Examining the guidance issued under GLBA makes it apparent that application security, and automated tools for assessing application security vulnerabilities, are essential to meeting GLBA security objectives such as risk assessment, prevention of malicious code, testing of code and key controls, and updating controls in response to new vulnerabilities and to changes in applications. The Cenzic Hailstorm solution helps financial institutions comply with GLBA and other laws because it automates risk assessment, checks Web applications for vulnerability to the injection of malicious code, automates the testing of code and key controls during the software development process, and helps institutions respond to new vulnerabilities throughout the software development lifecycle.
I. Financial Information is Vulnerable
Financial Web applications hold out the promise of delivering financial services better, faster, and with greater customer satisfaction. Online banking is now commonplace, but Web applications for financial services also include bill payment, securities trading, loan applications, money transfers, and data aggregation. Web-based financial services are not without their problems, however. Not the least of these is security vulnerabilities, which can expose the institution to legal liability.
Consider what happened to Sunbelt Lending Services, Inc., a mortgage broker in Clearwater, Florida, wholly owned by Cendant Mortgage Company. Sunbelt implemented a lead generation application on its company Web site, and the application saw little use. Although Sunbelt eventually discontinued it, the company was caught in a Federal Trade Commission sweep of mortgage providers that had failed to adequately protect customers' personal and financial information.
The FTC claimed that Sunbelt had failed to take adequate steps to protect customer information. The FTC and Sunbelt eventually entered into a Consent Agreement to settle the matter, and on January 3, 2005, the FTC approved an order requiring Sunbelt to undergo a biennial security assessment by a Certified Information Systems Security Professional (or a similarly qualified security professional) for ten years. In other words, after spending money on legal fees to defend itself, Sunbelt found itself obligated to submit to an expensive, recurring security assessment process and to report the results of each assessment to the FTC.
In addition to cases like Sunbelt, recent news has brought a spate of serious breaches to the public's attention, raising new fears about the security of financial information. A new breach seems to hit the press almost every week. The apparent cause of this wave of news stories is the recent enactment of laws requiring companies to notify customers when their private information is compromised (see Section VI below).
The impact of these security breaches can be devastating. Affected customers may spend months or even years recovering from identity theft. The companies that lost the information incur enormous costs investigating and responding to the breaches. Companies perceived as having lax security also lose revenue through damage to their reputation, and those losses can far exceed the cost of investigation and incident response. Finally, as the class action and securities fraud suits against ChoicePoint show, legal liability for security breaches adds to the losses. Beyond private lawsuits, federal and state regulators have the authority to bring enforcement actions against companies that fail to protect customer information and to seek fines, injunctions, and expensive remedial measures.
II. Legislators Respond
Security breaches are nothing new, however. In previous years, Congress heard testimony about security vulnerabilities and other abuses and enacted legislation to address them. Congress' past efforts took a sector-based approach to ensure that the most sensitive information was protected. Examples include:
- In the government sector: the Privacy Act of 1974 (regulating the federal government's handling of sensitive citizen information) to protect against government misuse.
- In the government sector: various laws relating to the security of federal agency information systems, such as the Federal Information Security Management Act, to clean up security vulnerabilities in federal systems.
- In the health care sector: the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy after perceived abuses.
- In the financial services sector: the Gramm-Leach-Bliley Act (see Section III below) to protect sensitive financial information.
- For public companies: the Sarbanes-Oxley Act (see Section V below) to address distortion of financial reporting to investors.