Posted by: David Schneier
Audit, bank, banking, bcp, CISO, compliance, compliance officer, FDIC, FIL, GLBA, information security, regulatory, Regulatory Compliance, Security, vulnerability test
We were watching a baseball game the other night when one of Microsoft’s recent IE8 security commercials aired. It’s the one where a fictitious bank is set up and people off the street, deceived by its appearance, wind up turning over boatloads of personally identifiable information (PII) with little apparent concern. My son loves the commercial (e.g. they ask one man if he prefers boxers or briefs), and it occurred to me that my family finds the bit entertaining. Not so much for me. Quite frankly it sort of freaks me out because I know that sort of thing happens every day for real (remember, I’m the guy who checks for hidden cameras over ATMs and tugs at the card reader to make sure it’s a permanent part of the machine).
But lately I’ve been wondering if it’s even the criminal element that presents the greatest threat to my PII. I worry that the banks themselves may be slipping just a bit in keeping up with their regulatory obligations regarding my privacy based on news from the field.
Our practice routinely calls on financial institutions with our services. We’ve spent an enormous amount of time and energy paring things down to what we believe are the most relevant areas based on guidance from the oversight agencies and on practical experience. And so when we engage a current or prospective client in dialog we’re typically cutting right to the chase in order to make the most efficient use of their time. We’ll hear a wide range of responses when asked how they’re managing a variety of key control activities (e.g. it’s managed internally, we use a software solution, our audit department does that, etc.), and for the most part it rings true. However, lately we’re being greeted with a noticeable uptick in one response in particular: “The examiners didn’t even look at that, so we’re not worrying about it right now.”
Not to belabor the point but as I’ve already mentioned we’re not offering exotic services. Quite literally everything we have to offer to our clients should make the short list of must-haves for any CISO or compliance officer. How can the examiners not cover any of these things?
To be fair, it’s typically not a reflection on ability but rather on available hours. I’ve blogged before that when things are missed it’s almost always because the fieldwork only allows for so many hours, and you start with the riskiest areas first and work your way down from there. So if the examiner needs 80 hours to cover the landscape but only has 40 hours to get it done, they have to focus where they think they most need to. But still, how do you not make sure that there’s a current business continuity plan in place, or check that the infrastructure has been tested recently to ensure there aren’t significant vulnerabilities present? Internally we’ve been very forgiving of the entire examination process over the past year or so, because safety and soundness has really needed to be at the forefront of the regulatory efforts. So we balance our concern about what’s being overlooked with an understanding that the examiners are likely doing the very best with what they have to work with. But still...
I was reminded recently that the FDIC budget for 2009 included a 30% increase in the number of examiners available. At the time it was announced, I figured it was a move intended to ensure that compliance was being properly enforced across all areas during a very turbulent period in our banking history. However, nearly two years later I wonder what’s happened. How can I reconcile an increase in the number of examiners with an apparent decrease in information security oversight?
If you think I’m exaggerating, consider that over the past decade the FDIC has released three or more Financial Institution Letters (FILs) addressing information technology guidance every year, right up until mid-2009. Since then there have been no updates at all relating to IT or information security. After never going more than a few months without offering updated guidance over a 10-year period, they’ve had nothing new to publish in 14 months. How is that even possible?
On one hand, I’m hearing that examiners aren’t always looking at key compliance activities, and on the other hand, I’m seeing an apparent drop-off in IT guidance from the chief banking oversight body. For someone like me who worries about these things on both a personal and professional level, this is not good. When I watch that IE8 commercial I’m not laughing; I’m wondering how anyone would even know if that sort of thing was going on right now for real.