Outsourcing's New Risks
By Chris Costanzo
A proliferation of security risks is changing
the way banks handle outsourcing relationships.
In terms of sheer scale, the
hacking of more than 10 million card accounts held by an independent sales
organization earlier this year was the worst ever in financial services,
worse than the heist of 3.7 million accounts from Egghead.com in
2000.
The computerized assault on Omaha, Neb.-based Data Processors
International underscored the vulnerability of financial institutions
to security breaches via independent third-party organizations. While
the industry and regulatory agencies have been alert to this exposure
for some time, the threats continue to proliferate.
Increased use of Internet technology, for example, is
calling into question practices that have been around for years to assess
the security of third parties. And the rise of offshore outsourcing is
generating new concerns about how those relationships should be overseen.
Finally, given the terrorist attacks of Sept. 11, 2001, a greater focus
on disaster recovery and business continuity planning has become necessary.
The escalation of all these issues puts the onus on
individual institutions to stay informed and take protective measures.
When risk involves third parties, there is a temptation to let the outsource
service providers deal with the problem. The recent card-account debacle,
after all, occurred within the murky, non-regulated arena of the independent
sales organization, not on a bank's watch.
Such complacency would be a mistake, however. Banking
customers who suffer adverse consequences from a security breach are not
going to let the institution evade responsibility, even if a third-party
organization was at fault. Since banks are uniquely positioned as trusted
intermediaries, their reputation is always on the line. "It doesn't
take a lot for security to become an issue," says Faith Boettger,
a senior consultant at BITS, the technology group for the Financial Services
Roundtable. "Even one failure impacts everything."
To respond effectively to electronic threats, financial
institutions need to work closely with third-party partners to make sure
the latter understand the importance of security. Charlotte-based Wachovia
Corp., for example, subjects its third-party partners to "a lot of
due diligence," says chief e-commerce officer Lawrence Baxter. Compared
with the early days of electronic commerce, when investing in new services
such as electronic bill presentment and payment topped the agenda, today's
e-commerce priorities are risk management, disaster recovery, security
and privacy, Baxter says.
To this end, executives are embracing "vendor management"
programs that monitor how well service providers are adhering to their
contracts. This new discipline has the added benefit of helping institutions
catch potential security lapses among third-party providers.
Institutions might also consider getting involved in
industry initiatives aimed at bolstering security. New York-based American
Express Co., for example, has deployed its vice president of Internet
technology and strategy to be the current president of Liberty Alliance,
a diversified group of companies seeking to develop an open standard for
identifying users on a network. Such affiliations help an institution
stay on top of technologies needed to thwart the latest threats.
Moving Target
The financial industry as a whole cannot be criticized
for ignoring the issue of third-party risk. For more than two years now,
the Federal Financial Institutions Examination Council, an umbrella organization
for five regulatory agencies, has been issuing a series of guidelines
and bulletins aimed at clarifying banks' duties in managing risk in third-party
relationships, as has one of its member agencies, the Office of the Comptroller
of the Currency. In October 2001, Washington, D.C.-based BITS published
its own framework to help banks summarize their obligations on this front.
As helpful as all this work is, the experts are chasing
a moving target. One of the traditional tools used to judge service providers,
for example, is the Statement on Auditing Standards No. 70, or SAS 70,
developed by the American Institute of Certified Public Accountants. A
SAS 70 exam discloses in a uniform format the findings of independent
auditing firm examinations, alleviating the need for service providers
to undergo independent audits for all of their clients.
Although SAS 70 was first developed to determine the
financial soundness of service providers, it has been updated to include
various information security components. Still, many experts say the standard
fails to encompass the wide variety of new security and disaster recovery
risks that abound today. "Now any 13-year-old can download software
tools and launch cyber-attacks," says Lari Sue Taylor, director of
enterprise information security and recovery for Boston-based FleetBoston
Financial Corp. Taylor co-chairs the security and risk-assessment working
group for BITS.
These risks were highlighted by the massive infiltration
of credit card accounts at Data Processors International. Though no fraud
involving any of the stolen numbers was reported, the attack set off waves
of precautionary measures among banks, with some deactivating the accounts
involved and issuing new cards, and others stepping up security measures.
Perhaps the most upsetting aspect of the incident was
a realization that banks had little control over the situation, even though
their cardholders were potentially affected. The hack underscored just
how vulnerable the industry can be to service providers that are not rigorous
about security.
The CERT Coordination Center, a unit of Carnegie Mellon
University's Software Engineering Institute, which provides technical
advice and identifies trends in hacker activity, says the number of reported
intruder incidents has increased almost fourfold in two years, from more
than 21,000 in 2000 to more than 82,000 in 2002. When SAS 70 was introduced
in 1992, by contrast, there were only 773 such incidents.
Redundant Examinations
The aging of the SAS 70 standard has caused friction
between financial institutions and their third-party providers, as Ronald
Braco can testify, having seen both sides of the issue. A former senior
executive at J.P. Morgan Chase & Co., Braco now serves as senior vice
president of e-business at Jacksonville, Fla.-based Fidelity Information
Services (formerly Alltel Information Services).
As a banker, Braco recalls, a vendor's completion of
a SAS 70 audit did little to inspire his confidence that a system was
foolproof; numerous other audits and checks were still required. As a
processor, however, Braco is aware of the vast resources third parties
must expend when responding to requests for a multitude of non-standardized
audits. Though different banks may conduct an audit of the same system,
the results for one bank cannot necessarily be shared with other banks.
All this auditing "eats up a considerable amount of time," Braco
says. "And it gets a bit redundant."
Matthew Lawlor, chairman and chief executive officer
of McLean, Va.-based Online Resources Corp., heads the Electronic Financial
Enablers Council, a group within the Herndon, Va.-based Electronic Funds
Transfer Association. Lawlor points out that vendors are getting hit with
requests for a variety of audits from the full gamut of regulatory agencies,
as well as the banks.
"There's not only redundancy regarding the questions
asked by banks, but also a wide area of interpretation of the rules and
regulations on the part of the examiners," he says. "There's
a lot of inefficiency, a lot of confusion."
Robert Engebreth, director of technology risk management
at the Office of Thrift Supervision in Washington, D.C., acknowledges
the problem, which he attributes to rapid changes in technology. A bank
can control third-party risk in many different ways, he says, and it takes
experienced examiners to evaluate the different methods. Examiners can
also interpret the same situation differently, which adds to the inconsistency
of assessments.
The problem is easing, Engebreth says, as examiners
gain more experience in judging Internet applications. Also helping is
the publication of new guidelines for examiners by the FFIEC, the examination
council. Recent updates specifically address information security risks.
Previously, each individual agency had been issuing its own guidance.
Now, institutions and vendors have a more concise set of regulations to
follow, he says.
Even so, enough frustration with the process still lingers
for regulators, vendors and banks to try to seek some common ground through
BITS. After soliciting feedback from all parties, BITS intends to establish
by the end of the summer a set of requirements that would meet 80% to
90% of what every financial institution needs, says FleetBoston's Taylor.
Establishing these requirements will not necessarily
be easy. Some of the applications are quite technical, and many applications
integrate with other ones. A provider of front-end online banking software,
for example, may link to a provider of account aggregation services. "So
where does the regulator stop?" Lawlor asks.
There's also a risk in providing too much information
to auditors. The more information about how data is protected that leaves
the company, the less secure that data becomes. "It's a fairly complex
issue," Braco says.
Offshore Risks
Following the terrorist attacks of Sept. 2001, disaster
recovery and business continuity planning took on a new urgency. BITS,
for example, began working with the industry to review its framework for
disaster recovery policies and ensure institutions document things such
as their risk analyses, recovery objectives, uptime guarantees, recent
test results and event management plans.
One issue, Taylor says, is whether institutions and
outsourcers should be required to test their connectivity to each other
from their respective back-up sites. BITS expects to hash out these issues
and publish new guidelines for disaster recovery shortly.
The Federal Reserve Board, the OCC and the Securities
and Exchange Commission in April clarified disaster recovery requirements
for core clearing and settlement organizations. In an interagency white
paper, the agencies decreed that organizations should be able to resume
clearing and settlement activities within the same business day on which
a disruption occurs, with the goal of achieving recovery within two hours
after an event. But they backed off from initial attempts to prescribe
specific mileage requirements between back-up and primary sites, noting
that flexibility in establishing arrangements is important.
The shifting terrain of disaster recovery mirrors the
overall challenge of managing outsourcing risk. Underscoring the magnitude
of the challenge, Needham, Mass.-based Tower Group Inc. estimates that
spending by consumer banks globally on IT outsourcing will reach $37 billion
this year, and $9.7 billion for wholesale banks. Technology advances
and new business models such as offshoring surely offer benefits, but
they also create new risks that must be managed diligently.
Offshoring, or offshore outsourcing, is a particularly
nettlesome problem. With cheaper offshore labor shaving about 40% off
typical outsourcing costs, few large institutions can afford to ignore
this option. The largest 100 global financial services firms are expected
to transfer $356 billion of operations and two million jobs overseas over
the next five years, which will increase the percentage of financial firms
sending work overseas from 30% to 75% within two years, according to Deloitte
Research, a division of New York-based Deloitte Consulting.
Despite the efficiency benefits, offshoring also brings
unique risks. The most obvious are prospects for war, civil unrest or
other turmoil in the host country, which affects the manner in which institutions
need to evaluate and prepare for business continuity, says Ward Holland,
Wachovia's chief sourcing officer for strategic initiatives.
Offshore outsourcing puts additional pressures on information
security systems because the outsourced data requires a higher level of
encryption. The encoding and decoding of data prevents the outsourcer,
or viruses introduced by the outsourcer, from penetrating
the bank's network, says Holland, who is based in Charlotte.
Various employee-risk issues also differ significantly
in offshore arrangements. While background checks of employees involving
credit-bureau information, criminal records or even drug testing results
are fairly routine occurrences in the U.S., the ability to conduct the
same types of reviews in other countries is not assured. In some offshore
arrangements, foreign workers come to the U.S. to act as interpreters.
In these cases, risks can emerge when the contracted workers lack the
proper visas to work here. Domestic firms must find ways to monitor those
practices.
Managing all these additional risks requires extra oversight.
"The silver bullet is having a dedicated program management office
responsible for developing, monitoring, and upgrading the practice,"
Holland says.
The Office of the Comptroller of the Currency, noting
an increasing number of questions cropping up from banks about regulations
covering offshore outsourcing, issued a bulletin on the topic in May 2002.
It pointed out that bank risk management obligations remain constant,
regardless of whether the outsourcing arrangement is offshore or domestic.
"You can't just use as an excuse the fact that the operation is 3,000
or 6,000 miles away," says Hugh C. Kelly, special advisor for global
banking at the OCC.
Vendor Management
One of the best ways to guarantee security gets hard-wired
into an outsourcing arrangement is to manage the relationship with that
goal in mind. In a fortunate confluence, the need to more forcefully ensure
security in third-party relationships is emerging just as the concept
of vendor management is taking hold.
Vendor management involves diligently overseeing vendors
to make sure they are doing what they are supposed to be doing. Such programs
help clients and outsourcers align their expectations and keep vendors
from getting complacent. It is a reversal from the old days of outsourcing,
when processing that was out-of-sight was often out-of-mind.
Strict vendor oversight is especially handy for making
sure changes to software programs do not cause security snags. "When
changes occur, the company needs to verify that the outsourcer has processes
in place to assess any exposures that might result," says Boettger
of BITS.
American Express, for example, has mounted an extensive
vendor management campaign to oversee the $4-billion, seven-year outsourcing
relationship it struck with Armonk, N.Y.-based IBM Global Services last
year. Glen Salow, executive vice president and chief information officer
at American Express, advises banks to "hammer away" at the third
parties they work with to ensure they understand the importance of security.
Amex keeps its third parties sharp on security through strong due diligence
exercises. "We conduct painfully detailed reviews," Salow says.
As group vice president of e-commerce risk management
at SunTrust Banks Inc., Brad Keller is embracing vendor management as
a way to mitigate the security risks of working with third-party providers.
Atlanta-based SunTrust categorizes its vendors according to the size of
their contracts and the criticality of the services they provide. Then,
according to Keller, it identifies individuals in the bank tasked with
"owning" those relationships.
The bank currently is upgrading the program by expanding
its oversight of online service providers. According to Keller, SunTrust
recognizes that online vendors, simply because they operate on the Internet,
represent far weightier risks than traditional service providers. Each
advance in Internet technology brings with it new opportunities for hackers
to compromise systems. "We have to analyze and assess if that vendor
is changing as technology changes," Keller says. "It's a more
fluid environment."
Under the improved vendor management program envisioned
by SunTrust, the centralized e-commerce risk management group headed by
Keller will work with business units that have substantial online functions
to help them draw up contracts with vendors, identify vendor objectives
and put monitoring mechanisms in place. "We'll help provide the owner
of that relationship with the tools needed to manage it," Keller
says.
A corollary to managing security is protecting the privacy
of customer information. SunTrust's vendor management practices helped
it ensure that all the third parties that manage customer information
for the bank meet customer privacy provisions required under 1999's Gramm-Leach-Bliley
Act. Last year, SunTrust re-examined hundreds of contracts to ensure that
vendors were adequately protecting customer information, Keller says.
Reviewing the privacy and security policies of its third-party
partners, as well as the Web sites that SunTrust links with, continues
to be a major function of Keller's department. The group also monitors
the Internet to ensure its third-party partners or others do not use SunTrust's
brand in an unauthorized way. Finally, it tracks legislation and makes
sure SunTrust is responding to any changes in security or privacy laws.
Such active vigilance in managing third-party risk will
likely become standard operating procedure in the years ahead.
Ms. Costanzo is a freelance writer based in Brooklyn, N.Y.
Copyright © 2003 by Banking Strategies, published by BAI.