Financial Firms Join Security Audit Program

Five banks have become the latest U.S. financial organizations to join an effort to streamline the assessment of online banking security.

Bear Stearns, Goldman Sachs Group, Wachovia, Morgan Stanley and Regions Financial Corp have joined the Financial Institution Shared Assessments Program.

The Financial Services Roundtable designed the program in February to create a set of security standards that service providers need to match.

It changes the “rather ad-hoc” methods by which individual banks judge the security of financial services, according to Michele Edson, program leader. The new members “demonstrate the support for the program,” she added.

Rather than conducting numerous individual interviews, the program audits service providers, the results of which can be used by other financial institutions.

Among the more than one-dozen service providers participating in the program are VeriSign, Yodlee and Iron Mountain.

Iron Mountain, which is one of the top providers of repository services in
the financial sector, said the program cuts costs and raises the bar for
security considerations.

Now, rather than answering one question a thousand
times, Iron Mountain completes a 1,600-question audit once, according to
Richard Reese, the company’s CEO.

Edson said the survey has been expanded to
ask questions about network and firewall security. The program expects to
complete 12 such audits in 2007, as well as increase its membership.

For service providers, the benefits of the program are many-fold, according
to Yodlee. For instance, a security audit could save a service provider at least $100,000.

“A typical scenario would be a service provider with 100 clients who answers 100 security questionnaires per year where 80 percent of the questions are
similar, and also completes a large number of onsite assessments,” said
Niall Browne, Yodlee’s information security officer.

The audits also provide a better way for banks to gain answers to security
questions, as well as provide service providers a way to measure their
security against an industry standard, he said.

The latest members were announced in the wake of this week’s $18 million online broker fraud and they join the more than 25 other financial institutions who already belong, including Bank of America, Citigroup and Wells Fargo & Co.

Monday, online brokers E*Trade and TD Ameritrade said they both had been
victims of identity fraud. In E*Trade’s case, the company paid $18 million
to reimburse customers affected by the scheme.

Earlier this year, research firm eMarketer reported lackluster adoption of online banking, rising just 3 percent at the end of 2005.

“Security is not a luxury to online banking users, and it cannot be for
online banks,” analyst Lisa Phillips said in the report.
