Do IT security pros in the financial sector have to worry about the current economic environment?
There are companies that are being merged and companies that are disappearing from the face of the earth. If I was sitting at one of these companies that were in jeopardy, my concern about disgruntled employees would probably go up. I would pay more attention to my access control reports. I would also pay more attention to monitoring privileged user activity. None of these things should be new or be changing in this current economic climate. Companies that have put together effective information security programs are not going to be doing anything different other than acting or following up with what they already have in place.
Steven Katz, Former CISO Citigroup, JP Morgan and Merrill Lynch
If you look at the mergers, I think Bank of America has a really good process of bringing on acquired companies, changing access rights and provisioning people. So that should be a fairly smooth event. You now have a number of investment brokerages that are becoming bank holding companies. The SEC regulations are different from the FFIEC [Federal Financial Institutions Examination Council] regulations. For companies that already have a strong information security program in place it's not going to be much of a stretch. For those that don't, they'll need to go back and figure out what they need to do to conform to the FFIEC regulations. What typically would happen to ongoing security projects during a merger?
The company being acquired would probably put things on hold because their infrastructure and data structure is going to change. And the acquiring company is going to want to put their practices, policies and programs in place. Any company being absorbed into another one; the fact that it's being absorbed due to financial issues is no different from an acquisition under any other circumstances. Generally you put in a steering committee, you do a detailed gap analysis and you put together a program to get your policies and procedures into place. It's generally well thought through. Bank of America has done a lot of this a bunch of times. I know that J.P. Morgan Chase did an extremely good job when they acquired Bear Sterns, but they had a lot of practice acquiring other companies. How long does it take for a company to meld the data structures and security policies together? Does it take a long time?
The length of time depends upon the oversight group sitting down and assessing where they are and determining where the gaps are. Nothing is really taken down until new systems are put in place. It's going to be gradual. The last thing you want to do is make the cure worse than the disease. You will always have technical risk oversight groups that figure out what functions and policies do we have in place at the acquiring company and what functions and policies at the company being acquired and making sure that there's a process to ensure the segregation of duties and ensure that they are paying a lot of attention to activity monitoring reports. What happens when a company goes completely out of business? Who picks up the pieces?
Companies typically have an orderly process to phase things out. Both Bear Sterns and Lehman, from what I know, their technology risk programs were maintained and there was an orderly process to deidentify folks and deprovision folks. Companies recognize that there are two issues to deal with. One is the shareholders, but the other is what you are doing for your customers. There is still a requirement to maintain confidentiality and integrity of your confidential customer data. In both cases there was essentially a controlled process to figure out how long it was going to take to merge the company records and employee records into a new company. Who typically makes up the oversight committee?
It's going to be IT, it's also going to be technology risk and security, certainly audit and compliance and business will be at the table. They're all actively involved. Your external auditors are going to be very much a part of it. I am certain that the examining body for the acquiring company will be actively engaged to make sure the process moves smoothly. There's good news and bad news in being a regulated entity. The bad news is that you're a regulated entity and you have a lot of folks looking at what you are doing. The good news is that in times of crisis like this, they're going to help you make sure that you stay on the straight and narrow. In this uncertain economy, do you think companies will continue to spend on security technologies, including encryption?
Yes. I think the companies recognize that there is a trust relationship with their customers. The last thing they want to do is add an additional threat to the problem. To the extent that there is a valid business reason for protecting customer information, and encryption comes right into that, they're going to continue to do that. It may take a little longer. The business case may have to be made a little more clearly. Your risk calculations are going to have to be carefully scrutinized.