One of the challenges for putting in controls around information integrity is that it is a hard sell: what's really the value of accurate information? This is in contrast to something like information security where it is also hard sell, but much easier. The reason? When an information security breach occurs, it is largely to access something of value that can be monetized. The Poneman Institute puts this cost at approximately $174 per record.
Consequently, it is easier for someone to go to the CEO/CFO and explain how tightening controls around information security will protect the company's bottom line. Furthermore, information security breaches are something that has entered the mass consciousness within the business community: SunGard was quick to reassure everyone that the issue affecting BNY Mellon's accounting software was NOT attributable to "any external or unauthorised systems access".
When making the business case for controls over information, it can be challenging to show how the control will lead to savings in terms of "decision failure", i.e. the cost of making the wrong decision due to unreliable information. Let's face it: most companies are willing take big risks on their information by continuing to rely on spreadsheets that have an error rate of 88%. Furthermore, as highlighted by this Protiviti study, internal auditors understand the information integrity challenges but are not getting the funding to tackle them.
So the incident at BNY Mellon is rare occurrence where something that is mis-priced can actually lead to costs. As noted in the Wall Street Journal:
"A software glitch this week at fund administrator Bank of New York Mellon Corp. caused difficulties in pricing many mutual funds and exchange-traded funds, prompting some fund sponsors to publish lists of funds whose stated asset values were erroneous.
What can you do if one of your funds is on the list, meaning you may have overpaid for shares?
Reach out to your fund company and ask for a refund. They don’t have to give you one but firms may do so because of their often long-term relationships—ones they want to keep—with investors, analysts said."
The other costs include:
- Direct costs: As noted in the WSJ, "BNY Mellon was working on a separate contingency plan, mobilizing more than 100 accountants to manually calculate the values of thousands of fund securities". The company also required SunGard to come in and work at their premises to fix the issue. If the company had to pay extra for this work to be completed, it would add up quickly.
- Loss of business due to damaged reputation: Experiencing these types of issues exposes the company to the loss of business due to their reputation being damaged.
- Regulatory scrutiny: Yes, BNY Mellon is under regulatory review. As noted in the Boston Globe and Yahoo Finance, BNY Mellon's technical problems have attracted regulatory scrutiny of Massachusetts's Secretary of State William F. Galvin who has sent letters of inquiry to the company to investigate what happened. Regarding the incident he said: "In the warp-speed of trading these days computer problems can happen...But the fallout that seems only to affect large financial institutions can hit the average investor looking at his and her retirement money".
Of course we won't know the full cost until, the regulatory probe finishes and the publish their findings or the cost was material and this shows up in the financial statements. Regardless, organizations should be proactive in ensuring that sufficient technology controls are in place and that these types of risk are controlled.