Sources say financial-industry regulators are concerned with all third-party outsourcing arrangements, period. In 2002, the Office of the Comptroller of the Currency issued risk-management guidance for banks that use foreign-based third-party service providers. Though there hasn't been any specific regulatory action from the securities-industry regulators, Sarbanes-Oxley does require CEOs and CFOs to certify the integrity of their financial data, and even security officers and CIOs may be asked to be signatories. "The intense focus on data security and who's accessing what information has made this a board-level issue and not just a CIO issue," says John Plansky, the Boston-based chief executive of securities solutions for offshore service provider Wipro Technologies.
To limit exposure, the projects securities firms are sending offshore are mainly related to application development; rarely are live applications hosted on third-party service providers' networks. Firms are keeping their data servers in the U.S., not in India. And when it comes to testing applications in the production environment, they are not sending real data - names, addresses and Social Security numbers are fake. "Any time any data is shipped to India for testing, it is all mock data - no real clients, no real positions," says Charles Cortese, managing director in the technology department at Lehman Brothers, which outsourced application development projects to Wipro Technologies and TCS last year.
Jonathan Gossels, president of SystemsEXPERTS Corporation, a security and network management consultancy based in Sudbury, Mass., warns that a number of things can go wrong when outsourcing application development. One of the dangers is that a programmer could insert hidden code through a back door, he explains. That could allow someone to access it at a later date and gain control over the application itself or over the data that the application interacts with, Gossels adds.
"What's scary about that is, in many circumstances, it's undetectable," he adds. "So the danger is real, [but] the solution is not to stop outsourcing, because the economics are driving firms to do it," says Gossels. When it's snowing, the airlines don't stop flying, he suggests. They fly the planes further apart or they de-ice the wings. For the financial-services industry, the solution is to put in place what the Street calls "compensating controls," explains Gossels. This refers to the money that financial firms are going to have to spend, and the processes and the tools they'll need to implement "to make sure that when the software comes back in-house, it only does what it's supposed to do," says Gossels.

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology.