Chapter 2. Overview Of E-security Risk Mitigation44
At a Glance
This chapter of the Handbook identifies, defines, and discusses, under eight pillars, policies, processes, and an overall infrastructure that can foster a secure electronic environment for the financial services sector. It is intended for policymakers working with financial services providers, especially executives, chief information, and security officers. The technical sections should be of special use to those who administer electronic security systems, bank examiners who evaluate the adequacy of electronic security, and those who deal with the associated day-to-day risks inherent in electronic transactions.
Security in e-Finance
A recent series of papers on e-finance identified electronic security as crucial to enabling electronic finance to meet business and consumer expectations and deliver the benefits provided by technology and leapfrogging.45 E-security touches the heart of the new economy; the potential benefits to global markets and the international community are substantial. However, the process of building a global electronic economy merits deep discussion of emerging business and policy issues: How should we define and protect privacy? What do trust and confidence mean in a digital environment? How can one determine the appropriate level of security, and how can one measure the return on the security investment?
Due to the ever-changing nature of technology, this Handbook does not treat all these issues nor does it attempt to provide definitive answers. Rather, it offers a view of what has transpired to date, the gaps that are opening in the electronic security area, and some possible approaches for bridging those gaps. It also acknowledges some of the efforts underway around the world aimed at resolving these issues.
What is electronic security?
Broadly speaking, electronic security is any tool, technique, or process used to protect a system’s information assets. Electronic security enhances the value of a network and is composed of soft and hard infrastructure. The soft infrastructure components are the policies, processes, protocols, and guidelines that protect the system and the data from compromise. The hard infrastructure consists of hardware and software needed to protect the system and data from threats to security from inside or outside the organization. The degree of electronic security used for any activity should be proportional to the activity’s underlying value. Appropriate security measures will mitigate (but not eliminate) the risk for the underlying transaction, in proportion to its value.
Electronic security will require more attention as new technology creates new risks and as technologies converge.
E-finance is the use of electronic means to exchange information, transfer signs and representations of value, and execute transactions in a commercial environment. E-finance comprises four primary channels: electronic funds transfers (EFTs), electronic data interchange (EDI), electronic benefits transfers (EBTs), and electronic trade confirmations (ETCs).
Although e-finance offers developing market economies an expanded opportunity for commerce, the capability poses a number of serious risks. All four channels of e-finance are susceptible to fraud, theft, embezzlement, pilfering, and extortion. Most of the commerce-related crimes that take place over the Internet are not new— fraud, theft, impersonation, and extortion demands have plagued the financial services industry for years. However, technological advance opens up new dimensions of depth, scope, and timing. Technology creates the possibility for crimes of great magnitude and complexity to be committed quickly and anonymously. In the past, stealing 50,000 credit card numbers would have taken months, perhaps years, for highly organized criminals. Today one criminal using software tools freely available on the Web can hack into a database and steal that number of identities in seconds.
44 This Chapter is drawn from a report produced by Thomas Glaessner, Tom Kellermann, and Valerie McNevin for The World Bank (2002) entitled: “Electronic Security: Risk Mitigation in Financial Transactions.” See link at:
http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications
45 See a number of works by Glaessner, Kellermann, and McNevin including “Electronic Safety and Soundness: Securing Finance in a Digital Age, Public Policy Issues” (October 2003). This Monograph is the culmination of efforts over the past three years and builds upon a series of papers. These include: “Electronic Security: Risk Mitigation in Financial Transactions” (May 2002, June 2002, July 2002), “Electronic Finance: A New Approach to Financial Sector Development?” (2002), and “Mobile Risk Management: E-Finance in the Wireless Environment” (May 2002). All papers are available at: www.worldbank1.org/finance
Recent surveys suggest that in the United States, 57% of all hack attacks were initiated in the financial sector last year. Many breaches, such as one incurred by the U.S. Treasury, result from a failure to implement appropriate risk-management processes or from the use of off-the-shelf commercial software without a layered approach to security, involving personnel policies, communications guidelines, and regular updating of the technical means deployed, such as virus scanners and firewalls. The results of well-publicized security breaches range from financial and reputation loss to a potential backlash against electronic transactions stemming from mass consumer distrust of the e-finance and e-commerce media.
The network-mediated economy presents unparalleled opportunities for both the creation of wealth and the theft or destruction of it. In assessing its promises and weighing these against potential pitfalls, policy and decision makers should educate themselves about the role that e-security plays in ensuring safe and reliable business transactions via the Internet.
The electronic security industry is growing and globalizing; it will present public policy challenges in the areas of competition policy, potential conflicts of interest, and certification.
E-security companies and vendors generally fall into three categories: access, use, and assessment. Today’s industry includes companies that provide active content monitoring and data filtering, develop intrusion detection services, place firewalls, conduct penetration tests to expose hardware or software vulnerabilities, offer encryption software or services, and create authentication software or services that use passwords, tokens, keys, and biometrics to verify the identity of the parties or the integrity of the data.
In addition to e-security, many vendors supply a multitude of interlinking services to the e-finance providers in various countries. These services include hosting companies, Internet Service Providers (ISPs), and providers of financial services. Telecommunication companies in emerging markets are often the key providers of cellular, satellite, and microwave services as well. Such companies may also supply hosting services and de facto money transmission services. In some cases, they may also provide certain electronic security services.
The cross-linking ownership of the e-security and e-finance industries raises complex questions of competition policy and potential conflicts of interest. In the case of competition policy, do the multiple roles played by telecom companies act to inhibit competition, particularly in emerging markets where the technical expertise to provide such services often resides in these companies? What about assuring the integrity of the services provided and company policies on reporting security breaches promptly and accurately? Moreover, outsourcing trends in this industry highlight the importance of reviewing the extent of downstream liability involved with this complex set of vendors. Typically, contracts between financial entities and their providers use service-level percentages as a performance guarantee on a sliding-cost scale, but they do not build in sufficient remedies to address product performance from a security perspective.
The public interest case for regulation of electronic security within the financial services industry must be recognized. Important trade-offs exist between electronic security and such areas as costs, quality of service, technological innovation, and privacy. Formulation of regulation and policy needs to take explicit account of these trade-offs.
Traditionally, the telecommunications industry has been regulated as being essential to public health, interest, and welfare. Hence, a core component of its regulatory model was to expand service to give everyone access. In many countries, access to basic service is now considered a necessity of modern life. Historically, the financial services industry has been regulated by the premise that trust and confidence are paramount to the orderly movement of trade, goods, and money. And, given that a special trust is conferred on financial entities, they must conduct their business in a safe, sound, and prudent manner. Convergence of the telecommunications industry and the financial services sector through the Internet heightens the importance of and the necessity for sound public policy and informed regulation to ensure that government, business, and people continue to have access to secure financial services.
Efforts to develop public policy to improve or establish electronic security measures should take into consideration the following eight important pillars:
(i) An adequate legal and enforcement framework;
(ii) Technical and managerial arrangements to ensure electronic security of payment systems;
(iii) Robust supervision and prevention, to create better incentives to implement appropriate layered risk-management systems, including electronic security for financial services providers;
(iv) A framework within which private insurance companies can insure against and monitor e-risk, thereby helping to improve standards in this area via the underwriting covenants they require;
(v) Digital signatures;
(vi) Information sharing;
(vii) Education of citizens, employees, and management on security issues; and
(viii) A layered security structure.
Pillar I: Legal Framework and Enforcement
Countries adopting electronic banking or electronic delivery of other financial services (e.g., distribution and trading of securities) must consider electronic security concerns as they develop their laws, policies and practices. They must promote the use of security to protect back-end and front-end electronic operations and should reform their criminal laws to address cyber crime.
In the policy design process, an e-finance legal framework should take the following areas into account:
• Electronic transactions and electronic commerce
• Payment systems security
• Privacy
• Cyber crime
• Anti-money laundering
• Enforcement infrastructure
Together, these six areas of policy, law and enforcement should address the basic relationships among all participants and the transactional activity that flows through the payments system. A cornerstone of an e-finance legal framework is to recognize the legal validity of consumer electronic signatures, transactions, or records. The legal framework should prefer technology-neutral solutions, provide basic consumer protections for electronically based transactional activity, promote interoperability, and address evidentiary issues.
Electronic Transactions
Electronic transactions law should define what is meant by an electronic signature, record, or transaction, recognizing the legal validity of each element. The policy should be especially careful in defining an electronic signature. Definitions should be technology-neutral to the greatest degree possible, in order to allow various technical solutions to enter the marketplace.
Payment Systems Security
Development of policy for payment systems security should consider all entities that directly affect the system. All such entities should operate in a secure manner so as to protect the integrity and reliability of the system. Further, policy could require timely and accurate reporting on all electronic-related money losses or suspected losses and intrusions. And finally, policies could require that the financial institution and related providers have sufficient risk protection.
Privacy
Privacy law should encompass data protection and use, consumer protection and business requirements, and notices about an entity’s policy on information use. The European Union (EU) continues to be the leader in providing privacy protection to its citizens with the 1995 EU Directive on Data Protection. At a minimum, the privacy law should embrace the fair information practice principles, including notice, choice, access, and collection of only the minimum information necessary to complete the transaction.
Cyber Crime46
Every nation should have in place laws addressing abuses of a computer or network that result in loss or destruction to the computer or network, as well as associated losses. The law should also provide the tools and resources needed to investigate, prosecute, and punish perpetrators of cyber crimes. An example of such laws and directives may be seen in the Council of Europe’s Convention on Cybercrime, discussed at length in Part 4 of this Handbook.
Anti–Money Laundering
These statutes should define money laundering and encourage international cooperation in the investigation, prosecution, and punishment of such crimes, giving special attention to money laundering threats inherent in new or developing technologies.
Enforcement
Perhaps as important as the legal framework will be the need to enforce the provisions of e-security laws within and across national boundaries. Many different types of computer intrusions originate through activities conducted in countries with weak legal and enforcement regimes for electronic security, making international cooperation essential.
Pillar II: Electronic Security of Payment Systems
Payment systems are a critical component of any financial system. Policies to mitigate risk to payment systems should address the following five problems:
1. The definition of money transmitters.
2. Reporting requirements.
3. Regulation.
4. Warranties, indemnification, and liabilities.
5. Security requirements for service providers.
Definition of a Money Transmitter
A money transmitter is any commercial enterprise engaged in the transfer and exchange of monetary instruments and currency. Often these non-depository entities are involved in the “money service business” and serve as third-party automated clearinghouse providers.47 In considering the security of the electronic payment system, regulators should recognize that a new paradigm for money movement has evolved in a sophisticated IT environment. The significant amount of money that flows around banks instead of through them has a significant impact on the global payment system, monetary policy, and economic forecasting.
Reporting Requirements
The failure to report security incidents, particularly in the financial services area, enables further engagement in unsafe and unsound activities and further losses to those who use such payment systems without check or prevention. One approach is to place an affirmative duty on executives48 to report incidents.
Regulatory Initiatives
Regulators should consider how broadly to extend supervision and enforcement over transmission vehicles. The primary reason cited by most people for refusing to use electronic transmission vehicles is fear that the information is not adequately protected. Proper protection could strengthen consumer confidence and market discipline, paving the way for greater use of electronic financial systems.
Indemnifications and Warranties
Financial institutions could require warranties and indemnifications from businesses that create software and hardware or supply it to financial services providers. They also could require the companies that provide these products to be liable if losses occur as a result of software or hardware “holes.” Entities providing services or products to the financial services industry could, perhaps, be held to a higher standard of care or required to explain up front that their product is not configured or otherwise appropriate for use in this sector. A variation on this solution is to require a disclaimer on hardware or software stating that it should not be used to create, move, or store confidential, privileged, or sensitive information and that if it is used for those purposes the manufacturer cannot be held liable.
Standards for Service Providers
Service providers to the financial services industry also could be held to a higher standard than those not interacting directly with that industry. Again, this effort would go a long way toward building trust and confidence.
46 The Council of Europe, Convention on Cybercrime, http://conventions.coe.int
47 These services may include money order issuance, wire transfers, currency exchange, and so on.
48 Particularly Chief Information Officers and Information Security Officers.
Pillar III: Supervision and Prevention Challenges
In addition to monitoring the payments system and supervising money transmitters, there would be a benefit to revisiting the regulatory, supervisory, and preventive approaches to ensuring security for financial services providers. This is particularly true for businesses that engage in electronic banking or provide other online financial services.
Capital Requirements
The new Basel guidelines for capital, especially those dealing with operational risk, do not address the problem of measuring either the risk to reputation or the strategic risk associated with electronic security breaches. Hence, there is a question of how best to measure a bank’s operational risks when the information about computer security incidents is not accurate and when defining reputation damage is difficult. Given the problems involved in measuring capital adequacy in cases of electronic security risk, one effective approach might be to use the examination process to identify and remedy electronic security breaches in coordination with better incentives for reporting such incidents.49 In addition, authorities could encourage or even require financial services providers to insure against some aspects of e-risks (e.g., denial of service, identity theft) that are not taken into account within the existing capital adequacy framework. As the private insurance industry becomes more active in this field, this approach may be feasible, subject to the overall soundness and health of the insurance industry and its structure in emerging markets.50
Downstream Liability
The legal or regulatory framework could create incentives for hosting companies, application service providers, and software, hardware, and e-security providers to be accountable to the financial services industry.
Supervision and Examination Processes
The Basel Committee on Banking Supervision’s Electronic Banking Group (EBG) was formed to make recommendations for needed additions, changes, or improvements in supervision and examination to accommodate the new technologies. In 2001 the EBG released Risk Management Principles for E-Banking, which includes specific principles calling for proper authorization and authentication measures, and internal controls and comprehensive security of e-banking assets and information. The areas of supervision and examination will undergo major reorientations over the next few years. Just as the security industry experienced a paradigm shift with the mass introduction and dependence on PCs and the Internet, so must bank supervision realize that the center of gravity in the financial services industry is changing.
Coordination of agencies within and across borders
One key issue facing most countries is the need to improve information exchange between regulatory and law enforcement agencies. Many countries have several agencies for gathering critical information, but often the data is not shared by these agencies or with the agencies of other nations (sometimes for legal reasons). The issue of information exchange between agencies in both domestic and international contexts is beyond the scope of this Handbook. However, as governments try to leverage scarce resources in order to regulate and battle crime in the electronic environment, information sharing and international cooperation are key issues.
49 See the discussion of Pillar VI in this executive summary.
50 In many emerging markets, the insurance industry itself may need to be restructured and made stable; however, cross-border provision of such coverage may be an option.
Pillar IV: The Role of Private Insurance as a Complementary Monitoring System
Financial supervisory agencies are still developing regulatory standards. Due to the difficulties inherent in monitoring complex transactions taking place over rapidly changing technological infrastructures, it is important to seek complementary private solutions to monitor risks. The insurance industry already is playing a role in this area despite the defects present in the information that is used to price e-risk coverage. Over the next few years, in the United States market alone, the growth in e-commerce liability insurance and e-risk coverage may total as much as $2.5 billion annually.
Still in its early development, insurance related to e-commerce liability and e-risk has problems in first- and third-party coverage. The pricing of cyber-risk insurance is also in need of further development, but to accomplish this, the insurance industry needs a better base of information on security breaches and associated risks. Current underwriting practices for this form of insurance have paid insufficient attention to the special risks that wireless technologies bring to the delivery of financial services. Insurance providers could require that explicit electronic security standards for wireless technology be identified and used to mitigate these risks before they underwrite e-risk policies.
The global insurance industry can serve as an important force for change in electronic security requirements. First, it can strive to improve the minimum standards for electronic security in the financial services industry. The global insurance industry could advocate the use of enhanced layered electronic security as a business prerequisite, for example. Second, insurance companies could require that financial services entities use vendors that meet certified, industry-accepted standards to provide electronic security services as a way of mitigating their risks of underwriting coverage. Third, insurance companies could encourage regulators to require that financial services entities provide and improve the quality of data and information on incidents so they can conduct better actuarial analysis on e-risks and return on investment. Finally, the industry could promote solutions that require e-security vendors and other e-enabling companies (hosting, etc.) to engage in risk sharing and to bear appropriate liability for security breaches.
Pillar V: Certification, Standards, and the Roles of the Public and Private Sectors
Both public and private entities should work cooperatively to develop standards and to harmonize certification schemes. Two categories that require particular attention in terms of certification deal with electronic security service providers and transaction elements.
One possible approach in securing e-finance would be for financial regulators to require licensing of vendors that directly affect the payment system. Another approach would be to require the industry to certify vendors that provide electronic security services. Recently the security industry has developed a Security Expert certification. By using a certification approach, the industry benefits by providing consumers with a recognizable structure, accountability between the industry and its experts, and a means of separating the approved expert from the self-proclaimed expert. It also elevates the field of security to a professional status and creates an incentive for the industry to raise and protect standards.
A second area to consider is the certification of transaction elements such as electronic signatures. Certification can add value to a transaction, depending on who or what provides the certification and on the elements that are being certified. Certification may be offered by a governmental entity, such as a post office, or a private entity, such as a bank. Each of these scenarios presents unique structural and governance issues. In many countries private companies (financial services providers or non-financial companies) may be better equipped to provide the information infrastructure required to act as certification agents or to provide cross-certification.
The essential element to a successful certification scheme is that certification structures located in different jurisdictions must provide the same attributes to the transaction consistently and that a certifier’s scope of authority and liability must remain uniform across jurisdictional borders.
Although the use of PKI technology and certification authorities is often touted as the only accepted means of ensuring security, it is necessary to consider the costs and the cumbersome structure associated with PKI, as well as the legal inconsistencies associated with certification authorities. The practical element is that the solution be applicable across borders in terms of scope and liability, no matter what technology is used to perform the function.
Pillar VI: Accuracy of Information on E-Security Incidents and Public-Private Sector Cooperation
The lack of accurate information on e-security incidents is the result of the lack of knowledge or motivation to capture the data, measure it, and share it. Electronic security would improve worldwide through the enhancement of national and cross-border arrangements to facilitate sharing by financial services providers of accurate information on denial-of-service intrusions, thefts, attempted fraud, and so on. Failure to share information not only limits awareness but, even more important, it can limit the development of private sector solutions (including insurance). This lack of information may even serve to increase the cost to companies and financial services providers of insuring against such risks.
Greater public-private sector cooperation is needed in this area. For example, BITS’ Security and Risk Assessment Steering Committee is addressing security, safety, and soundness in existing and emerging payments, electronic commerce, and related technologies through the establishment of a Financial Services Security Lab. This Lab facilitates information exchange on security issues in the financial services industry. Furthermore, the Internet Security Alliance, the Forum of Incident Response and Security Teams (FIRST, with 56 worldwide offices), and the Computer Emergency Response Teams set up in various countries have shown that cooperation results in greater information sharing among law enforcement and private providers of financial services. A common element in all these programs is a reliance on confidentiality and trust; as a condition of receiving accurate information, the law enforcement and academic entities do not divulge the identity of respondents. In this area, the role of multilateral agencies in facilitating cooperation deserves examination. It is axiomatic that the more “connected” the economy becomes, the more important it is for each element to bear its portion of the burden. Today’s financial services industry was founded as an integrated system. The technological changes of the past decade have expanded and heightened the interdependencies of that system.
Pillar VII: Education and Prevention of E-Security Incidents
Statistical analysis reveals that in many countries throughout the world, more than 50% of electronic security intrusions are carried out by insiders. An undereducated workforce is inherently more vulnerable to internal attack. By contrast, a well-educated workforce that is conscious of security issues can effectively add a layer of protection.
Educational initiatives could be targeted at financial services providers (both systems administrators and management), at various agencies involved in law enforcement and supervision, and at users of online financial services. Initiatives might include the following:
• improvement of awareness and education of financial sector participants about cyber ethics and appropriate user behavior on networked systems;
• creation of institution-wide e-security policies on appropriate behavior and the corresponding channels for reporting intrusions or incidents in close coordination with any effort to improve worldwide information on intrusions;
• development of awareness in the banking community in emerging markets about the need for “incident response plans” in case an incident transpires;
• facilitation of cooperation and transfer of know-how among law enforcement entities, financial intelligence units (FIUs), and supervisory agencies in developed and emerging markets via such devices as more active exchange programs between personnel;
• design of focused courses for examiners under the auspices of the Financial Stability Institute or other training centers; and
• development of a cross-border university outreach program to promote the training of future e-security professionals, while also improving the education of users of online financial services.
Pillar VIII: Layered Security
Twelve core layers of proper security are a fundamental component for maintaining the integrity of data and mitigating the risks associated with open architecture environments. The twelve-linked chain defines what security should be online. The network is only as secure as its weakest link. Details on the twelve layers of security are provided at the end of Part 3.
Provisos
Parts 3 and 4 of this Handbook cover a rapidly evolving area using a cross-disciplinary approach, integrating the economy, law, and technology as appropriate. Because of its rapid growth, e-security is often wrapped in myth. Most countries, including those that have greater experience dealing with it, still know little, and emerging markets know even less. The Handbook focuses relatively more attention on lessons learned in the United States because it is considered the birthplace of the Internet and has had a longer time to experience its benefits and pitfalls, as well as to create early standards.51 Just as important, the Handbook looks at the experiences and efforts of certain advanced economies in Europe, as well as of countries in Asia and South America. Clearly, however, there is much to be said about a) the specific problems of emerging markets in this area, and b) the areas of legislation and institutional arrangements that are required to improve electronic security worldwide. Without such efforts, the great potential offered by adopting electronic finance and commerce can be significantly compromised, because the trust and confidence of market participants will be detrimentally affected. The chapters to follow will offer:
a) methodologies of risk evaluation and loss analysis;
b) practical guidance on developing security policies and procedures that are appropriate for your organization;
c) general and specific advice for managers and employees on best practices in e-security; and
d) a series of checklists, with an array of comments from around the world on the topic of security in business operations, particularly with regard to the financial sector and e-commerce applications.
51 Historically, the Internet was derived from ARPANET, which was designed in 1969 by the Advanced Research Projects Agency, Department of Defense.