Financial institutions' leaders must come together to deal with data security risks and compliance requirements, reports Illena Armstrong.
CEOs, government regulators and IT security pros may hold disparate views on information security planning for financial institutions, but their ultimate goal seems the same: secure customer data.
Still, competing strategies can derail even the best-laid plans. For the information security leaders who recently attended SC Magazine's 2011 Financial Services Roundtable, C-level executives and government regulators often complicate both the data security outcomes they want and the methods used to achieve them.
Especially among CEOs, concerns about compliance and regulation rule, said Leigh Williams, who spoke at the event as president of BITS, a division of an umbrella organization called the Financial Services Roundtable, which is made up of about 100 financial organizations, including banks, insurers, investment firms and others. (Williams has since left BITS to serve as the director of the Office of Critical Infrastructure Protection and Compliance Policy at the U.S. Department of Treasury. Paul Smocer, former technology risk manager at Bank of New York and CISO at Mellon Financial, who first joined BITS in 2008, is now the organization's president.)
Because the financial crisis led to everything from the creation of the Consumer Financial Protection Bureau (CFPB) to myriad regulations, CEOs want assurance from IT and information security executives that data security and data reporting standards put forth in these rules are upheld, Williams explained during the SC Magazine Roundtable, which was sponsored by HP Enterprise Security.
“Foremost in their minds, for better or worse, is this avalanche of regulation,” he said. “You can argue about whether that's a good thing or a bad thing, but it absolutely crowds out some of their thinking about opportunity and customer service and I know they're frustrated about that.”
Many SC Roundtable attendees agreed, noting that while their CEOs don't necessarily get into the detail of how the organization stays compliant with regulations, they do have firm expectations.
“From a compliance and risk management perspective they're very, very tuned in and I think it's generating a lot of the push down in terms of action amongst our teams…” said one attendee who asked to remain anonymous.
Multifactor authentication is of particular interest, many SC Roundtable participants agreed, especially given the updates issued earlier this year to the Federal Financial Institutions Examination Council (FFIEC) authentication guidance, which since 2005 has pushed institutions to adopt such technologies to combat attacks like phishing. The revisions specifically address corporate bank account takeovers, which have plagued financial services organizations of all sizes more recently. Small and midsize businesses have been particularly targeted, losing millions of dollars after criminals hijacked their online banking accounts and drained funds through fraudulent wire transfers.
The new guidance directs financial institutions that process these high-risk transactions to implement layered security: detection and monitoring systems that flag suspicious transactions; dual customer authorization, in which a second authorized user at the customer must sign off on a transaction before it completes; out-of-band verification, in which the bank confirms the transaction with the customer over a separate channel such as a phone call; or a list of approved payees supplied to the bank by the customer. The layering matters because an attacker who has phished a single login should still have to get past a second user, a second channel or a payee check before money leaves the account.
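As an added example (not code from the article, from FFIEC or from any of the institutions mentioned), the following Python sketches how those layers fit together on a single outbound wire request: a customer-supplied approved-payee list, a simple amount-anomaly test against the customer's recent history, dual authorization above a customer-set threshold or whenever monitoring raises a flag, and an out-of-band confirmation requirement whenever a flag is raised. The customer profile, the wire requests, the thresholds and the z-score anomaly test are all constructed assumptions for illustration, not anything the guidance prescribes.

```python
"""Layered controls for an outbound wire request.

Added example; the customer profile, history, thresholds and the
z-score anomaly test are constructed assumptions, not FFIEC rules.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class WireRequest:
    customer: str
    payee: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None  # second customer user who signed off
    oob_confirmed: bool = False        # customer confirmed over a separate channel


# Constructed profile: payees the customer registered with the bank,
# its recent wire amounts, and the amount above which two sign-offs are required.
PROFILES = {
    "acme-widgets": {
        "approved_payees": {"steelco", "payroll-llc"},
        "history": [4200.0, 5100.0, 4800.0, 5000.0, 4600.0],
        "dual_auth_threshold": 10000.0,
    }
}


def amount_is_anomalous(amount: float, history: List[float], z: float = 3.0) -> bool:
    """Flag an amount that sits far outside the customer's recent pattern."""
    if len(history) < 3:
        return True  # too little history to trust: treat as anomalous
    mu, sigma = mean(history), pstdev(history)
    sigma = max(sigma, 0.05 * mu)  # floor so a flat history still flags a large jump
    return (amount - mu) / sigma > z


def evaluate(req: WireRequest, profiles=PROFILES) -> Tuple[str, List[str]]:
    """Run the layers and return (decision, reasons).

    RELEASE: every applicable control is satisfied.
    HOLD:    a required control (second approver, out-of-band confirmation) is missing.
    REJECT:  the customer is unknown to the bank.
    """
    profile = profiles.get(req.customer)
    if profile is None:
        return "REJECT", ["unknown customer"]

    # Layer 1: monitoring. Each flag below forces the stronger layers on.
    flags = []
    if req.payee not in profile["approved_payees"]:
        flags.append("payee not on customer's approved list")
    if amount_is_anomalous(req.amount, profile["history"]):
        flags.append("amount outside customer's recent pattern")

    missing = []
    # Layer 2: dual customer authorization above the threshold or on any flag.
    # The approver must be a different user than the initiator, or a single
    # stolen credential could satisfy both roles.
    if req.amount >= profile["dual_auth_threshold"] or flags:
        if not req.approved_by or req.approved_by == req.initiated_by:
            missing.append("second approver distinct from initiator")
    # Layer 3: out-of-band confirmation on any flag.
    if flags and not req.oob_confirmed:
        missing.append("out-of-band confirmation")

    if missing:
        return "HOLD", flags + ["missing: " + m for m in missing]
    return "RELEASE", flags


if __name__ == "__main__":
    # Constructed requests: a routine payroll-sized wire, then an account-takeover
    # pattern (new payee, ten times the usual amount, no second sign-off).
    samples = [
        WireRequest("acme-widgets", "steelco", 4900.0, "alice"),
        WireRequest("acme-widgets", "offshore-holdings", 48000.0, "alice"),
        WireRequest("acme-widgets", "offshore-holdings", 48000.0, "alice",
                    approved_by="bob", oob_confirmed=True),
        WireRequest("acme-widgets", "payroll-llc", 12000.0, "alice", approved_by="alice"),
    ]
    for s in samples:
        decision, reasons = evaluate(s)
        print(f"{s.payee:18} {s.amount:>9.2f} -> {decision:7} {reasons}")
```

Note that the third request is released even though monitoring flagged it: the flags are kept in the reasons list so the review trail shows which layers were exercised, while the fourth request is held because the initiator approved her own transfer, which defeats the purpose of dual authorization.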