
IT Compliance Institute, October 27, 2004:

Trends and Technologies

Banks Face New Instant-Messaging Rules

The FDIC's latest advisory can have a direct impact on your compliance efforts.

By Mathew Schwartz

This summer, the Federal Deposit Insurance Corp. (FDIC) issued guidance to the 5,300 banks and savings banks it regulates. The target: instant messaging (IM) security. In particular, the FDIC noted “the use of public IM may expose financial institutions to security, privacy, and legal liability risks.” Since IM use—whether approved or not—exists in many organizations, the FDIC articulated the need for “an effective management program” for all its banks. In other words, get the board of directors involved.

To discuss the FDIC guidance, how it differs from current Securities and Exchange Commission (SEC) and National Association of Securities Dealers Inc. (NASD) requirements, and what organizations need to do, ComplianceNOW spoke with Jonathan Christensen, chief technology officer and vice president of products at Facetime, an IM security vendor.

Why did the FDIC release this guidance, and why now?

What you saw here was some people within the consumer protection group—specifically within the FDIC’s domain leadership expertise team, specifically within computer security—looking at changes in instant messaging usage and adoption across the industry, and coming to the conclusion that instant messaging and file-sharing networks pose very serious risks for consumers, as customers of [FDIC] member companies …

Then they went on to talk about the things their member companies should be doing to respond: first, to establish clearer policies and guidelines, then second, to look at the best-practices security measures you have to take.

There are 5,300 companies that are covered by this so … this is a good wake-up call.

Does the guidance get into technology specifics?

There is something a little contradictory in the advisory. Early on they tell companies they should do things with their firewalls to make sure instant messaging is blocked, then later in the document, in a [technical section], they actually say firewalls don’t work … [since] instant messaging applications … use port crawling and port agility … [Also,] they don’t talk about peer-to-peer (P2P) software, but they do talk about file-sharing networks.

How does the FDIC’s new guidance differ from other financial regulatory requirements?

The thing that’s different about this FDIC thing versus NASD and SEC last year was they were talking about records requirements … and essentially creating a paper trail. What the FDIC is talking about is creating best practices for consumer protection, and they expand the books and records requirements … [to encompass] identity hijacking, trojans, worms … So it’s much broader, and also much deeper and more prescriptive, than previous guidances from supervisory agencies.

Will many banks need to change to meet the guidance, or are they already compliant?

When we talk to customers, the thing we notice is, they’ll talk slowly—“We’d like records keeping but … it’s better if we don’t know about those security problems, because we don’t have the budget to deal with this.” But guidance such as this says … you need to deal with this.

Don’t most regulations today specifically prohibit “we didn’t know” excuses?

Analysts estimate that there are anywhere between 25 million and 50 million active instant messaging business users in North America, so … saying we didn’t know it was happening? We’re way past that point. This is now a mainstream desktop application. It’s now being used by every industry in every size company … [Also,] instant messaging capability ships as part of a normal operating system now—Linux, Mac, or Windows.

What exactly does an FDIC guidance mean?

I think the process looks like this: they give a guidance, and essentially what they expect is [that] if they do a review of a member company’s security plan, this guidance should be covered. If they say, “Where’s your section on this?” and if you shrug your shoulders and say “I’m not doing anything,” they say, “See the guidance we sent?”

Then … unpleasantness?

Right. And it remains to be seen how much enforcement there will be. But if there’s an incident in one of the FDIC companies, and it’s very clear that viruses or HR violations … caused an information security problem, then it will be very difficult for that entity to say, “Oh we really didn’t know anything about this.” I think that’s really the purpose of the guidance. Then we’ll see what there is in terms of enforcement.

Are organizations facing regulatory requirements starting to understand IM dangers?

We’ve [already] seen a very high draw [from] compliance-conscious organizations, in terms of covering the user population of institutional traders. You’ve got a tool now that allows an institutional trader to multitask with multiple, simultaneous conversations, to transact a deal in real time, and that’s an incredibly powerful tool for that person. But the mechanics of that deal, they need to be able to reconstruct that. If there’s an audit, they need to show how that deal was put together. Rather than give up the tool, they look to … an auditing solution that gets them back into compliance.

Beyond IM monitoring and blocking, the report discusses file-sharing networks; can Facetime products block P2P?

Yes. We have essentially two components in our architecture … A product that sits on the LAN [which] is a policy server and also a place where you can keep books and records and auditing, and policy [enforcement]. [That] also has antivirus scanning, which is very [useful for] instant messaging and file-transferring networks. Then there’s … a hardened appliance which gets deployed in the perimeter … [It’s] a very targeted, intrusion prevention system … [with] blocking. Or it can selectively allow the instant messaging that a company wants available to its constituents. [For example] you may say that you want to block everyone but AOL IM, and you only want 500 users out of 10,000 to use it, because they’ve made a business case for it, and you want it audited, and with antivirus on top of that …

So does the FDIC guidance go far enough?

What we’d like is more clarity, as in, what are the requirements? I’ll give you an example. There are some people who think a best effort to get an audit trail is good enough. But if it’s trivial for non-sophisticated users to circumvent that mechanism, and thereby not be audited, is that good enough?

FDIC’s Guidance on Instant Messaging can be found at:
http://www.fdic.gov/news/news/financial/2004/fil8404a.html

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.

This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.