Securing the Source Code – VMS Navigates Mutual Fund Industry Regulations with Technology Escrow

By Rachel Melary, Iron Mountain

Located in Southern California, Vertical Management Systems, Inc. (VMS) is a 50-person company that provides data services related to mutual fund pricing, and develops accounting software for automation and control of mutual fund portfolio accounts.

Founded 17 years ago, the company started with just two employees developing custom software to help a large mutual fund company reconcile and balance its fund positions.

The company’s founders then began providing daily data to financial services companies on the pricing and asset value of mutual funds. Currently, this service covers approximately 30,000 different mutual funds.

Following several successful years of developing custom software during the mid-1990s, the founders made a business decision to package this software and sell it to other mutual fund companies. The business model entailed installing the software in a bank, and then supporting it over its lifecycle. VMS landed a major client based on their innovative software package, and subsequently grew from its staff of about 15.

Ron Cash, now VMS’s Executive Vice President and Chief Technology Officer, joined the company at this point with the goal of growing the development staff and the number of software installations. Cash explains that around the start of the new millennium, “We started to play with the idea of hosting applications ourselves. We recognized that on-premises licensed software was becoming an old paradigm at that point in time, and we said, ‘Let’s go to a web-based model and deliver it over a browser.’”

This decision was catalyzed, in part, by the events of September 11th. Cash states, “After September 11, 2001, everything we had in the sales pipeline came to a screeching halt” due to the general paralysis of business decision making in the U.S. “We adopted a model where our clients could pay a small monthly fee, which would be an easier decision for them. This drove monthly recurring revenues for VMS and helped stabilize our cash flow, allowing us to grow more effectively.”

VMS continued with both software models: licensed software installed at the customer site and a Software-as-a-Service (SaaS) model hosted by VMS. Cash continues, “We felt that by diversifying, we’d be better off long term, and this has proven to be a wise decision as we’ve successfully weathered the 2008/2009 economic situation. We basically redesigned our next generation software to be a web model, which we could support much more easily.” VMS only needed to keep one code base, and within the software they could turn various features on or off.

The Challenge: Navigate Industry Requirements and Regulations

Larger clients gravitated toward the on-premises model because they liked to have control over every aspect of their business. Meanwhile, medium-sized and smaller clients were more experienced with other service bureau types of arrangements, and chose the SaaS model because of lower up-front costs and the fact that VMS handled everything for them.

In both cases, VMS had to navigate requirements and regulations specific to the financial services industry, and stand behind the service level agreements they had with their customers. This is where technology escrow came into play.

Cash states, “We were dealing with huge companies and we started to go through their security audits to ensure that their standards were being met. We not only had to audit ourselves, but we get audited by a handful of these customers every year for routine compliance and regulatory purposes. Our customers have to prove to their regulators that VMS is performing to the same levels and standards to which they would need to adhere themselves.”

Initially, technology escrow was a requirement of the larger customers who had the VMS software onsite. As part of their service level agreements many of them were requesting to have their source code escrowed. Cash explains, “We work with some companies that are huge – they have a hundred thousand employees. And they said, ‘Look, you are a small company, we have to make sure we can get the source code in case something happened to you guys.’ And, we understand that entirely.” A few years later, VMS added technology escrow protection for its SaaS customers as well.

The Solution: Protect On-Premise and SaaS applications with Technology Escrow

The solution that VMS was looking for would have to protect both the on-premise and SaaS customers, so VMS was looking for a solution provider with a robust set of offerings. Additionally, the selected vendor would have to have the trust of VMS’ customers as well as the trust of the VMS team. The obvious choice was Iron Mountain, as Cash states, “it was going to be easier for us to pass muster with our customers by having Iron Mountain store the source code, rather than using somebody that no one had heard of.”

While most companies know Iron Mountain for their document retention and shredding services, VMS ascertained that Iron Mountain had escrow services for on-premise software and added escrow for SaaS applications in 2007. VMS now safeguards both the source code and the object code for their SaaS product. Data protection is also provided through a server backup service offered by Iron Mountain.

VMS’s customers are pleased with VMS’ response to their requirements, as they are insistent that strong internal control processes be in place for their vendors, eliminating exceptions on their audits. VMS recently completed a successful SAS 70-Type II audit, which is a service provider’s internal audit. The server backup service that was implemented was specifically referenced in this audit to protect the data for hosted clients.

Cash comments, “To be a quality service provider, we have to show customers that our data centers meet a certain standard. We take care of our source code and our object code, and we are properly managed. These become big selling points to show a broad tier of clients that, even though we are a small company, we are very sophisticated and we are very capable of doing things correctly.”