September 30, 2003

A recent Ernst & Young survey of 56 financial institutions in the U.S. and Canada reveals that there's room for improvement in companies' information security practices, particularly in the frequency and quality of communications about incidents, security policies and business unit requirements. The survey sample included 22 insurance companies, 17 commercial or consumer banks, 13 investment banks, and four other financial firms.

The top five reported problems: viruses/worms, employee misconduct, denial-of-service attacks, loss of customer data, and amateur hackers. From these threats, security has attained a higher profile within the industry. "There has clearly been an elevation of information security to a senior leadership position within the organization, as well as to the board level," says William Barrett, partner at Ernst & Young LLP.

But the topic may not make the agenda often enough. "It's still a little surprising that 43 percent do board-level security reports annually or longer," says Barrett. "Where you have identified gaps in information security or would want to have a quarterly update to the board of directors around how you're closing those gaps."

There's also a growing consensus among financial institutions that company shareholders should hear about the status of information and physical security programs, with 60 percent in favor of such reporting. Already, a related disclosure will be required under the Sarbanes-Oxley Act. "When management makes an assertion about its internal controls, the external auditor is going to render an opinion on management's assertion in their annual report," says Barrett.

Inside the organization, the survey data suggests that information security personnel should increase their contact with managers. Only 35 percent of respondents currently meet "monthly or more often" with business unit leaders to understand their needs and objectives, and an equal number reported doing so annually or less frequently.