Challenges spur IT risk management focus

16.06.2005
By Thomas Hoffman

Regulatory compliance burdens, coupled with several highly publicized security breaches, are leading a growing number of IT executives to strengthen their IT and business risk management practices, according to attendees at an IT risk management conference in New York on Wednesday.

For instance, recent customer data breaches involving companies such as Citigroup Inc. and ChoicePoint Inc. prompted ABN Amro Bank to re-evaluate its data protection policies, said Joe Bernick, head of Americas technology risk management at the Netherlands-based bank.

As part of those evaluations, ABN Amro is considering which data needs to be encrypted and the risks associated with storing encryption keys off-site with the data, Bernick said.
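The key-placement risk Bernick raises above is the classic envelope-encryption question: if the key that unlocks the data travels off-site with the data, the encryption protects nothing against whoever holds that copy. The following is an added illustration, not code from ABN Amro or the conference. It uses only the Python standard library, so the `_seal`/`_open` primitive is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for an AEAD such as AES-GCM; the names KEK (key-encryption key), DEK (data-encryption key) and `record` are the usual envelope-encryption terms and are assumptions, not anything from the article. The sample record is constructed.

```python
"""Envelope encryption with the KEK kept apart from the stored data.

Added illustration (not the bank's or the article's code). Stdlib only:
AES is not in the standard library, so _seal/_open is an HMAC-SHA256
counter-mode keystream with encrypt-then-MAC, a stand-in for AES-GCM.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Return nonce || ciphertext || tag; aad is bound by the tag but not stored."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_record(kek: bytes, plaintext: bytes) -> dict:
    """Encrypt under a fresh per-record DEK; store the DEK only wrapped under the KEK."""
    dek = os.urandom(32)
    return {
        "wrapped_dek": _seal(kek, dek, b"dek-wrap"),
        "ciphertext": _seal(dek, plaintext, b"record"),
    }


def decrypt_record(kek: bytes, record: dict) -> bytes:
    dek = _open(kek, record["wrapped_dek"], b"dek-wrap")
    return _open(dek, record["ciphertext"], b"record")


def rewrap_record(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    """Rotate the KEK: only the small wrapped DEK is rewritten; the bulk ciphertext is untouched."""
    dek = _open(old_kek, record["wrapped_dek"], b"dek-wrap")
    return {"wrapped_dek": _seal(new_kek, dek, b"dek-wrap"), "ciphertext": record["ciphertext"]}


def recover_from_storage(stored: dict):
    """What someone who copies the off-site storage can read.

    `stored` models the off-site bundle. If the KEK was shipped with the
    data, the copy decrypts itself; if the KEK stayed in an HSM/KMS at
    home, the copy yields only ciphertext (None here).
    """
    if "kek" not in stored:
        return None
    return decrypt_record(stored["kek"], stored["record"])


if __name__ == "__main__":
    kek = os.urandom(32)  # lives in the KMS, never off-site
    record = encrypt_record(kek, b"acct=12345;balance=9001")  # constructed sample record
    assert decrypt_record(kek, record) == b"acct=12345;balance=9001"
    print("KEK kept home :", recover_from_storage({"record": record}))
    print("KEK shipped   :", recover_from_storage({"record": record, "kek": kek}))
```

The point of the split is that the wrapped DEK can sit next to the ciphertext (it is useless without the KEK), the KEK itself never leaves the key store, and rotating the KEK means rewrapping a few dozen bytes per record rather than re-encrypting the archive. A recovery plan for the off-site copy must therefore also answer how the KEK is reached in a disaster without being stored beside the data.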

"We need to understand those risks -- that's a key initiative" at the moment, Bernick said. He was a speaker at an IT risk management conference presented by Robert Frances Group Inc., a Westport, Conn.-based IT executive advisory firm.

Those types of security issues are particularly acute in the financial services industry, where some customers entrust their life savings to banks and brokerages. "Customers don't care if you lost a data setting or a system -- they want to feel secure about where they're investing their money," noted Bruce Pomerantz, head of IT infrastructure and architecture for corporate investment banking and markets at HSBC Securities (USA) Inc. in New York.

Several conference speakers noted how IT risk management issues are now addressed as business decisions, reflecting how tightly intertwined IT has become with the business. For Bank of America Corp., "it becomes an insurance equation at some point -- what are we willing to spend to avoid a risk event," said Graham S. Seel, global treasury services technology risk executive at the Charlotte, N.C.-based bank.

Getting ahead

One organization, Prudential Financial in Newark, N.J., gave itself a jump start in complying with regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act. That's because the financial services company created a "first-alert" database system eight years ago to help it review all new regulations it has to comply with and to create action plans for each affected area in the company, including IT, said Mario Mosse, the company's vice president of corporate risk management.

The approach helped Prudential Financial to develop a separate automated database that it uses to store all of its Sarbanes-Oxley documentation procedures, Mosse said.

When Dow Jones & Co. begins a large-scale IT project, the Princeton, N.J.-based financial publisher makes additional investments in the IT architecture and infrastructure that will support the new systems before they go into production, a preemptive risk mitigation strategy, said information security architect Jonathan Squire.

For instance, as part of its efforts to support changes in handling Visa and MasterCard credit card transactions, Dow Jones recently created a more scalable, centralized support system to handle fraud detection across different areas of the company, Squire said.

IT risk management considerations should also extend to contract negotiations with vendors, noted Warren Axelrod, director of global information security at Pershing LLC, a financial services firm in Jersey City, N.J.

"Usually, the more powerful negotiator tries to shift the risks [for the contract] onto the less powerful negotiator," Axelrod said. Another technique to mitigate risks in outsourcing deals is to ensure that the customer is achieving cost savings and the vendor is able to glean a profit, he said.