IT Security: Room for Improvement

Financial services companies could still do better, but the unique concerns of the industry will result in valuable lessons to share with other industries and government.

A recent Ernst & Young survey of 56 financial institutions in the U.S. and Canada reveals that there's room for improvement in companies' information security practices, particularly in the frequency and quality of communications about incidents, security policies and business unit requirements. The survey sample included 22 insurance companies, 17 commercial or consumer banks, 13 investment banks, and four other financial firms.

The top five reported problems? Viruses/worms, employee misconduct, denial-of-service attacks, loss of customer data, and amateur hackers. From these threats, security has attained a higher profile within the industry. "There has clearly been an elevation of information security to a senior leadership position within the organization, as well as to the board level," says William Barrett, partner at Ernst & Young LLP (New York).

Security Gaps

But the topic may not make the agenda often enough. "It's still a little surprising that 43 percent do [board-level security reports] annually or longer," says Barrett. "Where you have identified gaps in information security or vulnerabilities you would want to have a quarterly update to the board of directors around how you're closing those gaps."

There's also a growing consensus among financial institutions that company shareholders should hear about the status of information and physical security programs, with 60 percent in favor of such reporting. Already, a related disclosure will be required under the Sarbanes-Oxley Act. "When management makes an assertion about its internal controls, the external auditor is going to render an opinion on management's assertion in their annual report," says Barrett.

Inside the organization, the survey data suggests that information security personnel should increase their contact with managers. Only 35 percent of respondents currently meet "monthly or more often" with business unit leaders to understand their needs and objectives.

Strained budgets and resources certainly make it harder to stay secure. But for financial institutions, it's a cost of doing business, not a luxury item. While it's relatively easy to determine information security spending, calculating the return on investment requires several hard-to-test assumptions about what might have happened in the absence of those investments. Sixty percent of respondents rarely, if ever, try to calculate such an ROI, with 18 percent only doing so "sometimes."

Financial institutions cannot simply worry about their own backyards. Insurance companies in particular have a significant stake in the security practices of their customers. On the one hand, carriers that underwrite security breach policies have a vested interest in boosting security among the insured. On the other hand, customers who are not insured against such losses may not be aware of their own exposures-which may cause contractual rancor down the line. "A lot of companies still believe that their traditional lines of coverage cover them for breaches of security," says Barrett. "Insurance companies have been working to try to educate companies about it, but it's still an uphill battle."

High Exposure

Thus, the financial sector may have valuable experience to share with enterprises in the corporate arena and the government sector alike. Indeed, fully 50 percent of survey respondents rated the government as having a "marginal" ability to secure its critical infrastructure in the event of a malicious attack or disaster. "The government can learn from the private sector in terms of closing the gaps around information security and physical security issues," says Barrett.