A consortium of six major banks and the country’s largest accounting firms said Wednesday that they were setting uniform computer-security standards, designed to ensure that the third-party computer providers they do business with are adequately protecting both their computer systems and the information those financial firms send them.
“This is good news,” says Avivah Litan, vice president and research director of Gartner Inc. “I don’t think it goes far enough, but it’s smart for them [the institutions] to do it in steps, if that’s what they’re doing. But they need to do it beyond the service providers. They need to do it themselves”
The idea is to minimize data breaches and save money. The firms hope that forming a common front will force third-party providers to maintain uniform computer-security standards, and avoid the security hodgepodge that gave rise in 2005 to a slew of embarrassing computer breaches. Those breaches, according to the nonprofit consumer advocate Privacy Clearinghouse, exposed as many as 52 million customer records to possible misuse.
That mess, which at one point last year seemed to be a cascade of announcements, drove one third-party processor, CardSystems Solutions Inc., out of business. It also precipitated a recent $10 million Federal Trade Commission (FTC) fine for data broker ChoicePoint Inc. ChoicePoint was itself defrauded in a scam that put the customer data of 145,000 people at risk. As part of that FTC settlement, ChoicePoint also had to create a $5 million trust fund for people who may have become identity-theft victims because of the breach. And Choicepoint must undergo biannual security audits through 2026.
Details of exactly what the standards are, or how they’re administered, are sketchy. They were developed by the IT Service Providers Working Group of BITS (Banking Industry Technology Secretariat), a unit of the Financial Services Roundtable.
Susanna Space, vice president of communications for the main consultant to BITS, the Santa Fe Group, says third-party providers for all sorts of outsourced computer services are covered, not just payments or cards processing. Catherine Allen, Santa Fe’s chairman, chief executive officer and founder, is also chief executive of BITS.
The main tool of the program is, apparently, a uniform questionnaire. “What happens is, the service provider looks at a questionnaire and answers [it], and then submits a report that several financial institutions can use. But there are assessment parties that are involved,” says Space. She declined to explain what role the assessment parties play, or whether on-site inspections and testing are part of the program.
The fact that the program’s members are much of the top tier of America’s banks and accounting firms gives the program one thing it really needs—teeth. No third-party processor is going to buck them and risk losing their business, and if they did, that sort of black eye would likely drive away other prospective customers. “If a person [financial institution] says we’re not going to share our security information with you, then very likely, the financial institution would not work with the service provider,” says Space. “Financial institutions have to ensure the security of services, whether they’re conducted inside the institution, or by an outside provider.”
The program, called the Financial Institution Shared Assessments Program, was developed in 2004 and piloted in 2005. The companies that developed the standards include Bank of America Corp., Bank of New York Co., CitiGroup Inc., J.P. Morgan Chase & Co., U.S. Bancorp, Wells Fargo & Co., Deloitte & Touche, KPMG, PriceWaterhouseCoopers, and Ernst & Young. The program was announced yesterday, Feb. 1; an inaugural meeting of the group will be held in New York on Feb. 9. (Contact: BITS, 202-289-4322)