Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:40 AM
Connect Directly

Putting Security in the Bank

Under regulatory and threat pressures, financial institutions look for ways to fund, and market, security

NEW YORK -- Financial services companies are not only finding innovative ways to implement new security initiatives, they're also finding innovative ways to fund them.

ABN AMRO Bank N.A. now requires all the bank's application projects to allocate one percent of their funding to their security. It's all part of a movement among financial institutions to build security into services from the ground up.

Joe Bernik, CISO for La Salle Bank and head of information security for ABN AMRO Bank, N.A., says this ensures that a new application goes hand in hand with the organization's security, and the security aspect gets funded.

"If you have to mitigate security risk after the fact, it's a costly exercise," Bernik told attendees of the Cyber Security Executive Summit here today.

CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape. They face not only phishing exploits, but emerging application-level security issues, client laptop security, and compliance with regulations like strong authentication for online banking, which banks must deploy by the end of the year, according to FFIEC regulations.

But even with the progress firms like ABN AMRO have made in folding security into the application and service development process, there's still a long way to go. Bernik says his company is "trying" to routinely perform risk assessments on projects before they go live. "With risk assessment, when you do the assessment, you have to be in pre-production or something that's ready to be embedded in the app."

Regs like SOX have made it easier to get funding for security, CISOs say. "The regulators are doing the job for me" of getting the business side to take security more seriously, Bernik said. "I've had challenges in my business getting business owners to listen and take heart" in implementing security controls. The FFIEC's authentication reg is one such example, he said.

But as the regulatory buying craze slows down, financial organizations no longer have that ammunition, according to C. Warren Axelrod, senior vice president and business information security officer for the United States Trust Company. "You could say 'do it or the regulators will come in,'" he said. "But that's not so true now."

Banks are weighing the cost of strong authentication: Token-based authentication may make sense internally, but not for consumers, they say. "You're not going to pay $30 to $40 for each of your millions of customers," Axelrod said. Banks are looking for easy-to-use, simpler options for authentication, he said.

Getting funding for security is not just a matter of folding it into projects from the get-go, but also making it a selling point for your customers, financial execs say. Some large banks such as Bank of America, with its Passmark security, have already begun using security as a marketing tool.

"It's not about looking at point solutions," said Don Rhodes, policy manager for payments and technology at the American Bankers Association. "Think federated identities -- so that it's a revenue-steering solution and not a cost" issue, he said.

The bottom line is, for banks and financial services it's more about customer confidence in security. And marketing edge aside, it's a financial community issue. If one bank loses customer confidence, it hurts the entire banking system, says Dan Shutzer, executive director of the Financial Services Technology Consortium.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...