Audit Committees in 2007 are concerned about identity theft, compliance and reputational risks, and they should be: the BSA/AML Examination Manual of 2006, the UK's Serious Organised Crime Agency, the FBI, FinCEN and the GAO all cite identity theft as a source of funding for terrorism and/or organized crime. Information security breaches and lack of compliance with government regulations can shatter consumer trust, reputations and the safety and soundness of internet banking, with volatile deposits departing for safer banks and brands.
Seven key questions for Boards of Directors on identity theft and information security governance include:
(1) What are our operational (legal) risk exposures and operational losses for information security governance per Basel and CAMELS? One benchmark is compliance with consumer protection laws under the FTC Act.
(2) In a scenario analysis, what are the relevant litigation and regulatory enforcement cases?
(3) What impact will operational risks have on our capital, credit ratings and CAMELS ratings?
(4) Are disclosure statements accurate and complete for GLBA Section 503, FDICIA Section 112, Sarbanes-Oxley and Suspicious Activity Reports?
(5) What are the Board-approved risk tolerances, using effective metrics, for operational risk exposures and operational losses?
(6) Do we have adequate internal controls with independent risk verification, effective metrics and periodic Board reports on information security governance?
(7) Do we have adequate resources for managing and reaching Board-approved risk tolerance levels?
For background information and a model for managing these questions, please visit the Information Security Governance Framework.
Converging trends in Spring/Summer 2007 are creating perfect-storm conditions for litigation, regulatory enforcement actions and the quantification of operational risks arising from non-compliance of information security programs with identity theft and consumer protection regulations. These trends include: (1) the implementation of Basel requirements on operational risks and operational losses relating to information security programs and identity theft, and (2) the April 23, 2007 report from the President's Identity Theft Task Force, which states: "Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures."
Visit the "Compliance" section to learn about:
(1) the expanding maze of overlapping federal regulations, mapped and organized into a series of risk matrixes within the "Information Security Governance Framework";
(2) a scenario risk analysis with comparable litigation and regulatory enforcement cases;
(3) exposure to unfunded liabilities (operational risks);
(4) Board-approved risk tolerance metrics with a peer analysis;
(5) Board obligations to validate, verify and manage Board-approved risk-tolerance metrics.
The matrixes cited in the Compliance section are unified in the Information Security Governance Framework.
Contact members of the IP Governance Task Force to obtain a customized Information Security Governance compliance analysis for your Board of Directors.