Information Security News mailing list archives
Financial industry fears feds' security rules
From: William Knowles <wk () C4I ORG>
Date: Tue, 10 Oct 2000 18:53:01 -0500
http://www.infoworld.com/articles/hn/xml/00/10/09/001009hnfedrules.xml

By Patrick Thibodeau, Computerworld

WASHINGTON -- FEDERAL regulators are developing information security rules for the financial services industry to protect customer data. But executives at affected banks, brokerages, and insurance companies say mandating stringent security requirements, such as encrypting stored or transferred data, will increase their costs and potentially impair data-sharing arrangements they have with business partners.

Corporate legal, business, and IT departments will be involved in implementing the rules, and according to Bill Bradway, an analyst at Meridien Research, in Newton, Mass., "when you add up those collective costs for a big organization, it's clearly in the millions of dollars to get [compliant processes and systems] up and running."

Industry officials are urging regulators to issue the security requirements as guidelines rather than regulations, thereby giving financial institutions flexibility to tailor information security programs to their specific needs.

"The financial services community has repeatedly shown leadership in the security area," said Edward Schwartz, chief information security officer at Nationwide Financial Services, in Columbus, Ohio. "Wouldn't it be reasonable to say [to regulators], . . . 'let us try to do it in such a way that doesn't have an unnecessary financial impact on our business'?"

The pending rules are a requirement of the Gramm-Leach-Bliley Act, the sweeping financial deregulation legislation approved last year that allows banks, insurance companies and securities firms to merge. The act requires regulators, in this case, the Federal Reserve, the Federal Deposit Insurance, and the Office of the Comptroller of the Currency and Office of Thrift Supervision, to write rules aimed at safeguarding customer information. The new rules are due to take effect in July.

But regulators have yet to issue final rules, and agency officials haven't said when they will be completed. Meanwhile, officials at financial services companies are considering how the rules will affect them.

Blaise Bettendorf, CFO at Greenville, S.C.-based Summit National Bank, a regional bank with $200 million in assets, has been getting price quotes from vendors to find out how much it would cost to have regular systems testing conducted by independent third parties, a potential requirement of the new rules for banks and other institutions. So far, she said, the price quotes have been "hefty," ranging from $20,000 to $80,000.

Companies that have well-defined, integrated IT architectures will be in a better position to comply with the regulations than will organizations with a hodgepodge of systems that have been cobbled together through a string of acquisitions, analyst Bradway said. "Organizations that have not yet completed their consolidation to a common architecture may be looking at the same problem times 10," he warned.

At Nationwide, which has $115 billion in assets, a rule requiring data encryption could add significant overhead to network bandwidth and server CPU, Schwartz said. Encryption requirements may also impede data transfers by making the already difficult job of interfacing with a plethora of different systems "very complex," he added.

More important, Schwartz said, any need for encryption "may have already been mitigated by all the other [security] controls that we do as a matter of course." He said he wants the federal rules to offer that flexibility.

"Institutions want to have some guidance from regulators, but they don't want to be boxed in by them," said Charlotte Bahin, regulatory affairs director at America's Community Bankers, a Washington-based trade group. "They want to be able to incorporate the elements of the security plan that would be most appropriate for them."