Banking and Financial Services

According to Business Week, a poll of 20 of North America's 50 biggest banks shows that compliance spending grew 159% on average for the five years through 2006 - far faster than profit growth. The Deloitte Center for Banking Solutions, which conducted the survey, says the 20 banks now spend an average of $83.5 million annually to stay on top of Sarbanes-Oxley and other laws and regulations. Of that total, approximately $14 million is spent on information technology.

For that annual expenditure, the key questions for these banks remain:

  • IT Governance, Risk and Compliance process: Do we have one?
  • Quality: Are we obtaining reliable results?
  • Cycle Time: How long does it take to get reports?
  • Cost: How much is it costing us?
  • Resiliency: Can the process adapt to change?

The Challenge

The banking and financial services industry faces tremendous scrutiny from both domestic and international regulatory bodies, particularly in light of the subprime lending crisis and its impact on public and shareholder trust in the industry. In general, regulations and mandates aim to ensure the integrity of financial reporting information and the privacy and protection of personal information stored and transmitted in bank information systems.

Knowing where this data is stored, and which controls already protect it, is itself a challenge. On top of that, ongoing risk assessments require that those controls be tested routinely. The challenge is compounded by the complexity of the organizations themselves: the geographic distribution of offices, data centers and business units, ongoing mergers and acquisitions, and data-intensive business processes. Finally, add the hundreds or even thousands of suppliers these enterprises typically rely on to deliver services to their customers, and it is easy to see how an organization's visibility into its own risk posture becomes clouded.

Key IT-related risk and compliance regulations and mandates that banks and financial services enterprises must comply with include:

  • SOX 404 (Sarbanes-Oxley Act, section 404) – requires management of publicly traded companies to assess, and auditors to attest to, the effectiveness of internal controls over financial reporting, including the IT controls that protect the integrity of financial data
  • PCI DSS (Payment Card Industry Data Security Standard) – a card-brand mandate requiring any organization that stores, processes or transmits cardholder data to maintain a defined set of security controls and to validate them through regular assessments
  • Gramm-Leach-Bliley Act (GLBA) – requires financial institutions to safeguard the security and confidentiality of customers' nonpublic personal information
  • California SB 1386 – requires notification of California residents when their unencrypted personal information is exposed in a breach; most other states have since enacted similar laws and federal versions have been proposed
  • EU Data Protection Directive (95/46/EC) – requires businesses operating in EU member states to protect the personal data they process
  • Basel II – requires banks to measure and hold capital against operational risk, which includes losses from information security failures, and to document the related controls

The Solution

Agiliance IT-GRC 3.0 provides banks and financial services enterprises with the ability to:

  • Establish a resilient IT-GRC business process that gives a holistic, real-time view of risk and compliance across the enterprise, including partners and vendors
  • Implement an operational IT risk program, including eSurveys distributed throughout the organization, key risk indicators for IT, and threat assessments using the COSO and AS/NZS 4360 risk management methodologies
  • Demonstrate continuous multi-regulatory compliance through a “test once, comply with many” capability that maps each control test to every regulation it satisfies, reducing the cost and cycle time of testing and reporting while improving the quality of results
  • Integrate and automate technical controls by leveraging existing investments in security and change management systems: data from vulnerability scanners, CMDBs, identity management (IdM) systems, segregation-of-duties systems and other sources is imported to generate reports automatically, drill down to critical controls, and set priorities based on the areas of highest risk
  • Migrate over time to standard control frameworks such as ISO 17799/27001 (ISO 17799 has since been renumbered ISO/IEC 27002), COBIT, NIST and FFIEC
  • Create enforceable policies and monitor controls across functional and geographical boundaries