BankInfoSecurity.com - Information Security News, Regulations, & Education

Risk Management Agenda: 2008

Top 10 Challenges - and Some Potential Solutions - that Financial Institutions Face
January 8, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.
If 2007 is any indication, then 2008 is going to be a wild year for financial institutions facing a slew of risk management issues.

Hanging like the sword of Damocles above all is the subprime mortgage crisis, which sees institutions looking for ways to avoid foreclosures and challenges surrounding underwriting. These efforts will only further tax resources that otherwise could be channeled into information security issues.

And there are many information security issues to be faced.

Financial institutions, regulators, banking service providers, industry associations and information security experts - they all voice similar concerns about the top information security challenges facing the industry in 2008. Following is a list of the Top 10 risk management challenges -- and some strategies to meet them.

1) Keeping up with Compliance

What if you stretch your staff and budgets to the limit and still can't achieve compliance? This is a major concern of financial institutions - particularly the smaller ones.

"The smaller the institution, the harder it is to comply," says Justin Leapline, an audit and compliance consultant for Secure State, a Midwest information security assessment firm. "Because of the average size of most credit unions and small banks (less than 20 employees), they don't have the money or the people to take security seriously."

Historically, the Credit Union National Association finds that only about 10 percent of credit unions have a person dedicated primarily to compliance. The others generally rely on a senior officer to handle this area - on top of other, non-security responsibilities. Security, therefore, is put on the back burner, causing companies to miss things that may make them vulnerable to attack from both inside and outside of the company. The same, of course, is true at small banks.

The solution: Well, there is no shortage of new regulatory requirements coming down the pike. If your institution cannot keep up with the flow now, then it's time to either dedicate or expand your available resources. Non-compliance is not an option.

2) New Regulations

And if your current regulatory requirements aren't enough, here's a sampling of what to expect in 2008:
  • ID Theft Red Flags - compliance deadline of Nov. 1. The question raised by Gartner distinguished analyst Avivah Litan, "Are financial institutions going to take this seriously and are regulators going to enforce it?" is already being answered by many institutions. (See: Finance Execs React to ID Theft Red Flag Rules)
  • New FFIEC Requirements - update to the IT Examiners Handbook is expected sometime in 2008
  • FFIEC Pandemic guidance - potentially the biggest business continuity issue of the year
  • FDIC IT Risk Management Program amendments - the new IT exam questionnaire is out, and it deals with new issues such as vendor management. You can only expect other regulators to follow suit with new requirements.
  • Anti-Money Laundering - the Bank Secrecy Act examination manual was revised in 2007, and there's every reason to expect new requirements in 2008.
  • BASEL II - As banking institutions do more business internationally, they must increasingly meet these recommended global banking standards.

Whether your institution is working toward compliance on ID Theft Red Flags or the recently released FFIEC Pandemic Guidance, "Make sure your risk assessments are current and up-to-date," says FDIC spokesperson David Barr.

That FDIC advice has already been taken to heart by Frank Bentz, Information Security Manager at Sandy Springs Bank. Bentz says one of the first risk management issues he will focus on is enhancing the bank's risk management process. Sandy Springs Bank, based in Olney, MD, holds $3 billion in assets and is the second largest publicly-traded bank in Maryland. "We also look to acquire technology to improve security based upon the bank's risk and vulnerability assessment," Bentz says.

Establishing enterprise risk management across her institution is one of Arlene Shinozuka's goals as director of compliance/security at Hawaii USA Federal Credit Union. The Honolulu-based federal credit union has $800 million in assets and 110,000 members. Shinozuka notes, "We will also focus on BSA, more specifically on suspicious activity monitoring and anti-money laundering monitoring."
