IT security important, but firms need a push
Despite the heightened need for IT security, firms are slow to implement changes unless they are legislated, suggests the latest OR&C Intelligence survey. Ellen Davis reports
Although firms value their IT security function and believe it is effective, IT security is seen primarily as a compliance issue, and new initiatives are the result of regulatory or legislative activity, according to the July OpRisk & Compliance Intelligence survey.
The new survey, sponsored by audit and risk consulting firm Protiviti, shows that "regulatory compliance" is the top security concern among respondents for the next 12 months. Actual security events, such as financial fraud involving information systems, loss of customer data privacy, or a major virus, Trojan or worm, ranked considerably lower in respondents' answers.
This response is not surprising, say industry experts, since regulators around the world have paid a lot of attention to IT security over the past several months. From new anti-money laundering regulations to guidelines on the prevention of phishing and other online crimes, IT security has become an area that regulators are focusing on in congressional hearings, in new guidance and in discussions with industry groups. For example, in late June the US Senate Banking Committee published its long-awaited data security legislation for financial services firms. The banking data security bill, introduced by Republican Robert Bennett and Democrat Tom Carper, would let existing bank regulators handle data breaches within the industry, while the Federal Trade Commission would oversee all other industries.
Internationally, the sources of these regulations are many and varied. In particular, increased regulatory activity around Basel II's operational risk requirements has motivated firms to make their IT security provisions more robust. In a strong second place, with 22% of the vote, is internal controls. "Sarbanes-Oxley has made financial services firms take a good, long look at their internal controls frameworks," says one op risk executive based in the US. "Many didn't like what they saw, in terms of how things were protected within organisations." Other regulations that have motivated firms to boost their security profile include privacy rules (12%), among them recent European Union legislation on data protection.
Motivation
But "should it be regulation that is motivating firms to improve their security around information systems", asks the operational risk manager. "Why aren't firms making business cases to improve this area? Why aren't they taking a more proactive approach? Where is the leadership in this area?"
Perhaps this regulatory-driven attitude comes down to executive management's view of the security function at firms. Some 47% of respondents view it as a "utility that is part of IT", while some 7% believe that senior management "know security exists but have no idea where it is or what it does". These neutral-to-negative attitudes towards IT security among senior executives could mean that firms are not getting what they could – and should – out of their IT security programs.
Industry experts say this is worrying. More than 5.5 billion phishing emails are sent every month – one June e-mail targeted National Australia Bank customers, telling them the institution was about to go bankrupt. More than 1000 Australians were conned by this attack, downloading a Trojan that stole their login and password details. In another case this month, a Royal Bank of Scotland employee allegedly fiddled with his firm's computer systems so that he was able to loan millions to key accounts over the course of several years. His scheme was not discovered until a new computer system that had been installed crashed as a result of the fraudulent transactions. Meanwhile, a recent report by the European Banking Federation (FBE) indicated that there is a bank robbery in Europe approximately every 90 minutes – indicating that physical security of financial institutions is still a major issue.
Even with all of this negative publicity about security at financial services firms, some 58% of respondents to the survey rated their firm's security team's effectiveness at dealing with external threats as well as internal threats a "4" or a "5". Some 66% gave their firms top marks for monitoring and reacting to security events, while 63% said their IT security teams earned a "4" or "5" for their efforts at supporting end-user platforms. Scores were similarly high across a number of other topic areas, such as supporting regulatory requirements and driving security awareness.
But where IT security departments seem to fall down is when they are asked to specifically deliver against business unit needs. Some 31% of respondents gave their IT security departments poor scores of only "1" or "2" on their ability to demonstrate business value, via such tools as metrics. Another 35% gave their firms a score of "3" – which seems especially low in the context of the much more positive responses to other parts of the same question as detailed above.
Going forward, most firms are working toward automating IT security controls to make compliance with regulations in this area easier. While some 23% of respondents said they already have such controls in place, another 22% said they were planning to automate their controls and 20% said they had a specific project underway to do so.
However, 17% of respondents said they plan to rely on manual controls and audit on a regular basis, while another 16% indicated that they do not have plans to automate controls in response to security requirements.
Meanwhile, 21% of respondents said they would be updating and aligning their policies and procedures over the next year, while 17% would be conducting new training and awareness-raising exercises. Just 11% said they would be aligning their security infrastructure with various industry standards. OR&C