Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:09 PM
Connect Directly

E&Y Survey Highlights Security-Consciousness Gap

Talk is cheap, but loose lips sink ships. Banks strive to find the appropriate level of communication between stakeholders on topics related to information security.

A recent Ernst & Young survey of 56 financial institutions in the U.S. and Canada reveals that there's room for improvement in companies' information security practices, particularly in the frequency and quality of communications about incidents, security policies and business unit requirements. The survey sample included 22 insurance companies, 17 commercial or consumer banks, 13 investment banks, and four other financial firms.

The top five reported problems: viruses/worms, employee misconduct, denial-of-service attacks, loss of customer data, and amateur hackers. From these threats, security has attained a higher profile within the industry. "There has clearly been an elevation of information security to a senior leadership position within the organization, as well as to the board level," says William Barrett, partner at Ernst & Young LLP.

But the topic may not make the agenda often enough. "It's still a little surprising that 43 percent do board-level security reports annually or longer," says Barrett. "Where you have identified gaps in information security or would want to have a quarterly update to the board of directors around how you're closing those gaps."

There's also a growing consensus among financial institutions that company shareholders should hear about the status of information and physical security programs, with 60 percent in favor of such reporting. Already, a related disclosure will be required under the Sarbanes-Oxley Act. "When management makes an assertion about its internal controls, the external auditor is going to render an opinion on management's assertion in their annual report," says Barrett.

Inside the organization, the survey data suggests that information security personnel should increase their contact with managers. Only 35 percent of respondents currently meet "monthly or more often" with business unit leaders to understand their needs and objectives, and an equal number reported doing so annually or less frequently.

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.