After a year of turmoil and failure, the financial industry heads into 2009 facing the prospect of increased regulation while combating never-ending cyberthreats.
Experts expect lawmakers to create new operational risk regulations for the industry in the wake of a deepening recession triggered by the subprime mortgage debacle. A lack of fundamental business risk management led to the meltdown in the country's financial system, said Jonathan Gossels, president and CEO of security consulting firm SystemExperts Corp.
"There will be new regulations focusing on operational risk management, with compliance supported by IT infrastructure," he said. "All of this is in the context of extremely tight budgets."
While it will likely take a while for lawmakers to hammer out the new requirements, new personal data protection laws passed in 2008 will put pressure on the financial industry and other sectors. In Nevada, a law requiring encryption for transmission of personally identifiable information over public networks was enacted in October of this year. A Massachusetts law that takes effect May 1 requires businesses to encrypt not only personal data in transmission, but also personal data stored on laptops and removable storage devices.
The Massachusetts law includes a provision requiring organizations to verify that their service providers are compliant, which will continue to make third-party risk management a top issue for financial firms, said Mark Steinhoff, national financial services lead and principal at Deloitte & Touche LLP security and privacy services. The Red Flag regulation that took effect Jan. 1, 2008, also incorporates requirements for service providers.
Ron Woerner, a security officer at a large financial-services firm, expects other states will follow Massachusetts' lead and develop more stringent privacy and security laws, further muddying the regulatory waters.
"Financial companies will then need to spend more money ensuring compliance, taking money away from other needed security programs," he said.
Other new regulations financial institutions will face in 2009 include increased requirements for vetting commercial customers under a new federal rule that implements provisions of the Unlawful Internet Gambling Enforcement Act of 2006, said John Carlson, senior vice president of regulatory affairs for BITS, a nonprofit financial-services industry consortium and division of The Financial Services Roundtable. Compliance will be challenging, he said, because gambling laws vary among states and countries.
In addition, the Federal Financial Institutions Examination Council was expected in December to release guidelines on managing risk associated with remote deposit capture.
As financial firms grapple with new regulatory requirements in 2009, they will face a continuing onslaught of cyberthreats. In fact, the upheaval in the market will likely fuel an increase in online attacks, some experts said.
"Cybercriminals will take advantage of the confusion related to mergers and failures," said David Pollino, an information security professional working with financial services companies.
Securing clients' systems will be a major focus for financial institutions in 2009 as they fight mounting losses due to insecurity on the customer side, Woerner said.
"While many clients' knowledge and ability with computer security continues to improve, many will continue to put pressure on financial institutions to provide the needed security for them," he said.
Paul Smocer, vice president of security at BITS, predicted application security will be a hot topic in 2009. Financial institutions have taken steps to improve secure coding practices internally, but will examine third-party software security more closely, he said.
Financial firms have implemented safeguards that make network-level attacks difficult, so attackers have shifted their focus to the application layer, he explained.
Also expect to see a lot of attention paid to authentication in 2009, Smocer said. "That's primarily due to the types of malware that we've been seeing lately -- malware that's not easily detectable on end users' PCs," he said. "I think that will cause questions to arise with regards to the authentication schemes that are in place today."
Another top issue will likely be strengthening email security to reduce phishing scams via implementation of DomainKeys and Sender Policy Framework, he said.
On the fraud front, identity theft will remain a top issue, Woerner said. The arms race will continue, with "the bad guys getting more organized and savvy on how to compromise financial systems," he added.
There's always increased concern about fraud in an economic downturn, but now there's particular concern about mortgage fraud, said Rodney Nelsestuen, a research director in TowerGroup's financial strategies and IT investments group. In fact, reported incidents of mortgage fraud were up 45% on fewer loan applications in the second quarter of 2008, compared to the second quarter of 2007, according to the Mortgage Asset Research Institute.
Even with the economic crisis, financial institutions are opening up new channels to their customers, such as mobile banking, which will bring new security risks, Nelsestuen said.
However, tight budgets will put added pressure on the professionals in charge of managing risk and information security. "Security professionals will be forced to do more with less, so focus must be given to automation and prioritization, based on reliable data," Pollino said.
Yet the economic crisis could help some companies resolve a difficult problem, Woerner said.
"The slow economy will increase the need for sound risk management practices to better prioritize security, privacy and compliance projects. Many companies have difficulty prioritizing risk decisions," he said. "The economic downturn may finally provide the impetus to fix the eternal problem of security prioritization."