Financial reforms affect data security

By Marcia Savage, Site Editor, SearchFinancialSecurity | Aug 2, 2010

0 comments

Digg

 Email

 Print

It will be some time before we know how the financial services regulatory reform bill signed into law by President Obama last week actually will be implemented, but the sweeping legislation has some possible information security implications, industry experts said.

The Dodd-Frank Wall Street Reform and Consumer Protection Act, spurred by the 2008 banking crisis, includes the creation of a new consumer protection agency at the Federal Reserve, gives regulators new powers to safely liquidate failed financial firms, and imposes new rules for transparency in derivatives markets.

Federal banking regulators will write the regulations to implement the law, a process that experts expect will be long and drawn out. Still, while the details remain to be seen, the law is another regulation that information security professionals will need to get their arms around, said Rocco Grillo, a managing director in the security/privacy practice at Protiviti Inc., a Menlo Park, Calif.-based risk consulting and internal audit firm. IT security has evolved in the past 10 years from an IT-centric control to more of a compliance control in order to meet increased regulatory requirements such as the Red Flags Rule, he noted.

"It's a lot more compliance," he said of the financial services regulatory reform law. "You'll see more financial institutions increase their compliance departments."

Michael Brauneis, a director in Protiviti's risk and compliance practice, said a provision in the law related to the creation of the consumer protection agency could lead to data security and privacy issues. The law calls for regulations that would allow a consumer to ask their financial institutions for any information they have in their systems about transactions with him or her.

"That's not a privacy issue per se, but it could lead to a huge degree of identity theft risk if the regulations and the processes financial institutions put in place [to comply] don't ensure effective controls around security when those requests come in and make sure the person requesting the information is actually the consumer and not someone trying to steal an identity," he said.

Overall data management may become a huge issue under the financial services regulatory reform law. The legislation includes the concept of a systemic risk regulator that would gather information from the industry at an aggregate level in order to prevent another banking meltdown, said Fritz McCormick, senior analyst at Aite Group LLC, a Boston-based research and advisory firm. Specifically, the bill -- when it was being finalized -- put forth the idea of an office of financial research that would collect data round forward-looking risk sensitivities, he said.

0 comments

Digg

 Email

 Print