By Maiya Keidan and Jemima Kelly
LONDON (Reuters) - Tucked into the attic of a Georgian building in London's West End, seven people run a $200 million hedge fund following artificial intelligence formulas. But the supercomputers that process their complex algorithms are nowhere to be seen.
While most established hedge funds keep their trading systems at close quarters, Piquant Technologies outsources all its IT to third parties via the cloud, where multiple computing resources are shared by multiple and often unrelated users.
Moving data off-site to cloud providers may be physically safer than storing servers in an office in Mayfair and may even provide security in anonymity.
Piquant co-founders James Holloway, 32, and Iain Buchanan, 36, say putting their trading and back office systems on external platforms halves hardware costs and means one less person to hire for maintenance.
"Do not burgle Piquant - it's not worth it," said Holloway, the fund's Chief Investment Officer. "In our office we have really no hardware except for a mouse, a keyboard and a screen."
But risks lurk if data is not properly protected. Technology provider RFA, which has 576 hedge fund clients globally, said 20 percent - or 115 - of them funds moved some operations to the cloud last year.
The likes of Amazon, Google and Microsoft are winning new customers - asset managers who gain access to the latest supercomputers without having to buy any hardware, helping them cut costs.
Regulators are trying to keep up, raising concerns about how well the risks are monitored.
Britain's Financial Conduct Authority spelled out in guidelines earlier this year that use of the cloud must not "erode, impair or worsen the firms operational risk".
It said "some respondents" wrote in to challenge that prerequisite.
The regulator also asked funds to actively supervise and test arrangements. The Monetary Authority of Singapore added the topic to its guidelines.
Regulators in Germany, Spain, Italy and the United States have put out no guidelines specifically on cloud usage, though many address outsourcing generally. They declined to comment on whether they might provide future guidelines.
A spokesman at the Swiss regulator said they were "aware of the topic" but had no plans to bring out FCA-style guidelines.
"TOE IN THE WATER"
Piquant's founders set up their fund in 2013 and later outsourced all their IT. Most other hedge funds - worried by the risks of cyber-attacks and data centers going down - are reluctant to trust third-party providers with their trading systems. They are outsourcing less sensitive areas such as email.
"We are putting our toe in the water, starting to use infrastructure and other services on the private cloud," said Iain Anderson, Chief Technology Officer at $15 billion hedge fund Cheyne Capital.
Cheyne has moved investor relations and marketing applications to an off-site location dedicated solely to their firm. It is not currently using "public" cloud platforms such as Amazon's, where hardware is shared by multiple users who require technological aptitude to use it securely.
Amazon says, for example, that clients should encrypt their own data to keep it totally safe. Some funds worry the size of public cloud providers makes them a hacking target.
Others say only platforms like Amazon Web Services have the money and expertise to put in place the safest systems. Research firm Gartner says Amazon holds almost double the amount of data held by its seven nearest competitors combined.
"Few firms have the means to stay on top of cyber security," said Alexandru Agachi, the chief operating officer of Empiric Capital, a Knightsbridge-based hedge fund. "The largest clouds in the world do have these resources." LITTLE DATA Some anticipate a wholesale move.
"This will be the last set of servers we buy," said Andy Flatt, Chief Technology Officer at London-based fund Omni Partners. "My guess is that in three years we will not be buying physical servers".
Others fear that many breaches - beyond well-publicized hacks of celebrities' images stored on Apple's iCloud - may go unreported. "If you're storing someone else's data, you'd think there'd be hacks on that but that's not something we've seen," Garry Liburn, detective inspector for the Metropolitan Police Cyber Crime Unit, said at an event in Mayfair last month.
Under the FCA's new guidelines, which only took effect in July, firms should tell the regulator if they experience a breach. The watchdog declined to comment on whether any had reported incidents.
"I am sure there have been hacks of the cloud ... no one is reporting them," said Viktor Ula, managing partner at investment consultant PivotalPath. "If a cloud reported a hack, it would halt their growth. The risk that everyone believes exists out there would then be perceived to be even higher and folks would probably revert to having systems internally."
Such fears explain why some funds, like $10 billion Systematica Investments Services, reject the cloud."Systematica does not use any external cloud at this point in time," said Matt Kilsby, chief operating officer at Systematica. "Security is a big risk, with the growing range and complexity of cyber crime in the backdrop."
Ian Massingham, a technical evangelist at Amazon Web Services (AWS), told Reuters AWS hadn't had any hacks, though it was possible to create an insecure system using AWS.
"When we give you the resources, you're creating machines, you're configuring machines on our platform so we give you a set of tools - but it's in your hands," he said.
(Reporting by Maiya Keidan and Jemima Kelly, additonal reporting by Joshua Franklin, Lawrence Delevingne and Andrew MacAskill; Editing by Ruth Pitchford)