Regulatory Enforcement of IT Security: Slap on the Wrist vs. Padlock on the Door

Regulatory Enforcement of IT Security: The times demand a more aggressive approach to data security.

During the wholesome years of banking (the old "3-6-3 Rule") the only IT concern was how far off the mark the nightly posting run would compute after the reconcilers did their audit. The task of satisfying the bank examiners was considered a walk in the park and everyone knew it. Now, even after a dramatic transition from batch processing to online and sometimes real-time, plus all the influences that the Internet's double-edge sword has rendered, IT exams are still a walk in the park. But data security in banking is like the Mississippi River. Just when you think it's under control, new threats appear from places unknown, and seasons past, even though it's not raining where it's flooding.

Here's the problem, folks. Bank IT examiners examine, but they don't enforce with vigor. The process, on paper, sounds effective. They show up at a bank unannounced. A team disperses with access to any piece of the bank. Some exams are more intense than others for reasons only the examiners know. The team writes a report of its findings, including some flimsy recommended corrections. The report is submitted directly to the Board of Directors, thus assuring that would-be perpetrators (aka bank employees) would be side-stepped. And then the process is repeated a year or two later, depending on adequate appropriations granted by the Congress. Previous deficiencies linger in the examiners' reports, but they are overcome by all the yada yada yada. Bottom line, the whole thing is a ceremonial non-event, but no one's complaining.

For all parties concerned, this process feels good. Bank examiners feel good about documenting their discoveries. Their bosses can claim effectiveness if ever challenged -- "We warned them!" Directors enjoy telling management to shape up, thus showing they're on top of things. Management responds by claiming that theoretical perfection is typical of bureaucratic idealism without regard for investment goals expected by stockholders. Everyone goes home happy.

Looking at this ineffective oversight from 30,000 feet, one gets the feeling that worse things could happen in banking than to worry about system interception. And they're right. There is no record of any bank, big or small, ever failing because of a data security breach. Would that the same could be said for 366 banks that failed in the past three years as a result of financial defaults.

But in the spirit of caring about one's own turf, let me suggest that bank CIOs can do better by becoming their own examiners. The times demand a more aggressive approach to data security. Just look at mobile banking -- wider access to the banks' data vaults from billions of new users, using an inexpensive device, operated from anywhere, encouraged by banks to "do your own thing and save us the trouble," and new breeds of unethical users having learned proven techniques that were given up by previous-generation hackers. In this one massively popular movement alone, potential data breaches become a whole new threat for any bank. Thus the risk gets bigger almost overnight with every million new users added. And based on research and press reports citing bankers who are leading the charge and welcoming the unbanked to enter the fray, does this sound a bit like subprime lending, where the excluded could now own their own homes, no money down? The walk in the park should become more of a trek through the jungle.

This is what I would do right now as CIO of any bank. I call it CYS (Cover Your System):

Put away the emotional interference caused by bank examiners and address the bank's issues seriously.

Pull together the eight managers that drive IT for the bank. Invite the bank auditor, security officer and compliance officer.

Their assignment: "Bring me a list of any and all weaknesses in our IT system, based on your own tough examination, as well as the departments of your peers. Defending the deficiencies is not necessary. Finger-pointing is permitted this one time. Identifying all of them is the mission at this point."

"Identify the hurdles that got in the way of your past proposals to tighten security."

"Tell me how long the deficiencies have existed and why they have not been corrected. I know one reason -- I wouldn't approve the funds you requested."

"Address every deficiency reported by the examiners since day one and provide a status of each."

"When was the last time the bank engaged an official third-party examination of data security?"

"Which ones were performed by the bank's external financial audit firm (aka friends & family)?"

"What has our primary tech vendor offered as a security assessment? Beware, partner (their word) and independent (my need) are a contradiction in terms."

"Offer your guess as to why Citi uses the same security firm that the CIA uses."

"Identify EVERY breach that has occurred in the past."

"Which ones were not reported to the authorities?"

"Which one or more of you would recommend hiring a third-party IT security firm to conduct a hard-nosed audit even if the results showed you were the weakest link in our security?"

"Report back in 30 days and be prepared to create Phase Two -- a plan for correction."

CLARIFICATIONS: The old "3-6-3 Rule" was based on giving 3 percent interest on accounts, charging 6 percent interest on loans, and the banker being on the golf course by 3 p.m.

I have dealt with examiners of all kinds for about 41 years, and not just in banking. As a consultant I have worked for the IRS, DOJ Antitrust Division, FDA, State Department, Medicare HCFA, and DOL CEP. I like examiners because there's one theme that runs through the fabric of what they do -- "We want to make sure you carry out your responsibilities according to the laws of the U.S." Who can argue with that? And why wait until one of the Big Four takes a hit, or maybe the Big Three (where was Citi?) now that they have put their mobile payments eggs in one basket (ClearXchange).