A group of tech-minded U.S. financial services firms says it’s time for software vendors to own up to their responsibilities, and start building applications that aren’t so vulnerable to viruses, and are easier to maintain. Canadian companies seem to be on board with the strategy, although one industry group hasn’t yet formulated a plan to move it forward.
Earlier this year BITS (formerly known as the Banking Industry Technology Secretariat) and the Financial Services Roundtable, both of the U.S., released a joint policy statement calling on software vendors to improve their wares. The groups said software companies should ensure their products are secure and easy to patch.
“Rising concerns with respect to viruses, worms and vulnerabilities in software code led our CIOs and CEOs…to focus much more energy on this problem,” said John Carlson, senior director of BITS, a non-profit consortium of financial firms focused on technology. “It doesn’t seem to be going away. It keeps getting worse.”
BITS works with the Canadian Bankers Association (CBA). A CBA spokesperson said the organization is aware of the BITS proposal for beefed-up software, but the Canadian group is still collecting information to create consensus among its members.
According to BITS, software vendors should:
• verify that their products meet financial services security requirements before the products are sold,
• develop patch-management processes that minimize costs, complexity and downtime,
• and continue patch-support for older, still-viable software versions.
“We are definitely seeing some positive results,” Carlson said. “We’ve invited many of the major software vendors to participate in a number of our meetings and conference calls, in which they discuss their efforts to raise the bar on their end.”
According to Ann Patterson, a BITS director in charge of the group’s product certification program, BITS has been working with Microsoft lately to help move the easy-patch-management and less-vulnerable software agenda forward with that company.
“We have very closely come to an agreement where we said, ‘Let’s just quit getting on each other’s back about it. Let’s collaborate, get something positive,’” Patterson said of BITS’ work with Microsoft.
In the summer BITS and Microsoft announced special support for Microsoft’s Windows NT 4.0 operating system, “to provide financial institutions…security updates for an extended period during which they will migrate their systems to more recent versions of Windows,” reads a statement from the two organizations.
“Microsoft’s alliance with BITS simply indicates the importance of partnership and collaboration to improve security for customers,” said Gytis Barzdukas, director of product management in Microsoft’s security business and technology unit.
Robert Garigue, chief information security officer and vice-president of BMO Financial Group, said the BITS policy statement is part of a larger debate regarding software robustness, especially as financial institutions face increasingly hefty regulations for data protection and customer privacy. He pointed out that solid software is important as financial firms rely ever more heavily on technology.
According to Jack Sebbag, Canadian general manager of McAfee Inc., an antivirus software vendor, in the first seven months of 2004 there were 39 “medium” and “high risk” viruses at large that financial services companies would have to guard against. By comparison there were just 29 such viruses in 2002 and 2003 combined.