Prying Into Banking’s Privacy Practices

Of all the regulations that have been placed on the banking industry in recent years, there is one related to privacy directors must pay special attention to. The Gramm-Leach-Bliley Act requires financial institutions to ensure the security and confidentiality of customer information. And it specifically holds the board accountable for understanding a bank’s information security program and for reviewing it annually.

“It’s a fundamental mind shift,” says Lawrence T. Levine, managing director at Lincolnshire, Illinois-based SecurePipe, a provider of security services. “It’s the first piece of legislation that makes the board responsible for something technical.”

And now, four years after the act’s privacy provisions took effect in July 2001, there’s solid evidence bank regulators are starting to take privacy laws seriously.

“My forecast is the examiners are going to start asking a lot more questions about the board’s involvement,” Levine says.

Moreover, today, there is more to be concerned about beyond Gramm-Leach-Bliley. The USA Patriot Act, passed in 2001 to combat terrorism, requires financial institutions to develop procedures to verify the identities of new account holders. And the Bank Secrecy Act, which aims to detect money laundering, has been around much longer, but regulators appear to be applying it more stringently. Last fall they slapped Birmingham, Alabama-based Amsouth Bancorp with a $50 million fine for failing to report suspicious activity. They followed up in January with a $41 million fine against Washington, D.C.-based Riggs National Corp., now part of PNC Financial Services Group Inc. in Pittsburgh.

Not only are the regulations more numerous and binding, the security threats are far more menacing. As little as 10 years ago, most banks supported their operations with dumb terminals. Now most banks tap into Internet-connected PCs, which allow far greater functionality but also expose the bank to all the perils of the Web. “The significant difference now is virtually everything I do is potentially compromised,” says Charles Welsh, president of Alexandria, Virginia-based NETBankAudit, a provider of security risk assessments and technology audits.

The scope of the security threat to Internet-connected institutions is alarming. In 1988, Carnegie Mellon’s CERT Coordination Center recorded only six attacks against Internet-connected systems. By the end of 2003, after identifying 137,529 incidents in that year alone, the research and development group decided such attacks were too commonplace to count. CERT then sought to develop more meaningful metrics to assess the scope of attacks, and in 2004, it issued the findings of a survey of 500 organizations, which found losses from electronic crimes in 2003 equaled $666 million.

Those figures do not take into account blows to a bank’s reputation. A California law that requires companies to notify customers in the event of a security breach has brought unwanted press to scores of institutions. Even potential breaches make good copy. Dumpster-diving television news crews regularly highlight companies that throw away customer information without shredding it. Such exposes are “very popular, especially during sweeps weeks,” says Beth Givens, the director of San Diego-based Privacy Rights Clearinghouse, who has been asked to appear on several such segments.

Shredding documents might seem like a small detail in an overall security program. But the ability of crooks to make money off of discarded paper points to another troubling aspect of today’s information security problems: They have as much to do with policies and procedures as they do with technology. “Information security problems are not just IT problems,” says Levine.

The first step toward gaining control over security is simply understanding its importance. “This isn’t hype,” says Welsh. “There are still way too many banks that see security as a pain. Until they take the attitude that dealing with the problem of information security has to be made almost into a lifestyle, then the regulators will climb all over your organization.”

Instilling greater respect for security starts from the moment an employee is hired, Welsh says. Many banks, for example, require new employees to go through security training and even sign a document saying they did so. But banks often drop the ball on updated training. “You have to build an environment where everyone knows they are responsible and they are constantly being reminded of it,” Welsh says.

Even those banks that have embraced the importance of security often find they are unable to keep pace with criminals. A particular hardship is the growing acknowledgement that regulators want to see Internet networks monitored 24 hours a day, seven days a week. Retaining sophisticated security professionals, and paying them to work around the clock, is simply beyond the financial means of most community banks.

As a result, many have turned to outside professionals known as managed security services providers, or MSSPs, who take over the burden of monitoring banks’ networks. Professionals at MSSP operations centers are trained to watch for suspicious traffic coming in over a bank’s Internet servers. One basic offering is known as “intrusion detection,” in which MSSPs notify institutions of anomalous activity. Generally, dangerous-looking activity is grouped into categories of high, medium, and low risk. Providers produce regular reports of the types of risks encountered and work with institutions to find ways to mitigate those risks.

Banks are helping to drive growth of MSSPs in North America, a profession whose revenues are projected to grow from $950 million in 2004 to $1.7 billion by 2007, according to Kelly Kavanagh, a senior analyst at market researcher Gartner Group in Stamford, Connecticut. A community institution, depending on its size and requirements, might expect to pay between $25,000 and $100,000 a year.

An important point to keep in mind is that outsourcing security is not equivalent to outsourcing responsibility for it. Banks that offload security take on the burden of managing that vendor relationship. Ultimately, says Welsh of NETBankAudit, banks have to “exercise control over the actual security of data … and prove control exists.”

A useful mechanism for proving an outsourcer has adequate controls in place is by ensuring the bank hires vendors who have a SAS 70 designation. This refers to Statement on Auditing Standards No. 70, which is given to vendors that have achieved an industry-accepted standard of sound practices. Even with this measure though, banks still need to show they are ultimately responsible for their data should the vendor run into any problems.

It’s also important that vendors provide the board with reports that are comprehendible to people who don’t have a technology background. “You don’t want something with a lot of techno-geek that will put you into a coma,” says Danny Johnston, president and CEO of Gladiator Technology Services, an Alpharetta, Georgia-based managed security provider. Two levels of reporting can be usefulu00e2u20ac”one for systems administrators that is more technical, and one for executives that summarizes events.

Among the pieces of information that should float up to the board level are instances when the vendor failed to meet the terms of its service-level agreement, Johnston says. For example, the board should know that a vendor took four hours to respond to a high-level alert if the contract stipulated two hours. “If I’m on the board, I want to know, ‘What were the exceptions?’” says Johnston. Directors should also be apprised of the results of vulnerability tests, in which a vendor attempts to penetrate a bank by acting as a hacker would, he says.

In all likelihood, most banks will experience a security breach at some point, experts say. So a good crisis management plan, which clearly articulates how the bank will talk about the breach with its customers, is essential. “It’s about calming down customers,” says Marilyn Seymann, a founding partner of the Directors’ Council and an associate dean at Arizona State University, “because the reputation of the bank can be sullied.”

In the end, communication is the most important element of an effective security policy. “Directors need to challenge [chief information officers] to provide them with effective information,” says Gladiator’s Johnston. “They need to have as much capability to measure a bank’s performance in technology as they do with loan quality.”

Bad news, in particular, should find its way to the top. “The worst risks are the ones you are surprised by,” says Seymann. “What it really comes down to is communication between management and directors.” |BD|

Join OUr Community

Bank Director’s annual Bank Services Membership Program combines Bank Director’s extensive online library of director training materials, conferences, our quarterly publication, and access to FinXTech Connect.

Become a Member

Our commitment to those leaders who believe a strong board makes a strong bank never wavers.