Category: Financial

The world’s financial and banking systems are under increasing attack from internet viruses. Many attacks, according to the Deloittes Global Security Survey 2004, have resulted in costly losses.

Despite this experience, the survey also found that 25 per cent of the top 100 companies interviewed have flat budgets for their security systems.

This month Westpac was penetrated by the Sasser virus which slowed down its information processing. Westpac spokesman Paul Gregory said the bank’s systems were purged overnight and no financial loss was incurred. Westpac, AMP financial Services and Kiwi Bank also said they regard information systems security and planning to be critical.

Global leader of Deloitte’s IT Risk Management and Security Services, Adel Melek, said the challenges were getting greater as banks fought bigger battles around security and resources stagnated. Although more than 70 per cent of respondents saw viruses and worms as the greatest threat to their systems in the next 12 months, only 87 per cent had fully deployed anti-virus measures.

The ASB’s general manager retail banking Barbara Chapman said her organisation had security as a top priority and its banking systems had never been penetrated. Management took a very firm view that security was critical. There were significant policies, practice and adequate funding to support initiatives in this area. She said an area where there was potential for harm for any bank was when customers accessed their accounts from unsafe environments like internet cafes. It was the same as being aware that someone could be watching as you used your Eftpos card to get money from a hole in the wall.

More info: http://www.dsinet.org/?id=3797

The accord — known as Basel 2 because it would replace an existing regime — is a set of rules governing international bank capital and oversight and is focused on preventing financial problems from spreading across borders while taking into account modern risk management methods.

But Roeder said the United States will conduct an extensive survey of how the new regulations will affect the estimated 10 large U.S. banks that must follow them.

Officials have not publicly identified which 10 banks will be subject to the rules, but they must have at least $250 billion in assets or have 10 percent of their assets outside the United States.

http://www.reuters.com/financeNewsArticle.jhtml?type=bondsNews&storyID=5065845

Generally, we hear about the exorbitant losses in the more spectacular cases, or about totals gleaned from the annual Computer Security Institute/FBI Computer Crime Survey.

In fact, even the CSI/FBI survey doesn’t do justice to the magnitude of business loss from cybercrimes (see “The Indirect Cost Of Cybercrime,”).

You usually don’t see information-security managers applying capital-budgeting techniques, such as the net present value (NPV) or internal rate of return (IRR), to information-security infrastructure investments.

Since information-security managers go up against other department managers for a share of the budget, it’s to their advantage to catch up with their peers who specialize in capital budgeting.

“I go to security conferences where we sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says Adam Stone, a security management analyst for the financial-services industry.

He says we can learn from the methods of financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time to predict and measure business effectiveness in a rational way.

Those who do think in economic terms are grappling with ways to use ROI and NPV to provide economic justification for investments.

The “somewhat less than $100” that you get now is the NPV of the $100 you’ve been promised in a year.

So, rather than the traditional accounting notion of ROI, economists prefer to talk in terms of NPV or IRR, the latter being a time-adjusted notion of rate of return.

http://www.banktech.com/story/BSTeNews/showArticle.jhtml?articleID=18901266

Implementation is due in 2007, but requires that banks are using Basel compliant systems and data for several years before then.

The most widely perceived benefit is an improved credit rating system, followed by improved management of operational risk. A reduction in capital requirements was only the fourth most highly rated benefit.

Amongst UK banks, progress is generally greater – but they have concerns around the cost of implementing Basel, lack of IT flexibility, and uncertainty over how the regulator will be assessing the robustness of the systems they have developed. Globally, around 10 percent of banks are still establishing their Basel teams – and in the Asia Pacific region this climbs to as high as 22 percent. Only eight percent of banks have reached the testing and validation phase of their project on credit risk (although this rises to 15 percent in the Americas).

While 46 percent of banks have reached the systems modelling stage or further on credit risk, only 33 percent have done so on operational risk. Banks are also generally planning to take a more advanced approach to credit risk than operational risk – over a quarter are intending to take the most advanced approach to credit risk, while only 11 percent plan to do so on operational risk.

Barriers
The cost of complying with Basel was seen as the biggest barrier – perhaps not surprisingly, as half of respondents said that their total Basel budget was less than $1 million. Other widely cited concerns were lack of time, lack of data for operational losses, inflexibility of existing IT systems (a concern in Europe especially) and, in the Asia Pacific region primarily, a shortage of Basel experts. Concerning Europe, Jane Leach commented “Whilst European banks are relatively ahead of the pack, they cannot afford to be complacent.

More info: http://continuitycentral.com/news0980.htm

The Banking Industry Technology Secretariat (BITS) in Washington released the security guidelines as an addendum to an existing framework for managing business relationships with IT services providers. The group’s goal is to help financial services firms streamline the outsourcing evaluation process and better manage the risks of handing over control of key corporate systems to vendors.

The guidelines are based on the International Standards Organization’s ISO 17799 code of practice for information security management, which covers categories such as documenting corporate security policies and classifying assets. They also include best practices gathered from BITS members and input from vendors, government agencies and third-party IT auditors, said Faith Boettger, a senior consultant at BITS.

Bob Cedergren, second vice president of information security and business continuity planning at Fortis Inc., a financial services firm with U.S. operations in New York, said security concerns related to outsourcing are getting more attention in corporate boardrooms. “Each time there’s a virus outbreak, this gets discussion within our CIO group here at Fortis as well as with the CEOs” of individual business units, Cedergren said.

Many of the financial services industry’s certification standards, including Statement on Auditing Standards No. 70, SysTrust and WebTrust, don’t fully cover what companies have been looking for in a best-practices matrix, according to Boettger.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/543]http://www.bankinfosecurity.com/?q=node/view/543[/url]

The document serves as a guide for management and hopes to clarify some of the ambiguities bank management has to confront.

On January 17, 2001, the banking regulatory agencies adopted guidelines implementing the security and privacy requirements for Section 501b of the GLBA. The guidelines require financial institutions to establish a comprehensive and coordinated information security program, appropriate to the size of the bank and the complexity of its operations. However, many bank managers are still struggling with what exactly is expected of their financial institutions to satisfy these requirements.

This is further complicated by the fact that the examiners themselves are still learning how to address these new regulations causing inconsistencies among various regional areas and regulatory agencies. This will soon change and banks are in need of a better roadmap so as not to be caught off guard at their next examination.

GLBA mandates that banks ensure the security and confidentiality of customer records. These records have become more accessible to patrons and business partners with the advent of online banking, ATMs, and email.

Just as banks have taken numerous steps to assure physical security, they need to take steps to prevent network intruders from copying sensitive data and using or distributing it.

GLBA is the call for financial institutions to take the steps to seek out and prevent these acts.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/457]http://www.bankinfosecurity.com/?q=node/view/457[/url]