A recent Ernst & Young survey of 56 financial institutions in the U.S. and Canada reveals that there's room for improvement in information security practices at financial institutions, particularly in the frequency and quality of communications about incidents, security policies and business unit requirements. The survey sample included 17 commercial or consumer banks, 22 insurance companies, 13 investment banks and four other financial firms.
The top five reported problems: viruses/worms, employee misconduct, denial-of-service attacks, loss of customer data and amateur hackers. From these threats, security has attained a higher profile within the industry. "There has clearly been an elevation of information security to a senior leadership position within the organization, as well as to the board level," says William Barrett, partner at Ernst & Young LLP (New York).
But the topic may not make the agenda often enough. "It's still a little surprising that 43 percent do [board-level security reports] annually or longer," says Barrett. "Where you have identified gaps in information security or vulnerabilities...you would want to have a quarterly update to the board of directors around how you're closing those gaps."
There's also a growing consensus among financial institutions that company shareholders should hear about the status of information and physical security programs, with 60 percent in favor of such reporting. Already, a related disclosure will be required under the Sarbanes-Oxley Act. "When management makes an assertion about its internal controls, the external auditor is going to render an opinion on management's assertion in the annual report," says Barrett.
Inside the organization, the survey data suggests that information security personnel should increase their contact with managers. Only 35 percent of respondents currently meet "monthly or more often" with business unit leaders to understand their needs and objectives, and an equal number reported doing so annually or less frequently.
Strained budgets and resources certainly make it harder to stay secure. But for financial institutions, it's a cost of doing business, not a luxury item. While it's relatively easy to determine information security spending, calculating the return on investment requires several hard-to-test assumptions about what might have happened in the absence of those investments. Sixty percent of respondents rarely, if ever, try to calculate such an ROI, with 18 percent doing so only "sometimes."
ONCE MORE INTO THE BREACH
Financial institutions cannot simply worry about their own backyards. In particular, insurance companies have a significant stake in the security practices of their customers. On the one hand, carriers that underwrite security breach policies have a vested interest in boosting security among the insured. On the other hand, customers who are not insured against such losses may not be aware of their own exposures, which may cause contractual rancor down the line. "There still are a lot of companies that believe that their traditional lines of coverage cover them for breaches of security," says Barrett. "Insurance companies have been working to try to educate companies about it, but it's still an uphill battle."
At stake are some fairly significant exposures, including the theft and destruction of information, losses from unauthorized electronic funds transfers, and the costs of identifying and remedying any such breaches. Accordingly, insurers have taken a keen interest in the security practices of their corporate customers. Similarly, commercial lenders and investors also want to know that their financial interests are adequately protected by sound information security practices in their clients' organizations.
Thus, the financial sector may have valuable experience to share with enterprises in the corporate arena and the government sector alike. Indeed, fully 50 percent of survey respondents rated the government as having a "marginal" ability to secure its critical infrastructure in the event of a malicious attack or disaster.
"The government can learn from the private sector in terms of closing the gaps around information security and physical security issues," says Barrett. "When I look at banks, they probably are the ones to which most industries can look for ways to improve."