If ever banking needed strong leaders, it's now. The industry has been forced to face the undeniable truth that its own innovative ways to extend more credit and make more money - and consumers' and investors' willingness to follow blindly into that breach - have brought the global economy to the brink. The guidance out of this catastrophe is coming from the Federal government, and the industry can only follow.
But there are two lesser, though still pivotal, moments facing financial services in which bank CEOs and CIOs can flex their leadership muscles and improve not only risk practices but reputations. The first relates to the Heartland Payment Systems data breach, in which only God and the hackers seem to know how many accounts were compromised by a sniffer picking up data as it passed through Heartland's system unencrypted. Heartland CEO Bob Carr has called for the payments industry to finally solve the problem by encrypting card data from the point of sale until it reaches the card associations and back again. Plenty of products exist to make this happen; all it would take is Mastercard, Visa, American Express and Discover and the top issuing banks to step up and say, "do this" - either via the PCI Security Standards Council or through their own mandate and investment.
Pushing for industry change and massive investment at a time when many banks are in the red and card issuers are watching their default rates soar is difficult. But almost no risk management project is going unfunded these days, and end-to-end encryption sells itself in this light: Ponemon Institute's latest research estimates it costs $202 per record to recover from a breach, and on top of that more must be invested in PCI compliance, which is obviously hard to maintain. The de facto authority on breaches, Gartner VP Avivah Litan, says surely end-to-end encryption would be cheaper.
Yet Carr's call has been answered by little besides its own echo. Not a single processor or issuer has openly embraced the call to action. Mastercard, Discover and American Express wouldn't comment on the issue. Visa did, but took cover behind PCI and the expense processors would incur to implement encryption. Encryption's no silver bullet, but how many more Heartlands, Hannafords, TJXs and CardSystems must the industry - and consumers - endure before the five or ten executives with the power to fix this problem make it happen?
And one more thing. There's a similar opportunity for leadership, and the ability to effect industry-wide change, coming out of IBM's Data Security Council. The group is calling for the creation of an XBRL-based risk taxonomy that would allow institutions to report loss events in a standard way, building a massive history of events so regulators, and banks, could get a bead on global trends. It's a good idea that puts the industry ahead of regulators; banks should get on board.