The Wall Street Journal on Feb. 1 reported that Wells Fargo, Bank of New York, Bank of America, Citigroup, J.P. Morgan Chase and U.S. Bancorp, backed by major accounting firms and a financial services industry group, are adopting common guidelines to which suppliers will be required to adhere.
Such service suppliers include telecommunications companies and data-service hosting companies such as IBM.
The program, called the Financial Institution Shared Assessments Program, aims to do away with what is now a considerable amount of wasted resources on the part of financial institutions as they call on service providers for information needed to appease auditors.
"Third-party providers are providing some information, but financial institutions are using their own resources to continue" seeking additional information on a broad array of security details, according to Faith Boettger, a senior consultant to BITS, the industry group behind the project.
The effort is aimed at making it easier on both sides: for the financial institutions that need the information, and for the service providers that are getting deluged with invariably disparate and often redundant requests.
"Service providers receive inconsistent audit information and requests," Boettger said in an interview with eWEEK. "Were looking at a standardized way of obtaining that information."
The new policy wont just touch on what level of encryption providers put on data or what security protects databases that contain customer information, although those are two of the granular details it will touch on. Rather, the policy will cover a providers entire security ecosystem.
The group is putting together a standardized questionnaire that will touch on service providers security policy, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity and regulatory issues.
The questionnaire will be released on Feb. 9, as will a set of agreed-upon procedures. On the same day, BITS also plans to announce the formation of a working group to ensure ongoing education and coordination of the program, Boettger said.
IBM, Acxiom, First Data, Viewpointe and Yodlee participated in a pilot of the program last year and have agreed to participate when the program is expanded this month, according to the Wall Street Journal article.
Priscilla Rabbayres, a global regulatory executive in the financial services sector for IBM, told eWEEK that IBM considers the financial institutions efforts to be of "enormous importance," particularly given the times.
"If we look back even a year ago, this was an important issue, but it really came to life with the California legislation of 2003 [that required enterprises to inform customers of security breaches]," she said. "Since then, with reports we see in the press on a regular basis, secure data has been lost through high-tech means, through low-tech means, pretty much any which way."
As it is, the FCC on Feb. 1 proposed fining AT&T for a missing privacy report. On the same day, the Boston Globe ran a full-page letter apologizing for packing bundles with paper containing the credit card numbers of some 200,000 subscribers.
Along with this increasing leakiness of data repositories comes auditors interest in them. "Regulators are looking at this very carefully," Rabbayres said. "Enforcement penalties are now becoming the norm. Everybodys on notice—not just financial services companies. It behooves them to ensure theyre appropriately handling confidential information of customers as well as confidential corporate information, because its being targeted."
Until fairly recently, Rabbayres said, the efforts by financial services companies to evaluate the security levels of service providers in order to satisfy auditors have been "somewhat diverse," she said.
"One service provider may look at one standard, another at another aspect," she said. "It hasnt been an easy prospect to know which service providers do provide state of the art" security measures.
At issue is consumer confidence. "With banks, for example, the transformation of the service industry depends on the confidence in online banking," Rabbayres said. "If consumers shy away because they think information wont be secure, that has a major impact on the business of financial institutions."
The program pilot looked at a range of security capabilities in place at IBM and other providers, Rabbayres said, including their methodology of assessment of security capabilities. That methodology deals with resilience, what kind of hardware and software is used, what processes are in place, and how providers interact with financial institutions.