By Kevin M Nixon, MSA, CISSP, CISM, and Laura Wilson, JD, CISA candidate
While the world eyes the valuation meltdown in financial services, don’t neglect the danger to regulated systems and data. The pitfalls of underestimating the financial risk of transactions are now apparent; the fallout from underestimating the information security implications of transactions is waiting in the wings. We believe that, in addition to the obvious threat to market stability, the current situation has the added element of national and global security concerns. Misuse of financial systems and information can cause widespread, immediate, and long-lasting disruption to our daily lives and our society.
It is frequently assumed that established financial services firms have the information security threat well covered. That assumption is frequently wrong. Despite spending hundreds of millions to manage risk, significant gaps remain in the due diligence and ongoing monitoring of the business relationships that give third parties access to financial systems and data. We have encountered multiple projects in which vendors providing products and services to financial services companies had access to the Fort Knox of financial systems and accounts, and to the data elements that allow entry to those accounts; yet many of the security protections, reviews, and controls that were supposed to be in place for vendors with this level of data access were bypassed. And this was during the good times.
Everybody has gaps – that’s why there are internal audit and other control functions. This is not the time for finger-pointing; it’s the time for finding and fixing the material gaps before we further lose control of this data.
Many of these gaps are readily fixable, and can be addressed efficiently without stopping business. Getting a better handle on vendor relationships (frequently called ‘outsourcing’ by the financial services industry) won’t prevent all information security breaches, but financial services companies must know and monitor the parties that access information assets.
The financial services industry is well versed in the multiple laws and regulations to which it is subject. The industry consortium BITS (www.bitsinfo.org) has long articulated the risks of outsourcing. Many companies have well-documented policies to address this risk. What they frequently miss is how the gaps occur, and how to fix them.
Many of the gaps happen in the contracting process – the entire lifecycle of selecting, reaching agreement with, and performing the relationship with a vendor of a product or service. The current threat environment, which includes terrorism, organized theft of individual and corporate financial assets, and just-for-fun hackers, makes new security, due diligence, and risk management demands of financial services companies. The old way of analyzing and managing these deals and business relationships cannot keep up. Because many different teams are involved in the lifecycle of a deal, because the teams have different vocabularies, areas of expertise, requirements and agendas, and because the teams find it difficult to coordinate these competing needs, the controls that are supposed to protect systems and information are often bypassed if the myriad teams do not understand the risk and how readily it can be addressed.
For a long time, the deal management function was based on a manufacturing, assembly-line model. This approach, and the compensation of the deal team, emphasized speed of the process, cost-cutting, and keeping the internal project sponsors happy ('customer satisfaction'), rather than the due diligence and control functions required for a threat environment. The deal team had little incentive to push back on an unacceptable proposal, and much of the due diligence and risk mitigation was pushed to the back end, after the deal was done and the contract signed. That's like agreeing to pay for an expensive piece of real estate that will process sensitive radioactive material, but not inspecting the property until after the contract is signed and the check cashed.
Most business teams don't want to do the wrong thing, but many have not been given the information or tools to adequately understand the situation and make supportable decisions. Most contract and deal teams don't want to do the wrong thing either, but the old job functions have not been given the gravitas, training, or compensation structure needed to push back on proposals that carry unacceptable risk.
It’s hard enough to protect this stuff during good times. With layoffs, cost-cutting, companies folding, projects changing hands, and unhappy workers bearing flash drives, keeping track of these information assets and who touches them is a huge challenge.
This is not the time for financial services to cheap out on information security. While the industry, regulators, and consumers are watching the dollar valuation, do not forget to protect the systems and data.
October 31, 2008 at 9:54 am
Is any of this due to the fact that we have a growth based economy?
I’m not real up on this stuff…
October 31, 2008 at 10:04 am
I believe this mainly has to do with issues of converting from a paper file to electronic data storage, how to control where the data ends up, who can get to it and who can not.
Technology is being implemented at a faster pace than the safe-guards and protocols can be developed.
The risk is not only to people in general – ID theft and such – but also the entire financial industry as a whole.
And now that the industry is cutting back on expenses and personnel, does that also mean they will be cutting costs on security?
This is ultimately a national security issue. There will be a series of articles dedicated to these issues right here at YourMortgageOrYourLife.com, and they will be even more in-depth than this introductory article.
We are just getting started.
Thanks!
November 2, 2008 at 10:00 pm
I don't like how our personal information is an asset to most companies, where they will try to sell mailing lists to credit card companies or home loan brokers, and they will try to compete for your business.
I mean, the same companies we trust to keep track of and get our credit scores are also the same companies which will group you with other people with similar financial needs, then sell your name, address, and social number to banks and brokers. I mean, why are we so surprised when our information is being stolen nowadays?
Our SS# must be floating around so many server systems in the country, and some of it may be outsourced to other countries if server space is cheaper; then when a company tries to update their software, the legacy software with the information is still stored on there for anyone who can access it.
November 2, 2008 at 10:39 pm
I agree Harry – are we incentivising the very security breaches we are spending billions to prevent?
The whole idea that a company can – through contracts with financial companies that I also have contractual agreements with – collect data on me and others, subsequently sell that information to undisclosed entities while simultaneously barring my access unless I pay them, too, is ridiculously one-sided to say the least, and not in the consumer's favor.
I think you have hit on an important aspect of the problem – the resulting black market for confidential information.
Since it is apparent we will not be able to de-value data, that leaves us with improving the security protocols we employ.
Part of this project is not only identifying problem issues, but to also make suggestions as to how we may best combat these threats.
What systemic changes do you envision both government and the private sector needing to undertake in order to prevent a catastrophic security breach – be it financial or with other national security issues?
Thanks Harry!
November 4, 2008 at 10:27 pm
That is really hard to say, because the system works so well with it being centralized between a small group of agencies. They've monopolized the industry of our information and credit scores, so they could do anything they want with it prior to the government putting a strong ban on information selling, which I don't foresee ever happening.
The government doesn't have much reach either; after implementing Sarbanes-Oxley on the accounting industry, it didn't stop people from finding other ways to trick the analysts and cook the books. What can the government really do to the credit rating industries?
I remember taking an Ethics class in my MBA, and it makes me wonder whether these guys who head large corporations at this very instant ever took an Ethics class or not, because so much corruption begins at the top of the pyramid and sprinkles its way down the rungs. Will the new generation of workers who just got out of college, who have more exposure to previous bouts of corruption, be able to weed it out and replace these old-timers with more ethical practices?