Federal regulators are developing information security rules for the financial services industry to protect customer data. But executives at affected banks, brokerages and insurance companies say mandating stringent security requirements - such as encrypting stored or transferred data - will increase their costs and potentially impair data-sharing arrangements they have with business partners.
Corporate legal, business and information technology departments will all be involved in implementing the rules, and "when you add up those collective costs for a big organization, it's clearly in the millions of dollars to get [compliant processes and systems] up and running," said Bill Bradway, an analyst at Meridien Research Inc. in Newton, Mass.
As such, company officials are urging regulators to instead issue the security requirements as guidelines, not regulations, thus giving financial institutions flexibility to tailor information security programs to their specific needs.
"The financial services community has repeatedly shown leadership in the security area," said Edward Schwartz, chief information security officer at Nationwide Financial Services Inc. in Columbus, Ohio. "Wouldn't it be reasonable to say [to regulators], . . . 'Let us try to do it in such a way that doesn't have an unnecessary financial impact on our business'?"

The pending rules are a requirement of the Gramm-Leach-Bliley Act, the sweeping financial deregulation legislation approved last year that allows banks, insurance companies and securities firms to merge. The act requires regulators - in this case, the Federal Reserve, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and Office of Thrift Supervision - to write rules aimed at safeguarding customer information.
No Date Set
The new rules are due to take effect in July. But regulators have yet to issue final rules, and agency officials haven't said when they will be completed.
Meanwhile, officials at financial services companies are considering how the rules will affect them.
Blaise Bettendorf, chief financial officer at The Summit National Bank in Greenville, S.C., a regional bank with US$200 million in assets, has been getting price quotes from vendors to find out how much it would cost to have regular systems testing conducted by independent third parties, a potential requirement of the new rules for banks and other institutions. So far, she said, the price quotes have been "hefty," ranging from $20,000 to $80,000.
Companies that have well-defined, integrated IT architectures will be in a better position to comply with the regulations than will organizations with a hodgepodge of systems that have been cobbled together through a string of acquisitions, said Bradway. "Organizations that have not yet completed their consolidation to a common architecture may be looking at the same problem times 10," he warned.
At Nationwide, which has $115 billion in assets, a rule requiring data encryption could add overhead to network bandwidth and server CPU, said Schwartz.
Encryption requirements may also impede data transfers by making the already difficult job of interfacing with a plethora of different systems "very complex," he said.
More important, Schwartz said, any need for encryption "may have already been mitigated by all the other [security] controls that we do as a matter of course." He said he wants the federal rules to offer that flexibility.
"Institutions want to have some guidance from regulators, but they don't want to be boxed in by them," said Charlotte Bahin, regulatory affairs director at America's Community Bankers, a Washington-based trade group. "They want to be able to incorporate the elements of the security plan that would be most appropriate for them."