Much has been written about cybersecurity and the measures that mutual fund boards should take to ensure that their fund shareholders’ information and assets are protected in the event of a system outage or cyberattack. Overall, most funds and their service providers have implemented adequate programs to address traditional system outages—primarily through business continuity plans (BCP) and other measures. Cyberattacks, however, should be viewed differently from hardware/software outages, as traditional BCPs do not always address the impact of a cyberattack by bad actors. Because cyberattacks and ransomware attacks are deliberate and constantly evolving, ongoing discussions with fund management and continuing education of board members are imperative.
In May, Colonial Pipeline, operator of the largest U.S. fuel pipeline, shut down its entire operation for five days after its financial computer networks were infected by a ransomware attack and it feared the hack could spread to its industrial operations. The shutdown led to widespread gasoline shortages and caused temporary price spikes and was resolved only after Colonial paid nearly $5 million to the hackers who orchestrated the attack. Clearly, these bad actors’ techniques are better than ever, and as a result, they are targeting large high-profile firms with aging technology infrastructures.
What is to stop a bad actor from turning on the very valuable mutual fund industry? Fund administrators and the few remaining fund complexes that perform their fund accounting in-house are particularly vulnerable to ransomware attacks, and fund companies are high-profile targets that cannot afford to miss their daily net asset value calculations due to the financial and reputational risks associated with these types of cyberattacks.
There are only three major fund accounting systems used to calculate NAVs for U.S. mutual funds and exchange-traded funds, and all three are over 30 years old with antiquated technologies at their foundation—leaving them extremely vulnerable.
The custodial banks and other fund administrators that utilize these third-party fund accounting platforms report that they have periodic system outages that leave them scrambling to calculate an accurate NAV that can be reported to NASDAQ, brokers and intermediaries, and other interested parties. This should be very concerning to fund board members.
The highest-profile system outage happened in August 2015 when a leading service provider’s fund accounting system failed, and the provider was unable to calculate the daily NAVs for nearly 1,200 funds for a week. This event had a significant impact on the service provider’s reputation and cost it $3 million in fines and undisclosed reimbursements to shareholders because of incorrect NAVs being used for fund admissions and redemptions during the week-long outage.
The following insights are intended to help shape the thinking of fund board members as they look to modernize their fund NAV resiliency policies and procedures in the wake of a global pandemic and advanced cyber threats—including ransomware attacks, which often result in corrupted data even when the ransom is paid.
The Securities and Exchange Commission’s Division of Examinations earlier this year released its 2021 examination priorities, and it should be no surprise that information security and operational resiliency is again on the list. The SEC stated that information security is critical to the operation of the financial markets and participants’ confidence and said the Division “is acutely focused on” working with the industry to identify and address related risks. The SEC also included:
“Over the past year, the increase in remote operations in response to the pandemic has increased concerns about, among other things, endpoint security, data loss, remote access, use of third-party communication systems, and vendor management. The Division will review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment.”
In other words, SEC examiners will be taking an even closer look at how fund complexes and boards are overseeing their NAV resiliency policies and procedures, whether those are performed internally or by a third-party service provider.
Adequate NAV Oversight, Resiliency
For the sake of clarity, NAV resiliency should not be confused with fund valuation oversight, which is governed by new SEC rules under the Investment Company Act of 1940 (Rule 2a-5 and Rule 31a-4) that went into effect on March 8, 2021. Fund valuation oversight focuses on the processes of valuing individual securities held by a fund, while NAV resiliency focuses on the ability to calculate a contingent NAV in the event the primary fund accounting service fails to compute a NAV due to a cyberattack, ransomware attack, or some type of system outage.
Considering the recent ransomware attacks and a global pandemic that resulted in many middle- and back-office operations staff working outside the office, now is a great time to review funds’ policies and procedures around NAV resiliency.
Before reviewing the major approaches to NAV resiliency, it’s important to understand that a disaster recovery plan within a BCP is not an appropriate solution for NAV resiliency. While having a second instance of the fund accounting software and data in a separate data center is a proven solution for recovering from certain hardware or software problems, it is not a sound approach for NAV resiliency. Rather, it is simply an approach to be able to get your primary accounting book of record (ABOR) back online.
The three popular models for NAV resiliency:
- Contingent NAV: This is the most comprehensive solution to NAV resiliency, as it relies on the deployment of a second mutual fund accounting system that is separate and distinct from the primary ABOR. This second system could be operated by the primary fund accounting service provider, the fund sponsor, or another third-party service provider. This approach does require the daily processing of all executed security trades with full income and amortization accrual accounting, corporate actions, daily pricing, profit and loss reporting, and an integrated general ledger to produce financial reports to fully support the contingent NAV.
The most critical aspect of any contingent NAV solution is that it be a very low-touch (near lights out) operating environment, as it is cost prohibitive for most fund sponsors to pay twice for the fund accounting of their mutual funds. Therefore, it’s imperative to find a solution that includes a native cloud (preferably SaaS-based) that is completely online/real-time and requires little or no human intervention other than the final comparison of the contingent NAVs to the primary ABOR NAVs.
A significant benefit of the contingent NAV approach utilizing a modern native cloud SaaS-based application is that the fund sponsor will have a platform from which to perform data analytics with advanced machine learning and artificial intelligence to fulfill their obligations as the named administrator of the funds; the fund sponsor also will be able to produce fund fact sheets and support the sales and marketing efforts of the firm.
- NAV Approximation: Most NAV resiliency programs are based on a NAV approximation approach where there is no real investment accounting engine deployed, as there is in the contingent NAV approach outlined above. There are different variations of this operating model, but fundamentally the mutual fund data is received from the primary ABOR system each day and loaded into Excel and/or a vendor-provided or in-house application, then a series of checks are performed. These include a comparison to relevant benchmarks/indices to compute an approximate NAV, which is then compared to the primary NAV computed by the official fund accounting service provider.
The fundamental flaw in this approach is that it does not produce a NAV that could be reported to NASDAQ or used by other systems for more than the initial day of an outage or cyberattack. On Day 2 of an outage or cyber event, if the primary ABOR is still offline, there will be no way to refresh the mutual fund data in the NAV approximation system. This will result in the fund company deciding to use a stale or unaudited NAV for that day’s fund transactions, which in a volatile market could vary significantly from the real NAV for that day and every subsequent day that the primary ABOR is offline.
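The Day 2 problem described above can be made concrete with a small simulation. The following is an added example, not code from the article or from any vendor it mentions. It assumes the simplest variant of the NAV approximation approach: yesterday's NAV rolled forward by the benchmark's daily return. The fund and benchmark returns are constructed values chosen so the fund slightly outperforms its benchmark each day. The simulation runs twice: once with the ABOR online, so each day's approximation is rebased on a fresh official NAV, and once with the ABOR offline, so the approximation is rebased on the prior approximation and the tracking error compounds.

```python
"""Constructed illustration of approximate-NAV drift during an ABOR outage.

Assumption (not from the article): approximate NAV = prior NAV * (1 + benchmark return).
Real programs use richer checks, but every variant shares the same dependency on a
fresh official NAV from the primary ABOR to rebase from.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample data: a three-day outage window. The fund earns slightly
# more than its benchmark each day, a typical source of tracking difference.
START_NAV = 10.00
FUND_RETURNS = [0.010, 0.012, 0.011]        # what the ABOR would compute, per day
BENCHMARK_RETURNS = [0.008, 0.009, 0.008]   # index moves available to the approximation


@dataclass
class DayResult:
    day: int
    true_nav: float      # NAV the primary ABOR would have produced
    approx_nav: float    # NAV produced by the approximation model
    error_bps: float     # absolute difference in basis points of the true NAV


def approximate_nav(base_nav: float, benchmark_return: float) -> float:
    """Roll a known NAV forward by the benchmark's return (assumed approximation rule)."""
    return base_nav * (1.0 + benchmark_return)


def error_bps(approx: float, reference: float) -> float:
    """Absolute deviation of the approximation from the reference NAV, in basis points."""
    return abs(approx - reference) / reference * 10_000


def simulate(start_nav: float, fund_returns: List[float], benchmark_returns: List[float],
             abor_online: bool) -> List[DayResult]:
    """Run the approximation day by day.

    abor_online=True : each day rebases on the official NAV from the prior day (normal operation).
    abor_online=False: no fresh data arrives, so each day rebases on the prior approximation
                       (the Day 2+ situation the article describes), and errors compound.
    """
    results: List[DayResult] = []
    prev_true = start_nav     # last official NAV the fund actually has
    prev_approx = start_nav   # last number the approximation model produced
    for day, (fund_ret, bench_ret) in enumerate(zip(fund_returns, benchmark_returns), start=1):
        true_nav = prev_true * (1.0 + fund_ret)
        base = prev_true if abor_online else prev_approx
        approx = approximate_nav(base, bench_ret)
        results.append(DayResult(day, true_nav, approx, error_bps(approx, true_nav)))
        prev_true, prev_approx = true_nav, approx
    return results


def days_over_tolerance(results: List[DayResult], tolerance_bps: float) -> List[int]:
    """Days on which the approximation would fail a tolerance check against the true NAV."""
    return [r.day for r in results if r.error_bps > tolerance_bps]


if __name__ == "__main__":
    for label, online in (("ABOR online (rebased daily)", True), ("ABOR offline (no refresh)", False)):
        print(label)
        for r in simulate(START_NAV, FUND_RETURNS, BENCHMARK_RETURNS, abor_online=online):
            print(f"  day {r.day}: true {r.true_nav:.4f}  approx {r.approx_nav:.4f}  "
                  f"error {r.error_bps:5.1f} bps")
```

With the ABOR online the error stays at roughly one day's tracking difference; with it offline the error grows every day the outage persists, because there is no official NAV to reset from. A tolerance check that passes on Day 1 therefore says nothing about Day 3.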
- Repurposed NAV Engine: This approach is like the contingent NAV approach with the major difference being a legacy fund accounting system is used to perform the shadow accounting. While this approach will deliver some of the same benefits as the contingent NAV, the cost to operate will be substantially higher than using a modern native cloud solution designed to run in a low-touch operating environment. Furthermore, the legacy fund accounting systems are not going to provide advanced analytics or fund administration dashboards, or effectively support the fund sponsor’s sales and marketing efforts.
What should fund boards do to mitigate the risks associated with failing to produce a daily NAV due to a cyberattack, ransomware attack or an extended system outage?
Here are some suggestions:
- Appoint an executive to be responsible for a NAV resiliency plan.
- Appreciate that the risks of not being able to calculate the daily NAV for a fund, or funds, are real. These include:
  - reputational risks to the adviser,
  - financial risks associated with stale NAVs used for shareholder activity; and
  - SEC fines and other enforcement actions.
- Understand that different types of system outages will likely require different remediation plans. For example:
  - Hardware and software problems often can be solved by a sound business continuity plan.
  - Cyberattacks and ransomware attacks are problems that go beyond a BCP solution.
- Ask these simple questions of your fund accounting service provider:
  - If your primary NAV engine (ABOR) is unable to compute our fund NAVs for whatever reason(s) for a day or an extended period of time, how will the fund’s NAVs be computed during that outage?
  - How will we get the ABOR details for our internal reporting, particularly if the outage persists for days or weeks?
- Ask your administrator/fund accountant for a very specific NAV resiliency plan, and review that plan with industry experts.
- Request regular full-scale BCP and separate NAV resiliency tests to be reported to the board.
- Hold discussions across industry forums and in other settings regarding NAV resiliency best practices. The Independent Directors Council and Mutual Fund Directors Forum would be great places to start to help raise awareness of the importance of a true NAV contingency plan.
Since that major fund accounting system outage in 2015, fund companies and their service providers have implemented some NAV resiliency programs. However, most of those fund companies have adopted a NAV approximation approach and not a contingent NAV approach. The primary reason for this is that until recently there were no native cloud SaaS-based NAV solutions available, and the repurposed NAV engine approach was too expensive to implement and operate.
Some market observers see the 2015 outage as a black swan event, but the reality is that the aging technologies and the advanced cyberattacks and ransomware attacks do pose an exigent threat to the mutual fund industry in the United States. Fund companies and the fund accounting service providers are reporting that the fund accounting system outages are becoming more frequent (several hours per day in some cases).
When fund boards ask about NAV resiliency, the responses range from confusing to misleading. This must change so fund boards can help establish NAV resiliency policies and procedures so fund sponsors can avoid a major disruption to their businesses that can have significant financial consequences. Fund boards would be well served to fully understand the differences between NAV resiliency, fund valuation oversight governed by Rule 2a-7, and business continuity plans. What’s more, they should encourage fund management and their service providers to implement a true contingent NAV solution and hold them accountable when—not if—the next major industry event occurs.
Kirk Littleton joined FundGuard as a sales director in February, bringing to the role more than 35 years of mutual fund industry experience ranging from business development to product management to pre-sales to implementations. Previously, he was at InvestCloud from 2017 to 2021, where he focused on trading, accounting, and other wealth management solutions sales, and at Ultimus Fund Solutions from 2012 to 2017, where he led business development. Earlier in his career, he held sales and product leadership roles at SunGard, now part of FIS, and at BNY Mellon, where he worked with the Eagle STAR system and served as managing director of global outsourcing.