The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.
An advanced Managed Security Service can clearly help financial institutions to quantify IT risks and identify which steps have the highest marginal impact to reduce those risks as an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirements with even a few base points has drastic profit and loss implications.
Apart from sector specific requirements such as the Basel Accord, more generic legislation on computer crime and privacy (e.g. the Data Protection Act of 1998) form a clear incentive for financial institutions to streamline security risk management on a company-wide level.
Operation complexity of e-security driving the adoption of managed security services
One of the many challenges for FSPs during an economic downturn is maintaining their security posture with shrinking resources. With hackers and viruses becoming ever more sophisticated, security has stopped being a series of protective product installations and become instead a full-time, 24x7x365 process. It is simply not enough to deploy point products, or even families of products, and assume that the organisation is safe. All of the various products require ongoing maintenance, frequent patches, updates and proactive management. This is obvious for signature-based systems such as virus scanners and intrusion detection systems, but perhaps not as obvious (but equally important) for devices such as firewalls.
As such, there is an increasing 'stealth trend' for large financial institutions to outsource this maintenance and management process to managed security service providers. This represents a significant sea-change in attitudes towards both security and what companies will entrust to a third party outsourcing partner.
There have been numerous instances of FSPs allegedly outsourcing their security. When you read into the details this is not quite the case. Financial institutions are outsourcing some aspects of their security infrastructure. Typically this will be the operational aspects of the primary IT defence and detection systems, such as firewalls and intrusion detection systems (IDS).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.