Why Managed Security Services are so Popular in Financial Institutions
by Carl Annicq - EVP Corporate Account Program and Business Development for Ubizen - Friday, 20 June 2003.
'Managed Security Services' seems to be one of the new buzzwords in the ICT sector. When you sign up with a Managed Security Service Provider (MSSP), that company takes over the real-time monitoring, management and support of your security devices on a 24x7x365 basis. These devices can include firewalls, VPNs, intrusion detection systems, anti-virus systems, etc., and a strong Service Level Agreement (SLA) is put in place to ensure the quality of service delivered by the MSSP.

Make no mistake: selecting a managed security service does not mean you outsource the whole 'security problem'. As a company, you are still responsible for your own security policy.

There are two principal reasons why the concept of managed security is so well received by financial institutions around the world. The first reason has to do with legal requirements and recommendations. The second reason resides in the operational complexity of e-security.

Legal requirements leading to new e-security challenges

Financial organisations and service providers (FSPs) are confronted with numerous legal requirements and recommendations. One predominant regulation is the 'Basel Capital Accord' from the Basel Committee. More than a decade has passed since the Basel Committee on Banking Supervision (the "Committee") introduced its 1988 Capital Accord (the "Accord"). The original framework described a capital measurement system for financial institutions, stating that they need capital available in the amount of 8% of their credit risk. The Accord is enforced by regulatory agencies in the so-called G-10 countries, and is applicable to all internationally active banking institutions.

The business of banking, risk management practices, supervisory approaches, and financial markets have each undergone significant transformation since 1988. That is why in June 1999 the Committee released a proposal to replace the Accord with a more risk-sensitive framework. This Basel II Capital Accord is expected to be effective as of 2006.

The 1988 Accord focussed on the total amount of bank capital, which is vital in reducing the risk of bank insolvency and the potential cost of a bank's failure for depositors. The 1998 Accord set a capital requirement simply in terms of credit risk (the principal risk for banks), though the overall capital requirement (i.e., the 8% minimum ratio) was intended to cover other risks as well.

In 1996, market risk exposures were added as a second separate type of risk and were given separate capital charges. The new framework of Basel II will introduce operational risk as a third type. The Committee has been working with the industry to develop a suitable capital charge for these operational risks; for example, the risk of loss from computer failures, poor documentation or fraud. Based on work to date, the Committee expects operational risk on average to constitute approximately 20% of the overall capital requirements. IT risks, such as the risk of being hacked and the risk of online fraud, are important elements in this.

The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.

An advanced Managed Security Service can clearly help financial institutions to quantify IT risks and identify which steps have the highest marginal impact in reducing those risks, as an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirements by even a few basis points has drastic profit and loss implications.

