As a powerhouse of the financial services community, Fidelity Investments takes pride in its online products and services and its overall Web strategy. But for an institution serving over 16 million individuals with custodied assets in the $1.6 trillion range, Fidelity must also take great care when it comes to managing and mitigating the risks associated with its e-commerce activities. As financial services firms are coming to realize, the convenience and efficiency of online financial services bring risks of their own: threats to the security of systems and the confidentiality of customer information, denial-of-service attacks and intrusion attempts, to name just a few.
Jerry Archer, senior vice president of information security and technical risk in the personal investment and brokerage departments at Fidelity, is no stranger to these risks and describes a stringent policy of monitoring, assessing and testing to control them across Fidelity's various online services. First and foremost at Fidelity, says Archer, is the identification of customers and the subsequent authentication process, "to make sure that we're dealing with the customer that we think is our customer." He adds that customer identification, even at the earliest stages such as signing up new customer accounts, is vitally important and must satisfy regulatory requirements as well. Specifically, Archer adds, "we need to know our customer from the perspective of: are they suited to have brokerage accounts, margin accounts, options and so forth."
The evolution of strong firewalls and multiple levels of defense is also important for Fidelity. "Making sure that people such as criminals and fraudsters cannot get access to our systems or our accounts or in any way damage the firm's books and records or interfere with our customers doing business with us, is certainly paramount," continues Archer.
So how does Fidelity ensure that its online services are adequately protected and the risks addressed? "We constantly audit ourselves internally and bring in external vendors," says Archer. He adds that external firms are also brought in to do penetration testing and pinpoint possible weaknesses in Fidelity's defenses. In addition, Fidelity works closely with various federal agencies to identify different kinds of online threats.
Leo Clarke, principal of TechRiskLaw, a Washington-based consulting firm, agrees that constant monitoring of online risks is important. Clarke advises firms to use a matrix for evaluating their online risks. "On one side you have the risks you've identified and on the other you have the frequency," explains Clarke. "To estimate how often in the next year, for example, that risk could come to fruition: this would be the frequency." The last part of the matrix is the severity of the risk, or the range of loss each time the event happens. The matrix can also be broken down by risk area, with a separate matrix assembled for each specific issue and enough detail to drill down into each area.
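The following is an added illustration of the matrix Clarke describes, not code from the article or from TechRiskLaw. Each row is an identified risk with an estimated frequency for the coming year and a severity expressed as a range of loss per occurrence; multiplying the two gives an expected annual loss range, which is what lets rows be ranked and rolled up by risk area. The risk register and every dollar figure in it are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the matrix: an identified risk, how often it is expected
    to occur in the next year, and the range of loss per occurrence."""
    area: str              # risk area a separate sub-matrix drills down into
    name: str
    freq_per_year: float   # estimated occurrences in the next year
    loss_low: float        # severity range per occurrence, in dollars
    loss_high: float

    def expected_loss(self):
        """Expected annual loss as a (low, high) range: frequency x severity."""
        return (self.freq_per_year * self.loss_low,
                self.freq_per_year * self.loss_high)


def rank_risks(risks):
    """Order rows worst first by the upper bound of expected annual loss,
    breaking ties on the lower bound."""
    return sorted(risks, key=lambda r: r.expected_loss()[::-1], reverse=True)


def drill_down(risks):
    """Split the register into one ranked sub-matrix per risk area."""
    by_area = defaultdict(list)
    for r in risks:
        by_area[r.area].append(r)
    return {area: rank_risks(rows) for area, rows in by_area.items()}


def area_totals(risks):
    """Sum the expected-loss range of every row within each risk area."""
    totals = {}
    for area, rows in drill_down(risks).items():
        low = sum(r.expected_loss()[0] for r in rows)
        high = sum(r.expected_loss()[1] for r in rows)
        totals[area] = (low, high)
    return totals


def format_matrix(risks):
    """Render the ranked matrix as a plain-text table."""
    header = f"{'area':<16}{'risk':<42}{'freq/yr':>8}{'exp. low':>14}{'exp. high':>14}"
    lines = [header]
    for r in rank_risks(risks):
        low, high = r.expected_loss()
        lines.append(f"{r.area:<16}{r.name:<42}{r.freq_per_year:>8.1f}"
                     f"{low:>14,.0f}{high:>14,.0f}")
    return "\n".join(lines)


# Constructed sample register: the risks and figures are illustrative
# assumptions for this example, not data from Fidelity or the article.
SAMPLE_RISKS = [
    Risk("Availability", "Denial-of-service against trading site", 2.0, 50_000, 400_000),
    Risk("Confidentiality", "Customer data exposure", 0.1, 1_000_000, 20_000_000),
    Risk("Identity", "Account opened with fraudulent identity", 12.0, 5_000, 50_000),
    Risk("Identity", "Account takeover via stolen credentials", 24.0, 2_000, 25_000),
]


if __name__ == "__main__":
    print(format_matrix(SAMPLE_RISKS))
    for area, (low, high) in area_totals(SAMPLE_RISKS).items():
        print(f"{area}: ${low:,.0f} to ${high:,.0f} expected annual loss")
```

Ranking on the upper bound keeps a rare but catastrophic event (the data exposure row) at the top of the matrix even though its lower bound matches a frequent, cheap one; the per-area totals show that the two identity rows together outweigh availability once their frequency is taken into account, which is the kind of comparison the drill-down is meant to surface.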
Archer notes that Fidelity has "multiple teams to assess risk. We have an internal auditing group, which continuously audits our systems and our processes and those kinds of things, and we have a corporate security group that we engage on a regular basis to do security reviews with us. In addition we have external auditors and consulting organizations to both audit and do security reviews." Finally, Fidelity also brings in "specialty organizations," as Archer puts it, or experts, for the penetration testing. These organizations attempt to get through the firewalls and other defenses, as well as look at vulnerabilities from the inside.
Apart from the overall monitoring and assessments, Fidelity also has specialized processes for the identification and authentication of its customers. The customers are identified both online and offline, with credit checks and "the normal course of looking to make sure that the facts a customer portrays in an application for, say, a brokerage account are consistent," explains Archer. In the future, Fidelity is also looking to tap the services of a third-party identification services provider. But the identification and monitoring don't stop there. "Once the customers have become part of the regular Fidelity customer set, we monitor their activities on an ongoing basis," Archer says.
Once a financial firm has identified and assessed its e-commerce risk areas, then comes risk mitigation or transfer. The firm must decide whether a given risk is one it takes on deliberately, simply a cost of doing business, or a source of potential losses that contributes nothing to the firm's revenue. The firm must then decide whether to eliminate the risk, purchase insurance to cover it, or transfer it in some other way.
Ty Sagalow, executive vice president and chief operating officer at AIG e business solutions, an insurance provider for e-business risks, says that financial services firms are especially susceptible to e-commerce risk. He says that the liability arising from the amount of money they handle, as well as the personal and confidential customer information safeguarded on the firm's networks on behalf of clients, makes financial firms vulnerable in many ways. He advises that financial services firms undergo overall security assessments on an annual basis, in addition to constant monitoring of systems. Sagalow says his group sells insurance policies covering e-commerce risk to various types of businesses, including several financial services firms, although he would not disclose any clients. Depending on the size of the firm, Sagalow says clients can purchase policies from $500,000 up to as much as $25 million to cover potential financial losses from e-commerce activities.
While Fidelity's Archer is familiar with these types of insurance policies against e-commerce risk, he says that firms of Fidelity's size basically have to be "self insured." "The fundamental fabric of a financial services organization is the trust of its customers," says Archer. "So it behooves us to spend a great deal of money, effort, time and resources in making sure that we mitigate the risk totally and that we retain the trust of our customers." Archer adds that Fidelity also addresses the physical risks of its technology initiatives with redundancy both vertically and horizontally. "There is no single point of failure, we have a very strong disaster recovery capability and there is business recovery should multiple sites get hit at the same time," says Archer.
Archer emphasizes that the trust of the customer is the most important reason for mitigating e-commerce risks, making sure they are satisfied and comfortable with conducting transactions online. "For us, being safe, sound and secure are the three most important things that we can do for our customers to create the trust that comes back to us and propels us forward as a business," Archer declares.