07:40 AM
Putting Security in the Bank

Under regulatory and threat pressures, financial institutions look for ways to fund, and market, security

NEW YORK -- Financial services companies are not only finding innovative ways to implement new security initiatives, they're also finding innovative ways to fund them.

ABN AMRO Bank, N.A. now requires all of the bank's application projects to allocate one percent of their funding to security. It's all part of a movement among financial institutions to build security into services from the ground up.

Joe Bernik, CISO for La Salle Bank and head of information security for ABN AMRO Bank, N.A., says this ensures that a new application goes hand in hand with the organization's security, and the security aspect gets funded.

"If you have to mitigate security risk after the fact, it's a costly exercise," Bernik told attendees of the Cyber Security Executive Summit here today.

CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape. They face not only phishing exploits, but also emerging application-level security issues, client laptop security, and compliance with regulations such as the FFIEC's requirement for strong authentication in online banking, which banks must deploy by the end of the year.

But even with the progress firms like ABN AMRO have made in folding security into the application and service development process, there's still a long way to go. Bernik says his company is "trying" to routinely perform risk assessments on projects before they go live. "With risk assessment, when you do the assessment, you have to be in pre-production or something that's ready to be embedded in the app."

Regs like SOX have made it easier to get funding for security, CISOs say. "The regulators are doing the job for me" of getting the business side to take security more seriously, Bernik said. "I've had challenges in my business getting business owners to listen and take heart" in implementing security controls. The FFIEC's authentication reg is one such example, he said.

But as the regulatory buying craze slows down, financial organizations no longer have that ammunition, according to C. Warren Axelrod, senior vice president and business information security officer for the United States Trust Company. "You could say 'do it or the regulators will come in,'" he said. "But that's not so true now."

Banks are weighing the cost of strong authentication: Token-based authentication may make sense internally, but not for consumers, they say. "You're not going to pay $30 to $40 for each of your millions of customers," Axelrod said. Banks are looking for easy-to-use, simpler options for authentication, he said.

Getting funding for security is not just a matter of folding it into projects from the get-go, but also making it a selling point for your customers, financial execs say. Some large banks such as Bank of America, with its Passmark security, have already begun using security as a marketing tool.

"It's not about looking at point solutions," said Don Rhodes, policy manager for payments and technology at the American Bankers Association. "Think federated identities -- so that it's a revenue-steering solution and not a cost" issue, he said.

The bottom line is, for banks and financial services it's more about customer confidence in security. And marketing edge aside, it's a financial community issue. If one bank loses customer confidence, it hurts the entire banking system, says Dan Shutzer, executive director of the Financial Services Technology Consortium.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
