SAMIR KAPURIA
‘Tight timescales’

Cambridge-based digital security consulting firm @stake Inc. has launched its Basel II Information Security model to help international banks, around the nation and worldwide, comply with the Basel II Capital Accord.

The model is a 5-by-5 blueprint used for identifying, assessing and managing digital risk to assist international banks in assuring consumers and the government that business systems are secure, connected and available as they prepare to meet the requirements of the Basel II Capital Accord by the 2006 deadline.

With the recent announcement that conformance to the Basel II Capital Accord must be achieved by 2006, the banking industry now has a defined timeline for regulatory compliance. Samir Kapuria, director of strategic solutions for @stake, said that compliance is not unlike what banks faced for Y2K.

As with the Y2K challenge, banks have been given a calendar goal as a target for adherence. However, unlike Y2K, compliance is mandatory if institutions are to continue trading, according to Kapuria.

“Where Y2K was a surge of [information technology] activity oriented around ensuring information system availability, Basel II’s operational risk requirements have to include not just information availability but also confidentiality and integrity,” he said.

The Basel II Capital Accord is an amended regulatory framework developed by the Bank of International Settlements requiring all internationally active banks, at every tier within the banking economy, to adopt similar or consistent risk-management practices for tracking and publicly reporting exposure to operational, credit and market risks. As a result, banks need to plan, implement and maintain a comprehensive program of risk prevention, detection, analysis and management.

Chance and Choice

“We serve many large financial institutions within our client base and some of the challenges and feedback that our clients have relayed to us led to the development of the 5-by-5 matrix … and the themes from financial institutes for compliance. There needs to be a balance between measuring risk and preventing risk,” said Kapuria.

According to Kapuria, the greatest challenge banks face is defining how to quantify and measure risk, which he has segmented into two areas: chance risk and choice risk.

Banks find it challenging to address both chance risk (for example, dialing out for Internet service and being unexpectedly infected by a virus through the dial-up connection) and choice risk (in which a financial institution is specifically targeted by a malicious person or hacker), and they require a systems platform to help define these elements, said Kapuria.

“It’s these sorts of influences that make measuring risk a challenge,” Kapuria said. “There are new types of emerging risks, and 10 years ago viruses and worms were not as big a topic as today. We have to create a platform to allow for easy adoption and acclimation to new types of risk.”

With that, @stake developed a 5-by-5 matrix that banks can use to identify core targets of risk and technology issues in an effort to adhere to Basel II compliance requirements.

“The key task is to be able to move toward compliance in what are now very tight timescales,” added Kapuria.

In order to prepare for digital information security conformance, @stake has prepared the 5-by-5 “blueprint” for achieving a successful compliance implementation once the requirements presented by Basel II are clearly understood by the institution.

Identification, assessment, development, compartmentalization and management make up the five aspects of the blueprint for banks.

Kapuria said it is important for banks to understand the scope of corporate compliance and risk management and identify critical technology infrastructure that enables corporate operations and operational risk, for instance, third-party relationships, technology and digital assets.

Banks also need to assess legal requirements, business requirements, operational capabilities, risk tolerances and threats and vulnerabilities in the existing infrastructure technology environment.

In defining compliance capabilities for Basel II, Kapuria said banks need to rank business functions and requirements based on information type, reliance and criticality.

“Identify short-term and long-term goals, based on prioritization results,” he said. “Highlight areas that have high levels of risk and are critical to the corporate operations – identify these as urgent and address them first.”

Finally, banks need to conduct regular reviews of operational risk management, for instance, change management or management processes, said Kapuria.

“When it comes to preventing risk, I see a lot of banks investing in IT security spending in order to have a diligent process set up, but there is a huge wave of consolidation of the industry and complexity with that,” said Kapuria. “Many facets influence an industry’s digital risk management needs. Considerations of the commercial environment, intellectual property protection, data privacy and reputation preservation are several elements that determine the extent and type of risk associated with a particular corporate profile. In the financial services market all of these elements and more are critical, which has led to a relatively mature understanding of the need for effective risk management within the sector. The processes and outcomes to achieve compliance to the Basel II Accord will undoubtedly act as a framework for risk management in other industries.”

Based in Cambridge, @stake also has offices in New York, San Francisco and Seattle, as well as a new location in Chicago. Kapuria said the company also has opened offices in the United Kingdom.

“Analysts will say what they will,” said Kapuria. “But we are the large pure-play digital security consultant, and we are expanding.”

Local Consulting Firm Stakes Reputation on Security Model

by Banker & Tradesman