Holding Management Responsible for Infrastructure Risk

guiltyIn a recent move, the Monetary Authority of Singapore (MAS) issued innovative new Technology Risk Management (TRM) requirements. Rather than simply addressing banking systems, these new requirements are based on guidelines which expand the focus of security regulations and compliance to include all financial service providers. And in a notable move, these new regulations make management liable for the performance and security of the infrastructure and data centers underpinning those services. These new MAS TRM regulations cover credit, market, operational, and technology risks, as well as internal controls and risks related to insurance businesses. The new guidelines apply to all financial institutions that the MAS licenses, approves, or regulates, and lack of compliance can lead to revoking of the license to trade.

In a similar vein, the recent enactment of the Consumer Financial Protection Act empowers American regulatory bodies to request details, going back seven years, from any bank about complaints relating to any of its financial products. The banks must provide these details within 15 days. To do this, banks need to be able to analyze complaint-related information through all communication channels — calls, chats and emails. They must be able to identify customer satisfaction and have a well-defined complaints escalation procedure. This is likely to redefine many banks’ consumer service divisions and generate new business for companies such as Fonetic, since, from mid-2011 to 2013 alone, the US Consumer Financial Protection Bureau received over 175,ooo consumer complaints.

Financial legislation enacted in Singapore or the US quickly becomes worldwide, since every major global financial institution either has a branch in these two countries or does business with a financial institution there. Once implemented in one branch, all divisions of these banks and their business partners must comply with the new guidelines.

As a direct consequence of these legislative measures, financial institutions will need to focus a lot more attention and effort on analyzing their current processes and capabilities to identify gaps in their TRM and Title X compliance. And there’s no time to waste — compliance audits are currently scheduled for January 2015.

Integrating IT operations and security teams is an important first step in addressing the network and IT aspects inherent in these new requirements, as global financial institutions must provide near real-time detection of security incidents and fast forensics and reporting after the incident. Worryingly, in many institutions IT operations and security are still two separate teams, with goals and objectives that are not fully aligned. The TRM operational risk and security rules allow just four hours of downtime for each critical system in a 12-month period. System downtime and system slowdowns are both viewed as incidents, and both are subject to the same reporting guidelines as security incidents.

The issues around looming team mergers are becoming a wider issue across the board, as business processes merge and corporate compliance policies require fully-integrated security capabilities. Data center, networking, messaging, and security teams are all affected by these changes — in just one example, Microsoft with Outlook and SharePoint (not to mention other major messaging and collaboration vendors) is moving to unify its apps environments. This realignment is taking a long time, coming as it does at a time when many corporate IT departments still retain separate messaging and collaboration teams.

As teams move towards mergers, management software needs be role-based to provide the relevant information to each team and to support them on the transition path. These types of management tools — such as Tripwire for security configuration management, vulnerability management, and log intelligence, and GSX for messaging — must be fully aligned with corporate governance, risk, and compliance goals. Failure to comply with TRM requirements may result in loss of their license or being barred from transactions through Singapore. Failure to comply with Title X may result in financial penalties and loss of corporate credibility.

The positive aspect of these (at times draconian) legislative measures is that top management and board members now have a personal stake in good corporate governance, in line with other measures such as SOX and the 8th EU Directive. If corporate IT and infrastructure teams can lay out a clear plan of action to attain compliance with the new measures, then financing is pretty much a given.