Information Security News mailing list archives

Financial industry fears feds' security rules


From: William Knowles <wk () C4I ORG>
Date: Tue, 10 Oct 2000 18:53:01 -0500

http://www.infoworld.com/articles/hn/xml/00/10/09/001009hnfedrules.xml

By Patrick Thibodeau, Computerworld

WASHINGTON -- Federal regulators are developing information security
rules for the financial services industry to protect customer data.
But executives at affected banks, brokerages, and insurance companies
say mandating stringent security requirements, such as encrypting
stored or transferred data, will increase their costs and potentially
impair data-sharing arrangements they have with business partners.

Corporate legal, business, and IT departments will be involved in
implementing the rules, and according to Bill Bradway, an analyst at
Meridien Research, in Newton, Mass., "when you add up those collective
costs for a big organization, it's clearly in the millions of dollars
to get [compliant processes and systems] up and running."

Industry officials are urging regulators to issue the security
requirements as guidelines rather than regulations, thereby giving
financial institutions flexibility to tailor information security
programs to their specific needs.

"The financial services community has repeatedly shown leadership in
the security area," said Edward Schwartz, chief information security
officer at Nationwide Financial Services, in Columbus, Ohio. "Wouldn't
it be reasonable to say [to regulators], . . . 'let us try to do it in
such a way that doesn't have an unnecessary financial impact on our
business'?"

The pending rules are a requirement of the Gramm-Leach-Bliley Act, the
sweeping financial deregulation legislation approved last year that
allows banks, insurance companies and securities firms to merge. The
act requires regulators (in this case the Federal Reserve, the
Federal Deposit Insurance, the Office of the Comptroller of the
Currency and the Office of Thrift Supervision) to write rules aimed at
safeguarding customer information.

The new rules are due to take effect in July. But regulators have yet
to issue final rules, and agency officials haven't said when they will
be completed.

Meanwhile, officials at financial services companies are considering
how the rules will affect them. Blaise Bettendorf, CFO at Greenville,
S.C.-based Summit National Bank, a regional bank with $200 million in
assets, has been getting price quotes from vendors to find out how
much it would cost to have regular systems testing conducted by
independent third parties, a potential requirement of the new rules
for banks and other institutions. So far, she said, the price quotes
have been "hefty," ranging from $20,000 to $80,000.

Companies that have well-defined, integrated IT architectures will be
in a better position to comply with the regulations than will
organizations with a hodgepodge of systems that have been cobbled
together through a string of acquisitions, analyst Bradway said.
"Organizations that have not yet completed their consolidation to a
common architecture may be looking at the same problem times 10," he
warned.

At Nationwide, which has $115 billion in assets, a rule requiring data
encryption could add significant overhead to network bandwidth and
server CPU, Schwartz said. Encryption requirements may also impede
data transfers by making the already difficult job of interfacing with
a plethora of different systems "very complex," he added. More
important, Schwartz said, any need for encryption "may have already
been mitigated by all the other [security] controls that we do as a
matter of course." He said he wants the federal rules to offer that
flexibility.

"Institutions want to have some guidance from regulators, but they
don't want to be boxed in by them," said Charlotte Bahin, regulatory
affairs director at America's Community Bankers, a Washington-based
trade group. "They want to be able to incorporate the elements of the
security plan that would be most appropriate for them."


*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".