NEW YORK (10/10/2003) - A recent spate of laws stemming from two concerns -- terrorism and personal privacy -- has many banking institutions scrambling to understand the implications for IT security.
The problem of terrorist money laundering, a perceived increase in threats to personal privacy and a perception of widespread instances of corporate scandal have, together or individually, been the main political drivers behind recent laws such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the USA Patriot Act and California's S.B. 1386 privacy law, according to Sam DeKay, assistant vice president for the Bank of New York Inc.
"To a large extent, these regulations have defined our profession," said DeKay, speaking here at the second annual Cyber Security in the Financial Services Sector Summit, sponsored by the Information Management Network. But many information security professionals don't yet understand exactly what the new laws require of their companies, especially IT staff, he said.
This month, for example, the U.S. Treasury Department published a clarification to Section 326 of the Patriot Act, which requires financial institutions to have a process to identify customers and periodically check data about them against watch lists maintained by the Office of Foreign Assets Control in the U.S. Treasury Department. But while the Patriot Act requires financial institutions to develop the ability to detect and report money laundering by suspected terrorists, there are more than 46 specific subsections that cover enforcement requirements -- all of which may differ depending on the size and complexity of the organization in question, said Jim Murphy, product manager at Scotts Valley, Calif.-based Web and e-mail filtering company Surfcontrol.
Carl Eyler, chief information security officer at the New York branch of Banco Santander Central Hispano, said his organization and others like it are wrestling with the question of who internally is responsible for interpreting the technical requirements of the new laws. "What we've noticed when you look at these regulations to interpret the broad requirements is that it tends to be a group effort," said Eyler, pointing to the need for all departments to take part in the review. "We have to look at these regulations from two different points of view. There's the letter of the law and there's the flavor of the law."
According to Eyler, compliance officers, risk managers and IT security managers must work together because they all see the laws from a different perspective. "From an operational security point of view, I'm looking at the letter of the law," he said. "In my company, IT security is a risk function, not an IT function."
IT security is also a risk function at the U.S. Senate Federal Credit Union, said Ira Greenstein, the credit union's chief technology officer. "In our case, Gramm-Leach-Bliley is completely applicable to everything we do, and we do everything from a holistic approach with a comprehensive compliance program," said Greenstein.
"But the main new challenge from a technology perspective was trying to find instances of personal data leaving our virtual premises," he said. The Gramm-Leach-Bliley Act requires the credit union to find a technical means to identify this data. One of the solutions was to tag certain files and subdirectories that contained personal data, allowing the credit union to track and trace data in a way that wasn't overly burdensome for the IT staff, Greenstein said.
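As an added illustration of the file-and-subdirectory tagging approach Greenstein describes (example code written for this article, not the credit union's own tooling): the script below scans a directory tree for files that match a few constructed personal-data patterns, records the tagged files and the subdirectories holding them in a manifest stored beside the data, and exposes a lookup that an outbound-transfer check could consult without rescanning. The detection patterns, the hypothetical `ACCT-` account-number format, the manifest filename and the sample files are all assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

MANIFEST_NAME = ".personal-data-tags.json"   # assumed manifest filename

# Constructed detection patterns (illustrative; not a complete definition
# of non-public personal information).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\bACCT-\d{8}\b"),  # hypothetical account format
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def classify_text(text):
    """Return the set of personal-data categories whose pattern appears in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def classify_tree(root):
    """Scan every regular file under root and return {relative path: sorted
    categories} for the files that contain at least one category."""
    root = Path(root)
    tags = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == MANIFEST_NAME:
            continue
        found = classify_text(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            tags[path.relative_to(root).as_posix()] = sorted(found)
    return tags


def tagged_directories(tags):
    """Every subdirectory that holds at least one tagged file, so the
    directory itself can be marked as containing personal data."""
    dirs = set()
    for relpath in tags:
        for parent in Path(relpath).parents:
            if parent.as_posix() != ".":
                dirs.add(parent.as_posix())
    return dirs


def write_manifest(root, tags):
    """Persist the tags next to the data so a later check (for example on an
    outbound transfer) can look a file up instead of rescanning."""
    manifest = Path(root) / MANIFEST_NAME
    manifest.write_text(json.dumps(tags, indent=2, sort_keys=True), encoding="utf-8")
    return manifest


def is_tagged(root, relpath):
    """True if relpath was recorded in the manifest written by write_manifest."""
    manifest = Path(root) / MANIFEST_NAME
    if not manifest.exists():
        return False
    return relpath in json.loads(manifest.read_text(encoding="utf-8"))


def build_sample_tree(root):
    """Constructed sample data: two files holding personal data, one without."""
    root = Path(root)
    (root / "members").mkdir()
    (root / "members" / "applications.txt").write_text(
        "Jane Doe, SSN 123-45-6789, ACCT-00112233\n", encoding="utf-8")
    (root / "members" / "contacts.csv").write_text(
        "jane.doe@example.com,555-0100\n", encoding="utf-8")
    (root / "README.txt").write_text("Branch opening hours: 9-5\n", encoding="utf-8")


def demo():
    """Build the sample tree in a temporary directory, tag it and return the results."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    tags = classify_tree(root)
    write_manifest(root, tags)
    return {
        "tags": tags,
        "directories": sorted(tagged_directories(tags)),
        "readme_tagged": is_tagged(root, "README.txt"),
        "applications_tagged": is_tagged(root, "members/applications.txt"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the point of the design: the scan can run on a schedule, while the cheap `is_tagged` lookup is what an e-mail gateway or file-transfer hook would call when deciding whether a file leaving the network needs review, which keeps the ongoing burden on IT staff low.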
Eyler said his organization is now focusing on access control and data segregation "so we know where the data is, who owns it and who has access."
Nick Akerman, a lawyer with New York-based Dorsey & Whitney LLP, said California's S.B. 1386 allows people to seek damages if they aren't notified that personal information has been compromised. The law also provides for punitive damages if a company's IT security controls are found lacking or nonexistent, said Akerman. "Basically, the sky is the limit."
Akerman said one way to avoid liability under the California statute is to simply encrypt customer data. But the real key, he said, is to train the entire workforce on the law so that everybody knows which incidents must be reported and disclosed.
Senior management doesn't get a pass, said Lucas Kowal, manager of internal audit at Morgan Stanley. Despite Sarbanes-Oxley, internal auditors should be focused on verifying management's participation in IT security decisions, he said. "We want to know ... does management sponsor training and testing?" said Kowal. "And does management give approval for the resources that IT security needs?"