, client billing, and reconciliation, I am naturally concerned about possible data quality issues. The idea of replacing the sound advice of an investment professional with algorithms designed to place ads – even though those ads are intended to be unbiased – seems inherently flawed.

To learn more, you can check out SigFig here:

www.sigfig.com

In my preferred vision, advisors would pay an interface fee and their participating clients would purchase SAAS reporting or a Droid/iOS app.  Idyllic as it might seem, this version of the future would allow investment advisors and their clients to share views of reports created by impartial third-party reporting sources.

SigFig is a step in the right direction, and should serve as a warning to investment advisors that more robust investment reporting information will be delivered to their clients whether they participate in the process themselves or allow their clients to find it on their own.

The Best Investment Reports

It makes perfect sense that your firm should want to provide the best reports possible to your clients, without incurring an unreasonable expense or maintaining an unmanageable reporting process. Unfortunately, what’s best for your firm and what’s best for your client may be two different things. You want to validate your investment methodology and highlight the value continued use of your firm offers, but you also need to keep your client’s best interests in mind. More than one advisor I have worked with in the past has chosen to shy away from slick, eye-popping reports, instead favoring black-and-white reports where simple numbers alone underscore performance. In the opinion of these advisors, the relationship with a client is more important than fancy reporting and such reports can distract investors.

Call modern reports a prudent best practice or self-serving marketing effort designed to ensure your firm’s survival.  The truth is that they are a little of both.  Clients expect decent reporting, so substandard reports are now passé.  Quarterly report packages like those I have helped clients create for twenty years are also known as presentations, and perhaps that is a better name for them.  It describes what investors are really trying to do at quarter end.

Sample Client Reporting Presentation

Every quarter, advisors have an obligation and opportunity to make a presentation of how their clients’ investments are doing.  Most advisors also write a quarterly letter in which they address the near-term market conditions and reasonable expectations for the future while trying to impart some relevant wisdom to their investors.  Advisors are, in fact, presenting and remarketing to their clients on a quarterly basis.  Good presentations typically illustrate an advisor’s general knowledge of the markets, educate clients, and show how the advisor adds value.  The reports included in these presentations also present holdings analyses that provide clients with additional insight into their investments, but, most importantly, these reports provide the client with performance figures and comparative benchmarks for various time periods.

Report Development or Adoption

For some firms, proprietary custom report writing is required to meet the needs outlined above.  With this requirement comes the necessity to employ staff or contract with vendors to produce and maintain the reports.  The effort to produce high-quality reports can be daunting whether the project is handled internally or outsourced.  Many custom reports, by definition, are in flux.  In a typical quarter, custom reports may undergo additional feature enhancements and require maintenance modifications or bug fixes.  In order to maintain custom reporting systems, an ongoing commitment of time and money is necessary.

Advisors may want to create distinct custom reports that are part of their brand, but given the potential complexity and cost of creating those reports, the best investment reports for those with limited funds are the ones that already exist.

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.

In a day when security threats are constantly evolving and your business is responsible for keeping confidential information secure, your clients’ computer systems may seem an unlikely place to prod your nose, but unfortunately, an increasing number of security threats are originating from the clients of investment advisors.

One recurring example that we have witnessed over the past year is the hacking of email accounts. In this scenario, your client’s email account with Google gets hacked because their password is “patriots1” or perhaps their PC has been infected with a keylogger virus. In any event, a hacker somehow discovers your client’s password and now has access to their historic email records.

In the past, hackers might have been satisfied to use that account to spam everyone on earth, but today’s hackers are more sophisticated. Apparently, they’ll actually take the time to read through your client’s emails in search of financially sensitive information. Based on the content of previous communications with your firm, they can compose an email that looks similar to one the client might have sent in the past to ask your staff about total holdings or even request a check.

Here are some tips your clients should follow to keep their email and other accounts secure:

  1. Don’t enter your passwords in kiosks and other systems available to the public.
  2. When you get the option to store the password for various accounts and websites on your PC, don’t do it.
  3. Never send your passwords in an email.
  4. Use encrypted email connections.
  5. Institute complex passwords.  I know it’s a pain, but so is having your identity stolen.
  6. Don’t use the same passwords for multiple accounts.  Yes, this is a pain too, but there are some programs like eWallet that can help.
  7. Run up-to-date versions of security software that include protection for spyware, malware and viruses.  Don’t ignore messages from your Antivirus program.
  8. Stay up-to-date on operating system and application security patches.
  9. Be cautious of which sites you browse.  A program like OpenDNS can help you keep your computers clean by limiting access to potentially harmful websites.  The home version of OpenDNS is free.  You can find it at www.opendns.org.  Antivirus programs like AVG and Symantec can filter websites too, but do it with less specific controls.

Here is what your clients should do if they do get hacked:

  1. Contact a computer professional or the email provider to help determine how you got hacked.
  2. Alert your investment advisor and other vendor relationships that hackers could try to take advantage of.
  3. Resolve any issues that may have led to the hack, such as: simple passwords, malware, spyware, and viruses.
  4. Change your passwords and any hints (from a computer system, smart phone, or the original system once the threats have been removed) on the following: the hacked site; any other sites where you used the same username and password; and any sites whose information you stored in the hacked account.
  5. If you determine that you have been a victim of spyware or malware, you will need to change all your passwords for your online accounts and follow the procedures for recovering from identity theft.
  6. If you cannot follow any of these steps because your account credentials have been changed, you will need to contact the company providing that account in order to regain control of your account.
  7. Implement better security provisions going forward.

There is only so much you can do to protect your clients.  Ensuring that email communications are secure should be at the top of the list. Your firm can implement a product like Zixmail to encrypt selected emails, but at the point where your client’s computer system has been compromised, this may only provide an additional deterrent, and should not be seen as the solution to the problem.

The best course of action is a combination of staying vigilant, educating your clients, implementing best-practice email security, and instituting additional internal controls aimed at how your firm handles client communications, such as balance and check requests.

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.