The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
Early this year, I caught up with Steve Katz, the dean of banking CSOs (see Stephen Katz on Top InfoSec Issues of 2008), and he had some interesting insights on the year's top challenges for banking institutions.
The Identity Theft Red Flags rule quickly comes to mind. With institutions facing a Nov. 1 deadline to be compliant with this new mandate, how can it not be top-of-mind?
"Boards of directors are required to get involved in and understand and approve the identity theft management procedures and programs," Katz said. "You now have board involvement. Throw in a tremendous amount of involvement to get it right, and there are very few people I have spoken to recently that are talking about the Red Flags Act ... it is in effect now, and [we] don't know how many folks have put together an adequate program that [now] must have board approval."
So, reflecting on what Katz said, and thinking about the regulatory challenges that institutions face this year, I got to wondering:
What's your biggest regulatory hurdle of the year? Is it Red Flags, which requires you to document your identity theft prevention program and provide new levels of training to employees and customers alike? The clock is ticking with less than four months to go before Nov. 1.
Is it Pandemic Preparation, which now puts new demands on those business continuity/disaster recovery plans, which probably weren't adequately documented, communicated and tested to begin with ...
Or is it Vendor Management, which all of the major regulatory agencies have rallied behind as a focus for risk management and incident response activities this year? Recent bulletins from the regulatory agencies indicate that examiners perhaps aren't seeing the progress they'd like to see from institutions in this area.
Then again, perhaps your regulatory priority is something else altogether.
Love to hear from you - not just on what your main focus is this year, but what kind of progress you've made. Share your thoughts here, please. You may have words of wisdom for a banking/security leader who needs them, or you may inspire one of them to divulge the secret you've been seeking.
How many more shopping days 'til Red Flags compliance? Too few. Start sharing insights now!