Financial firms are joining forces to mitigate security, privacy risks

OCTOBER 20, 2003 (COMPUTERWORLD) by Patrick Thibodeau and Lucas Mearian

Some of the largest financial services firms in the country are banding together to develop a set of best practices for moving their real-time IT processes offshore.

These companies, in a sector that’s collectively an aggressive user of low-cost offshore IT services, aim to reduce the risk of shifting live operations, including production application support, to India and other countries.

Offshore development has traditionally focused on application development and maintenance—coding work that doesn’t involve access to live production systems or data. But IT shops will take more of their core operations offshore if management of security, privacy and other risks can be adequately addressed.

Once companies start managing their production applications offshore, foreign-based providers will theoretically have access to live data, said Jim Salters, director of technology initiatives and project development at the New York-based Financial Services Technology Consortium, or FSTC, which is developing the best practices. There is “an increasing scale of risk and reward in the kinds of functions you take offshore,” Salters said.

The reward is potentially lower costs. U.S. companies have been racing to use offshore services, and market research firms such as Gartner Inc. are predicting an acceleration of the rush. By the end of next year, Gartner expects that one out of every 20 IT jobs at user companies will have moved offshore.

“The floodgates have just opened,” said Kumar Mahadeva, CEO of Cognizant Technology Solutions US Corp., a Teaneck, N.J.-based offshore services provider. “At this point, we got into a situation where the industry as a whole is almost constrained by how fast it can grow,” he added.

Offshore outsourcing of production support and other IT infrastructure operations is a niche activity today. But analysts at Meta Group Inc. predict that in the next several years, as much as 40% of production support may be managed offshore.

Two months ago, the members of the FSTC—a who’s who of financial services companies, including J.P. Morgan Chase & Co., Bank of America Corp., Citigroup Inc. and Wells Fargo & Co.—met to discuss how they could reduce offshore risks.

Work is under way to examine offshore security, privacy, business continuity and contract-cancellation issues associated with offshore management of onshore applications. The goal is to complete a best-practices report by the end of the year.

The FSTC will also work with vendors and financial services groups such as the financial industry consortium BITS in Washington. BITS recently updated two outsourcing guideline documents to include overseas production support.

The BITS reports offer guidelines for complying with regulations. The second of the two documents, available for public comment through Oct. 28, suggests guidelines for security audits, vendor management and cross-border relationships.

“What we were looking to do for our members is develop risk mitigation tools that the industry can use to identify and understand the controls service providers are using ... around things like access [and] communications,” said Faith Boettger, the senior consultant in charge of the BITS initiative.

The FSTC seems to be taking a more tactical approach. For instance, it will look at data-masking technologies and offer guidelines on technology features. IT vendors are looking for technology guidance from the group, said Salters.

By participating in this effort, companies may be sharing competitive information. But Salters said that if any firm makes a mistake in managing offshore operations, there could be ramifications from lawmakers and regulators for everyone in the industry. “It’s really not considered a proprietary issue at this point,” he said.