
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.


1 BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior Director, BITS Presentation to Global Dialogue World Bank Group September 10, 2003

2 Agenda
Overview of BITS
Key Security and Technology Risks
BITS Security-Related Risk Management Activities
–BITS Product Certification Program
–IT Service Providers Effort
–Fraud Reduction and Identity Theft Prevention and Assistance

3 A BIT about BITS
Created in 1996 to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers.
A nonprofit industry consortium that represents the 100 largest financial institutions in the US (banks, securities and insurance).
Works as a strategic brain trust to provide intellectual capital and address emerging issues where financial services, technology and commerce intersect.

4 Key BITS Accomplishments
Crisis Management
–Leading crisis management coordination efforts for the sector
–Creating the BITS/FSR Crisis Communicator
–Driving dialogue to address telecommunications interdependencies
Best Practices
–BITS Voluntary Guidelines for Aggregation Services
–BITS IT Service Provider Framework
–BITS Guidelines for Mobile Financial Services
–BITS E-Insurance Technology Risk Transfer Gap Analysis Tool
White Papers
–Fraud Prevention Strategies for Internet Banking
–Financial Identity Theft: Prevention and Consumer Assistance
Product Security
–Security profiles and testing for e-commerce products

5 Security and Technology Risks
Continuing growth in new e-finance applications, movement of these applications to public networks, and expanding customer access via new channels
Increase in outsourcing arrangements
Complexity of software and systems
Escalating rate and nature of cyber attacks, viruses and worms
Poor quality of software
“Patch management” challenges
Identity theft and privacy protection
Infrastructure interdependencies (e.g., telecommunications networks, power grid)
Regulatory requirements and operational risk capital requirements

6 BITS Security-Related Activities
Product Security
–Urging software manufacturers to improve software quality.
–Developing best practices for patch management.
–Improving baseline security of products used in the financial industry through security requirements and software testing.
Critical Infrastructure
–Developing the National Strategy for Critical Infrastructure Protection.
–Supporting and strengthening the Financial Services Information Sharing and Analysis Center (FS/ISAC).
–Founding and participating in the Financial Services Sector Coordinating Council for Homeland Security and Critical Infrastructure Protection.

7 BITS Security-Related Activities
Operational Risk
–Developing a common body of high-risk factors that influence operational risk models.
–Establishing metrics and measurement methodologies.
Regulatory
–Assisting financial institutions in complying with new cyber security and other security requirements (e.g., customer notification in response to security breaches).
–Facilitating industry dialogue with regulators.

8 BITS Product Security Program
A three-year development effort involving 32 BITS member companies, 23 outside organizations and over 100 security professionals from technology vendors, government agencies and leading financial services firms.
Criteria represent minimum baseline product security requirements for a set of security features including:
–Identification
–Non-repudiation
–Authorization
–Confidentiality
–Data and system integrity
–Data disposal
–Audit
–Authentication
–Security administration
–Guidance documentation

9 IT Service Providers Effort
BITS IT Service Providers Working Group – Raises awareness, develops voluntary guidelines, and shares successful strategies to assure the security and privacy of third-party services in support of the financial services industry.
BITS Framework for Managing Technology Risk for IT Service Provider Relationships – Provides criteria against which relationships can be evaluated and managed.
–Update published for comment September 2003.
BITS IT Service Provider Expectations Matrix – Reduces risk, helps institutions comply with regulatory requirements and eliminates gaps in the audit or assessment process.
–RFI available for public comment through September 30.
BITS/American Banker Financial Services Outsourcing Conference – Held November 6-7, 2003 in Washington, DC.

10 Fraud Reduction/Identity Theft Prevention and Assistance
Quarterly Loss Reporting Program – Participants saw, on average, a 3% annual decrease in losses per account vs. an industry increase of 1% between 1999 and 2001. (Program administered by the American Bankers Association.)
BITS/FSR Fraud Reduction Voluntary Guidelines – Efficient and consistent procedures to prevent identity theft and restore victims’ financial identity.
Uniform Affidavit for Identity Theft – Allows for collection of transactional detail to be shared with law enforcement to help build cases and shut down fraud rings. The affidavit may be shared with other companies where the victim holds accounts. (Created with the Federal Trade Commission.)
Publications – White papers on truncation, identity theft and Internet fraud.

11 For More Information
John Carlson
Senior Director
E-mail: john@fsround.org
Telephone: (202) 589-2442
www.BITSinfo.org

