Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps. The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed -- the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.
Both trends were discussed this week at Bank Systems & Technology's 2009 Executive Summit in Pasadena. Katherine F. Vitale, Associate Director, Operational Risk, RMA (The Risk Management Association, Philadelphia), discussing "Operational Risk: The Future of the Discipline," outlined ways that operational risk can become more embedded in banks' culture. Referencing a recent study conducted by RMA in conjunction with McKinsey, Vitale noted that operational risk "is a universal discipline of growing importance -- it's more than a support function." Furthermore, Vitale stressed, "How you deal with your operational risk says a lot about the culture."
The study showed there has been considerable progress in this regard, she noted. For example, there is acknowledgement that operational risk can add value to processes and decisions, and companies increasingly are placing a high value on having transparency into potential operational risks (for example, in the development of new products). But there are still some gaps, Vitale added.
"There are opportunities for tangible improvements," she told the Executive Summit audience. "The industry needs to strengthen the basics, especially analytics, reporting and capital quantification."
Another operational risk-related challenge facing the financial services industry is the escalating pace and complexity of e-crimes -- hacking, online theft, and attacks on networks and critical customer information. Executive Summit attendees heard from Kris Herrin, CTO, Heartland Payment Systems (Princeton, N.J.), who discussed his company's response to the massive penetration of its payments networks by Russian hackers that took place during 2008 and was reported early in 2009.
Although Heartland had some insights into the specific tools that were being used by the hackers, "What we didn't realize was the meticulous organization and drive these hackers had," he acknowledged. "We didn't realize how organized they were." In fact, these criminals turned out to be as organized, technically adept and results-focused as the most capable banking IT organization. But rather than going on the defensive or hiding the scope of the breach, the company has been very public about what happened and is striving to improve industry communications about online threats.
A big part of Heartland's response to the breach has been to try to change the industry's approach to cybercrime -- primarily by striving to share intelligence about threats among other processors and financial institutions. According to Herrin, Heartland's CEO, Bob Carr, "wanted Heartland to be the Tylenol of the industry." One step has been the creation of the Payment Processor Information Sharing Council, which Herrin said was formed "to facilitate trusted information sharing among processors."
Herrin's intention was to provide full disclosure about what had happened with Heartland's records -- or, as he put it, "I opened the kimono," adding, "We want to make sure this doesn't happen to anyone else, and make sure the merchant is not a target for the bad guys."
Katherine Burger is Editorial Director of Bank Systems & Technology and Insurance & Technology, members of UBM TechWeb's InformationWeek Financial Services. She assumed leadership of Bank Systems & Technology in 2003 and of Insurance & Technology in 1991. In addition to ...