12:17 PM
Insurance Industry May Drive Bank Security Policies
By Ivan Schneider, Bank Systems & Technology
Information security has become a red-hot topic in the financial services industry, and not just because of pressure from regulators and customers. Insurance companies could start to exert more pressure on their counterparts in other financial services segments, observers predict. "We're going to see our friends from the insurance industry come in and require even greater levels of security, in order to get the kind of insurance coverage you want," says Steve Katz, CISSP, president and CEO of Security Risk Solutions, based in Melville, NY, and former chief information security officer for J.P. Morgan, Citibank and Merrill Lynch.
It's a simple matter of risk minimization. "In today's world, if you build a factory, and you want to insure the contents of the factory and the building itself, the insurance company says, 'Unless you have adequate fire protection technology, we're not going to insure you,'" says Katz.
Similarly, Katz expects insurers to require banks to counteract higher threat levels with increasingly stringent security standards as part of policy renewals. That could drive adoption of, essentially, whatever technology the insurers deem necessary.
Katz advises startups in the information security field, including San Francisco-based nCircle and Portsmouth, NH-based Cogentric. The former provides network exposure management tools, and the latter, security information and risk management tools.
Both solutions help companies to manage their information security programs and policies, which is a departure from past approaches that required internal development and integration. "You bought point solutions, IDS intrusion detection systems, and vulnerability assessment products, but you never really had a way to assess relative exposure or to assess the validity of the intrusions," says Katz. "In many cases it was just a lot of manual number crunching and trying to do the best you could without the tools that the industry badly needed."
"Even in the big institutions, where it was possible to develop in-house security management solutions, the level of results and the amount of work that was involved often didn't give you the information you really wanted," adds Katz.