June 21, 2001

Good morning, Mr. Chairman, and other members of the Joint Economic Committee. I am Peggy Lipps, Senior Director of Security and Risk Assessment Initiatives for BITS, the Technology Group for The Financial Services Roundtable. I am here to present testimony on behalf of Catherine Allen, CEO of BITS, who regrets not being able to be here in person. BITS was established in late 1996 to focus on critical issues at the interface of technology, commerce and financial services. BITS is a not-for-profit industry consortium and a sister organization to The Financial Services Roundtable. BITS and the Roundtable's membership is currently open to the largest integrated financial services companies in the US. These include such diverse organizations as Citigroup, Bank of America, J.P. Morgan Chase & Co., Wells Fargo & Co., Capital One, Chubb, Prudential, State Farm, Raymond James and Goidman Sachs. BITS is not a lobbying organization; instead, we serve as a business and technology strategy consortium.

The BITS Board of Directors is chaired by James H. Blanchard, Chairman and CEO of Synovus Financial Corp. The BITS Board is composed of the Chairmen or CEOs of 20 of the largest integrated financial services companies in the US, representing the banking, insurance and securities industries. Representatives of the American Bankers Association and the Independent Community Bankers of America also sit on the Board, assuring representation of financial institutions of all sizes. The heads of information security for 50 of our member institutions serve as the members of the BITS Security and Risk Assessment Steering Committee.

Thank you for the invitation to appear before the Joint Economic Committee today. We would also like to acknowledge Senator Bennett personally. The Senator has met with BITS on the topic of security and risk management and was a keynote speaker, along with former Senator Sam Nunn, at the launch of the BITS Financial Services Security Lab.

I would like to discuss with you today these three major topics:

The financial services sector has long been a leader in security assurance. Vigilance and the dedication of enormous resources over time have allowed us to develop a wealth of expertise, experience and talent to address issues of security, risk management and protection against crimes such as fraud.

Online delivery of financial services depends on large and complex public as well as private networks— security must be built into every part of the system. The shift to electronic, and increasingly mobile, commerce extends the need for security all the way to the individual customer and to the implementing networks, servers, software and devices. Our industry is focused on protection of the integrity of the infrastructure for physical, as well as electronic, delivery of financial services and has taken steps to assure that the global architecture for financial transactions is as safe, secure and sound as possible. Our efforts and actions serve the entire e-commerce environment.

The financial services mdustly is dependent on the other core infrastructures— electric power, telecommunications, transportation— and they depend on financial services for their core operations. This interdependency is a key concern of both the private sector and the federal government, and the main reason Presidential Decision Directive 63 recommended a public-private partnership to address the issue.

The key to ensuring security for all participants in e-commerce is strong cross-sector involvement. No one sector can address these issues alone. Neither can the government. Models can be developed, and are being developed within the financial services sector, to assist all sectors in working cooperatively to ensure the safety, soundness and security of the infrastructures that collectively support our national economy. Appropriate cross-sector actions include interdependency vulnerability analysis, information sharing, awareness building, identification of research and development gaps, and contributions to the development of an informed and integrated national plan that both industry and government can use as a business case for action.

Inclusion: We involve all stakeholders in the process. This means including government agencies, regulators, and vendors in our security-related initiatives and Working Groups. We work closely with other industry groups on security-related issues. We have a strong relationship with financial institutions of all sizes, in part as a result the active participation of the Independent Community Bankers of America, American Bankers Association, America's Community Bankers and CUNA in BITS' Working Groups.

Education: We make sure that stakeholders are working from the same basis of knowledge. We serve in an educational role for our members, representatives of regulatory agencies, Members of Congress, industry participants, and consumers about risk issues and how to make the e-commerce and mobile commerce environments more safe and secure.

Proactive Efforts: We address the vulnerabilities involved with the financial services sector's infrastructure— including technology, processes, people and insurance— through appropriate industry-driven efforts such as establishing self-regulatory guidelines and testing products against security criteria.

Some examples of efforts to create and build a strong public/private sector partnership include:

BITS uses a risk management model focused on technology, processes and people to drive our security and infrastructure protection initiatives.

Technology— Our goal is to ensure that technology products developed for our industry incorporate features and functionality that comply with meaningful security criteria required for financial services. Vendors do not always include security protections because of the associated costs, time to develop new versions of products or lack of understanding of the risks to financial institutions. BITS takes a market-driven approach to influencing vendors and the product development process. Some examples of those efforts include the following.

Processes— As important as the technologies we use, the processes we implement create the critical infrastructure in which we operate. Processes are more difficult to test but, using self-regulatory guidelines and best practices, we can dramatically enhance the security of the infrastructure. Examples of how the industry has addressed security processes include the following.

People— People we employ, vendors we use, customers we serve and the agencies that regulate us have an impact on the level of security of the financial services industry's infrastructure. Through research and educational programs, often conducted in concert with organizations such as BAI, ECCHO, the American Bankers Association, the Independent Community Bankers of America and other industry groups, we are ensuring that the knowledge and skills, necessary to work as informed partners with the financial services industry, are provided to address security and risk management issues. We have participated in educational programs sponsored by, or developed for, federal agencies such as the OTS, OCC, Federal Reserve Board and the US Patent and Trademark Office. We speak at more than 100 industry events each year.

Insurance— Even with the best of processes and products, no system will be 100% secure. There will be gaps. Increased concerns over security-vulnerabilities— and the complexity of identifying and quantifying vulnerabilities from e-commerce related activities— are driving a need to review the role of insurance. This is both as a solution within an organization's overall risk management strategy and as an incentive to raise the level and quality of security within the interdependent critical infrastructure networks. BITS has organized an initiative to help define and fill the gaps and we have been working with the Critical Infrastructure Assurance Office (CIAO) to address the role of public and private sector involvement.


As we work within our industry sector, .and with other sectors, we have encountered some obstacles to cross-sector cooperation that we would like to bring to your attention. We believe we can overcome most of these, but some may require assistance from Members of Congress.

We propose that you and other Members of Congress consider the following recommendations in approaching this critical issue of infrastructure protection:

Mr. Chairman and Members of the Committee, I have given you our perspective about how serious the issue of critical infrastructure protection is to the financial services industry, the leadership that BITS, the PCIS and other members of the financial and security communities have taken; and some recommendations about ways Congress might approach this issue. We believe that the strong public/private sector partnership that is emerging is the right approach. We will work with your Committee and other Members of Congress to suggest more specifically where laws and regulations need to be aligned, where regulations should be applicable in order to have all players adhere to security and risk management priilciples, and where further education and understanding are needed.

I want to acknowledge the cooperation and assistance of the PCIS in preparing this testimony.

Thank you for this opportunity to testify. I am happy to answer any questions you may have and we would be pleased to meet with the Committee staff or any Members personally to discuss aspects of the testimony in greater detail.


Catherine A. Alien, CEO
Peggy Lipps, Senior Director
The Financial Services Roundtable
805 15fh Street NW, Suite 600
Washington DC 20005
(202) 289-4322 Phone
(202) 289-0193 Fax
www.bitsinfo. org


While new technologies create new opportunities, they also open the door to new kinds of attacks, new threats, and new vulnerabilities. Approximately 100 types of new vulnerabilities are added monthly to Mitre's Common Vulnerabilities and Exposures (CVE) list. Attacks include cyber-extortion of stolen data, mass theft of credit card information, automated denial of service, and cases of organized hacker groups acting collaboratively to target US e-finance and e-commerce sites. All these risks have the potential to negatively affect the economy, our nation's security, and certainly consumer confidence.

The Computer Security Institute (CSI) reported in March 2001 the results of its sixth annual "Computer Crime and Security Survey." The survey confirms that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting. The most serious financial losses occurred through theft of proprietary information and financial fraud. Losses from viruses, insider abuse of network access, and system penetration by outsiders were also substantial. According to the Survey:

As a result of such attacks, the security products and services marketplace is predicted to grow at a rate of 28% every year through 2005. Spending on security among the largest 2500 global US-based firms will increase by 55% in the next two years.