CUInfoSecurity.com Interviews Catherine Allen, CEO of BITS on Information Security at Financial Institutions
LINDA MCGLASSON: We'll get right into the questions. You have the ears and know the opinions of the top 100 financial organizations in the United States. What is their vision, in your view, of the state of information security at financial institutions here in the United States?
CATHY ALLEN: I think that the CEOs are very concerned, very aware, and proactively working to address the concerns of information security. And by that, I mean concerns about data breaches and the loss of public confidence, customer confidence. By that, I mean looking at the processes, the technologies, and the sort of internal people training that makes the institutions more aware and more concerned, and more proactively addressing the information security areas.
I just recently met with the CEOs. Every year I go out and meet with about 30 or 40 of them one on one, and I thought I might share with you what's top of mind for the CEOs of these 100 largest financial institutions. They are wireless security, and I think part of their interest there is because they use handheld devices, their Blackberries, their Treos, and other devices, and they're acutely aware of how wireless is proliferating, both devices and networks, but also the applications and the concerns about security and delivering payments and information services over the wireless networks. So that's one major area that they're concerned about.
Second is cross-channel payments risk. The fact that through information security breaches, the fraudsters or bad guys are able to leap from one payments channel to another and to use information from one channel in another channel. So that is of concern.
I've mentioned the data breaches and public confidence issues. Research is showing that consumers are increasingly concerned about identity theft and about their data being breached, and this latest TJX breach is a good example of where financial institutions are going to need to reissue a number of cards, both debit and credit cards, and yet it is not the financial institution's fault that the data was breached, it was the retailer's fault. So it's one of those issues where the CEOs are very concerned about the liability and the responsibility they have to their customers, yet they're relying on other institutions, third parties who may actually have the breach.
Lastly, they're concerned about the cost of compliance with all the regulations that are addressing, and sometimes overlapping regulations addressing, data security and information security, how to make sense of those, how to have more efficiency in compliance and to work collaboratively with the regulators to address that. Lastly, their top-of-mind concern is third-party providers and how they can manage them and have oversight on their third-party providers to make sure that they're meeting the regulatory requirements that we have and that they're ensuring that our customer data is held secure. That's the genesis of much of the work we've done in the Shared Assessments Project.
LINDA MCGLASSON: Cathy, of those items that you just mentioned what is the most damaging cyber threat facing financial institutions and our customers today, and in your opinion have we been winning this war against cyber crime?
CATHY ALLEN: The answer is, we are in the war. We're in numerous battles on cyber crime. I don't think it is winnable in the short run. I think only in the long run when we have a combination of technologies that help us to detect and prevent intrusions, we have processes in place that are not only for financial institutions but for other third parties, and retailers, and others that we trade or interact with, and until the law enforcement, until we make it a significant enough crime and the punishment for that crime significant, I think we're going to continue to have these battles. The most significant thing is the data breaches and they may come from botnets and keystroke loggers, or breaches of databases, and then using that data for identity theft or fraudulent activity on accounts. It not only is a fraud that occurs, but it harms public confidence in not only the financial services systems but also in technology.
I think that our dependence on IT, on telecommunications and the power industry means that all of those industries need to work collaboratively to address these problems. A good example of that is work we're doing on e-mail security where we are requiring financial institutions to adopt more rigorous practices and also some technologies that strengthen that e-mail security component. We're also going to the vendors, the ISPs, the Internet Service Providers, to have them also adopt the practices and technologies. That's just an example of one way of approaching the battlefront, using your analogy.
LINDA MCGLASSON: So it's multiple levels and different fronts. In a recent essay that you published, you noted that 9/11 showed us that our industry was dependent upon other critical infrastructures. What is BITS doing to help focus attention on the big picture for business continuity within our industry and how will this help the regular financial institutions plan for the next Katrina or other such events like the predicted avian flu pandemic?
CATHY ALLEN: Excellent question. Much that we learned from 9/11, and BITS started proactively to bring together the industry to look at how we might address either future terrorist events or any kind of mega-catastrophe that would impact a locale or impact the industry as a whole. Examples of some of those things are early on when the Department of Homeland Security created the code levels of red, orange, yellow, we developed some best practices of what needed to be implemented both in the information security and the physical security area for our industry. We then shared that with the Department of Homeland Security, who actually made those best practices available to all critical infrastructure industries.
A second thing that we did is we worked with some of our members in the Chicago area and created Chicago First, which was the first regional coalition of the financial services community with the state and local government law enforcement first responders. We then worked with Treasury to develop a cookbook, so to speak, of how to create regional coalitions, and that was published and has been used and shared with the industry to create other first responder financial services regional coalitions like Miami First.
A third thing that we did is we spent a lot of time looking at this interdependency issue, in particular on the IT industry and on the telecom industry, and then thirdly on the power industry. On the IT area, we engaged with Microsoft, and IBM, and others who provided software and operating systems, and developed a set of requirements, business requirements that our industry wanted from them to address the vulnerabilities in the software and operating systems. So we've had that relationship for some time and have been working together to try to identify and address both things that could be affected in a very short time period.
In the telecom area, we worked with the NSC, the National Communications Service out of the Department of Homeland Security, to look at the diversity and redundancy issues that are in the telecom infrastructure. We had some private proprietary meetings around that. We worked with the in-staff to get them, this is the presidential advisory board for the telecom industry, to address these diversity and redundancy issues. We created a white paper and best practices, and that's available on our website, on what the financial services sector needs to do to have the required diversity and redundancy, and also what the telecom sector needs to do. All of this we've worked very closely with the regulatory agencies to make them aware of the dependency issues and what they might be able to do in terms of negotiations and discussions with these other third-party and telecom-related industry players.
I sit on the INREC, which is an advisory council of the FTC. We brought the same diversity and redundancy issues to bear there and are working very specifically with ADIS, which is a group of the CIOs of the telecom industry. We did two pilots, one with the Federal Reserve and one with one of our member companies, to actually map out what it would take to get the diversity and redundancy that we need, and what the cost might be around that. So in the telecom interdependency area we've done a lot of work.
Similarly, we worked with the power coalition to look at alternative sources of power, or backup power when there has been a major power outage. Again, the assumption is that the power grid will go down at certain times. Much of the lessons that we learned when we had the power outage a few years ago, I believe it was in August, in the New York and Detroit area, and again that's a white paper that identifies the issues, the best practices for our industry, and best practices for the power industry.
So in the IT, telecom, and power industry we've done quite a bit of work. We've done a lot of work to help look at business continuity issues and disaster recovery, and today one of the things that we do is we have been supporting the FSSCC, which is the trade associations in the financial industry led by Treasury, meeting on a quarterly basis to address, again, business continuity and crisis management kinds of issues. In that group, we've done a lot of work on the pandemic and preparing for pandemics with the Financial Services Roundtable, which had a mega-catastrophe task force. We've developed recommendations for the government and for the industry on how to handle a mega-catastrophe, and that includes a pandemic, something like the avian flu or some other kind of major biochemical type of disaster.
So there's a large body of work available for free and for the public on our website that we think serves as a strong core for the financial sector and for other critical infrastructure sectors to be able to understand how to prepare for disasters and how to enhance their business continuity program.
LINDA MCGLASSON: Great answer, by the way. Going on to another question related to some of the things that you at BITS have been working on, what is the acceptance level within the industry of BITS' product certification program and the shared assessments program?
CATHY ALLEN: Let me start with the BITS product certification program, which we developed, now it must be four or five years ago, which is a minimum set of security requirements for a number of different software applications. We actually have six different software application security requirements. Those are available on our website. We then worked with various laboratories like the NIST laboratory to make it compatible with the Common Criteria testing, and then we have had a number of vendors go through the testing process. I think we're now up to seven or eight that have actually gone through the process and have received the BITS tested marks.
We also worked with our own financial industry providers, because much software is developed internally, for them to adopt these minimum security requirements into their own software development process. That has been widely adopted by the financial services members. The challenge in this particular area has been the vendors saying, "Unless you require me to do this testing," such as the Common Criteria is required for some of the military procurement, "I'm not sure we want to go through it." So it's been more jawboning with them. The interesting thing is, the more that we've had the concerns about data breaches and more public understanding of these cyber security threats, the more interest we're getting from the vendor community.
So we think that that program, the BITS product certification program, will continue to grow, and certainly the work that we did, the minimum security requirements, it's a good body of work that can be used by any industry. It was something that was developed by the financial sector. It was vetted by our regulatory agencies, vetted by the vendor community, vetted by experts in information security, and it serves as a baseline for software application development. So that was one step in addressing, as I mentioned before, this dependency on the IT community; that was one piece of that work.
The second is our shared assessments program, financial institution shared assessments program, and this came out of our work in managing third party service providers through BITS. The first step was, we developed a framework of what we needed to know and manage of third parties whether they were in Indiana or India that would meet our regulatory requirements. So we developed a framework of what an institution should be looking at.
The second step is we mapped questions against the regulatory requirements, so Gramm-Leach-Bliley, Sarbanes-Oxley, advisories that had come from the FFIEC on outsourcing, and said, what are the kinds of things that we need to be auditing or assessing for, or the questions that need to be asked. Then that led to this development of a SIG. It's really a questionnaire and an assessment tool, we call it an AUP, over the past year and a half. The questionnaire collects all the kinds of questions that should be asked of a vendor by a financial institution. The AUP is the assessment tool that goes back and looks at the controls that are in place that address the questions that have been asked in the SIG, the questionnaire. We developed this with the Big Four audit firms, with the financial services industry and with vendors who helped with a pilot. Six of our financial institutions, six vendors, and the Big Four actually conducted pilots last year to make sure that we had the right process in place.
We now have working groups. I think the number is up to 40 or 42 right now of members in these working groups, which are financial institutions, the vendor community, and the assessment community, looking at revisions, we just published 2.0 on the AUP, to the questionnaire. We have assessments underway right now. Our target is 100 different assessments this year and that will be both in the U.S. and in India that will be shared then by the financial community. What this does is it creates a much more rigorous assessment than a SAS 70. It's complementary to the SAS 70 but much more rigorous, much more focused on data security, and privacy, and customer information protection issues.
Secondly, it allows one audit of a vendor as opposed to 50 financial institutions going in 50 times and doing 50 audits. This is a consistent audit that then can be shared with those institutions. Thirdly, it coordinates all of the financial institutions so you have a common set of questions and a common set of assessment control processes so that the vendor does not have multiple institutions coming in with slightly different versions of what they think is a requirement of GLB or a requirement of Sarbanes-Oxley. So it's a much, much more cost-effective and efficient effort. It's also much more rigorous, which is good for the industry and good for the vendors. So we're finding not only adoption within the financial community but enthusiastic response from the vendor community.
So we see this year as our major rollout year to try to get 100 assessments done, and then we see, we'll really launch much more rigorously in the following year. All of the assessment tools and the questionnaires are available on our website so that you can download them and try to understand what you in the vendor community need to do to be prepared for the assessments, and for the financial community to know, coming out of some of the largest financial institutions and best managed in the vendor management area, they're the players that really put this assessment tool and questionnaire together.
LINDA MCGLASSON: Cathy, we've been described by some as an industry divided by those institutions who "get the need for security and do it well" and on the other side of the river are those who go through the motions for compliance sake because they don't either get the need for security, or they are unable to afford the level of protection needed in this wild, wild west of the Internet and pervasive computing environment that we all operate in now. In your opinion, what more can be done to bridge this divide between the two sides and all of those in-betweens?
CATHY ALLEN: Well, that's an excellent question because I think it's one of the major challenges we have today. I do not see this problem about information security abating. In fact, I see it getting worse because the fraudsters and the bad guys that are out there are becoming more technologically sophisticated. They understand better how the financial systems work and it's where the money is. So I think we're going to continue to see challenges and we need to work as an industry and with others in the industry such as the IT industry to really try to address these issues. There is the divide, the large financial institutions, most obviously the BITS and Roundtable members are really sophisticated about this issue. The CEOs are well versed in it. They're concerned about it. They have the appropriate processes and technologies that are being invested in. But still we have concerns about breaches because, again, it's something that is, you cannot be 100% secure.
On the other side, the smaller to medium sized institutions just don't have either the resources or the sophistication that competes with the larger institutions. So part of what the industry has done is try to share best practices with them. Much of the work, if not all of the work that BITS does in the [indiscernible], we have affiliate memberships with the ABA and the ICBA, and CUNA who participate in the working groups and then share that information with their members and the smaller institutions. So that's one way we try to have the larger guys help the smaller guys, so to speak.
Secondly, we work very closely with the Fiservs, and Metavantes, and the processors that serve the medium to small sized players and try to get them to adopt the best practices that the industry has. The third area is the regulatory community, which has a vested interest in the smaller players being up to speed. They try to educate them. They provide them with the same advisory. When the examiners go in, they try to help those institutions put in place the kinds of policies and technologies that will help address the areas are really shared assessments program, and through that they're trying to get the vendors that serve these smaller communities to have better practices, and again higher levels of security, which helps the industry in total.
But we'll continue to see challenges for the small to medium sized institutions just because of the investments that are needed, and unfortunately many of the bad guys see that vulnerability and are beginning to go after smaller institutions as a way to then interface into the larger network.
LINDA MCGLASSON: Cathy, the influx of phishing and other malware exploits hitting our institutions and our customers is soaring. What are some of the solutions you at BITS see that may offer some help for institutions, especially the mid and smaller sized ones who you just mentioned aren't afforded the same level of staff to fight the attacks at the same level of intensity larger institutions are?
CATHY ALLEN: Several things. A paper that's about ready to come out that we're working on, on e-mail security, really addresses one of the technologies that, as I mentioned, the Fiservs or the Metavantes could implement. We're also working with the Internet service providers for them to implement those best practices and technologies. So that's one step.
Secondly, we have published best practices on Internet fraud, on phishing. We have a phishing network where our members provide instances that are happening and are sharing that with the industry, and how they handled those phishing attacks. So there's a way to either go to our website and get some of the best practices or to participate in the anti-phishing network. A third way is to really talk to some of the larger players who've been through this multiple times and talk to them about what technologies they've implemented to address the phishing issue. So that's all sort of the preventative technology area.
We just recently did a conference with the ITAC. BITS and the Roundtable put together a utility to help consumers for free if they've been victims of identity theft, and it's a utility that stands behind the member organizations. Through that, through this conference that we put together, we talked about what do you do when you have a data breach? What are the kinds of communications you need to make? We put a white paper together that's called Consumer Confidence on, again, how a financial institution needs to handle it when they've had a breach, and how they communicate with their employees, their customers, the consumers and with the regulators. Again, that is something that's on our website that is useful to medium to small sized institutions.
Then lastly, working with the regulators, they have a number of what I would call educational advisories and information, and again when the examiners go into the institutions they can provide those as well. So there is information there. I think sometimes the problem with the smaller institutions is, even if they have a CIO, that CIO has many other responsibilities. So it's a timing issue; just having the time to understand what you need to do is the problem.
LINDA MCGLASSON: Some of the recent guidelines issued by BITS focused on keeping consumer confidence high. I think you just mentioned one. Is this an indication of a growing problem of erosion of consumer trust, and where do you see the level of consumer confidence in, let's say, online banking, and has the move to strengthen authentication methods per the FFIEC guidance helped at all?
CATHY ALLEN: We are concerned about consumer confidence. There are two studies recently out, the Ponemon Study and a Visa Study, that showed that one in five consumers are leaving an institution when there's been a breach. That's a large number, because we all know the cost of keeping customers or acquiring new customers, and to have a customer leave just because you had a breach is a significant concern.
If you look at general numbers, you're seeing a decrease in, I would say, confidence in the Internet, in the technology per se. However, what we consistently see is that consumers do have a belief that their financial institution will make them whole, that their financial institution will help them if they become a victim of a breach or of an identity theft problem. So the confidence within their own institution is strong. It's when there's been a breach, those people who are concerned about privacy are the ones that are leaving. On the one hand, the confidence is still there that their institution will take care of them. On the other hand, we're seeing some national studies that are saying when any institution is breached there is a significant impact, and as I said, that's one of the issues that the CEOs are very concerned about, this lack of consumer confidence.
Now, with regard to the FFIEC guidelines on authentication, most of the institutions are just implementing now stronger authentication and it varies by the levels of risk. I think you will see that contributing towards confidence. It certainly is something that needed to happen to have institutions focus on stronger authentication of who their customers are. However, for many of the breaches that occur, authentication would not have helped them. Sort of the man-in-the-middle problem, the breaches that may occur because they access a database or because viruses have been residing on a PC or on a server for some time. So there's not a direct correlation in the reality of security breaches with having stronger authentication in the breaches that have occurred today.
LINDA MCGLASSON: Other than the e-mail security project that you guys are working on, can you comment on any other ongoing projects that the industry will want to look for from BITS in 2007?
CATHY ALLEN: Absolutely. Probably the biggest project we're taking on right now is on wireless security and we're going to be doing a thorough analysis of the devices, the networks, and the applications, including payments, whether or not there are appropriate levels of security. If there are not, what kind of best practices and recommendations we have for the financial sector as well as for the device manufacturers and the telecom and network providers. So that will be a big piece of work and it relates back to our CEO concerns about wireless. It also relates to the proliferation of wireless activity, and in particular payments through cell phones and through other kinds of wireless devices. So that will be a big area.
A second is in encryption, and looking at appropriate levels of encryption, stronger levels of encryption, and who manages keys. What happens when, years from now, you need to uncrypt or decrypt information, and who has the keys to be able to do that. We did a paper and best practices in 2006 on data storage and retrieval, physical data storage and retrieval, and out of that came best practices, which included encryption of data that may be on tapes or kind of the physical data component to it. So this next phase is going to look at some of the electronic storage of data and how encryption fits in.
In the fraud area we're looking at mortgage loan fraud, debit card fraud in light of some of the breaches that are occurring at retailers, looking at [indiscernible] payments risk where we're seeing fraud move from channel to channel because they may have gathered information in a debit fraud scheme but then used that for the DDA account or for a credit card fraud scheme. So looking holistically at how fraud occurs across the payments areas.
Then in the third party service providers, in addition to this massive rollout of assessments and in participation in shared assessments, we're looking at global assessments and how we can have a stronger coordination, collaboration with the regulators in examining third parties that may reside abroad and what other kinds of controls we might put in place that would assure that the kinds of security is in place that we need to have in place, and what special circumstances occur in the global environment. Those are just some examples of that, and then on March 15th we're actually having an internal fraud forum where we're bringing together regulators, the technology providers, some examples of best practices on how firms are handling gangs of people or internal fraud that may occur from employees or teams of employees that maybe have been planted in the institutions.
Also, promoting a shared fraud database that Early Warning Systems is managing for BITS, and that is where institutions are putting the names of former employees who've either been fired and can prove that they were fired for fraud, or convicted, or confessed. Then institutions are able to ping against that database so that they're not rehiring people that have committed fraud in financial institutions. So that internal fraud focus is one of the things that we'll do in a forum, and again we'll promote some of the activities that we've already done in that area. In June, I believe it'll be June 19th and 20th, we will have a wireless forum, and that will bring people up to date with what we've learned to date on the wireless area and take us to the next step.
Then, probably in the November/December time frame we'll do another forum that will be information security related. Don't have the topic yet, but as we all know these issues keep emerging, and last year our forums were on cross channel payments risk. They were on the data breaches and how you handle them from a communications point of view. They were on AML and the link between AML and terrorist funding. So we try to do these forums, which are invitation only but open to the public, on topics that really help the industry think about the problems, think about what best practices need to be developed and what kinds of efforts the industry needs on a collaborative basis.
LINDA MCGLASSON: That's a lot to look forward to. Finally, Cathy, do you have any words of wisdom or maybe encouragement for those information security practitioners out here in the financial services industry?
CATHY ALLEN: Well, first of all I love them. They're my favorite people because really they're the heroes that are going to help us understand how to understand, to mitigate, and to really proactively address the information security breaches that we have. So it's a great field to be in and I have the utmost admiration for them. As you know, we have a security and risk assessment steering committee and working groups that are made up of many of the CISOs or information security professionals, and some of the best and brightest in our industry are in the field. Number one, I congratulate them and I honor them for the work that they're doing.
The second thing I would say is for them to think holistically, to look at fraud and information security and where they come together. One of the things we're recommending to our member companies is that they break down the silos between the various fraud groups within an institution and the information security people. They need to have cross communications because much of the fraud that's occurring is starting with an information security breach.
Then the third thing I would say is it's as important to have your institution know how to communicate how to address these security threats to the board of directors and to their customers as it is to have the technologies, and processes, and people kind of skill sets in place. So it's really important that the information security people work closely with the corporate communications people to really have a program ready for when, not if, a breach occurs, in how they communicate to the board of directors and their stockholders, and how they communicate to their customers and employees. So, again, that role of the information security expert needs to be broadened to think about the communications side as well as the technology side.
LINDA MCGLASSON: Cathy, thank you so much for your time today and we will look forward to seeing more of this great work that the BITS is doing for our industry. I just wanted to thank you for all of your answers.
You've just listened to a podcast with Catherine Allen, CEO of The BITS. I'm Linda McGlasson with CUInfoSecurity.com. Tune in soon for the next interview in our series with information security experts, cyber luminaries, and top financial institutional leaders.