Topic: Safeguarding Data in IT Offshoring
Wipro Technologies
IT Services - Information Risk Management
IT Infrastructure - Network Security Solutions
Activity:
3 comments
246 views
last activity : 02 09 2011 12:51:22 +0000
When financial services executives and chief information officers sit down to discuss the topic of offshore outsourcing, the emotionally charged debate often centers on sending high-skilled IT jobs to low-wage countries such as India, China and Russia. But the second issue being discussed is security - data-security risks and privacy concerns, and how these issues can be mitigated.
The financial industry is used to taking precautions to mitigate the risk of hackers and intruders stealing data and unauthorized personnel viewing sensitive data within corporate headquarters. But when applications are developed overseas and code is developed through interfaces with the host company's network, Wall Street firms have less control of their data and, to a large extent, are relying on another company's security measures and data-access policies.
The most obvious risks revolve around the access, storage and transfer of data. And compliance with regulations and U.S. privacy laws - such as Gramm-Leach-Bliley, which requires financial-services companies to protect the privacy of customer data and prohibits them from sharing it with other entities without permission - is driving firms' efforts to secure their data.
But is offshore outsourcing any more prone to data-security risks than domestic outsourcing? Are the fears over data security being overblown by the media because of the political backlash against lost jobs?
Sources say financial-industry regulators are concerned with all third-party outsourcing arrangements, period. Though there hasn't been any specific regulatory action from the securities-industry regulators, Sarbanes-Oxley does require CEOs and CFOs to certify the integrity of their financial data, and even security officers and CIOs may be asked to be signatories. The intense focus on data security and who's accessing what information has made this a board-level issue and not just a CIO issue.
To limit exposure, the projects securities firms are sending offshore are mainly related to application development; rarely are live applications hosted on third-party service providers' networks. Firms are keeping their data servers in the U.S., not in India. And when it comes to testing applications in the production environment, they are not sending real data - names, addresses and Social Security numbers are fake. Any time any data is shipped to India for testing, it is all mock data - no real clients, no real positions.
Data-security concerns aren't limited to application-development projects. Since the large Indian offshore-outsourcing companies have expertise in the financial markets and may be running hundreds of applications for numerous financial firms, another concern is that an employee could be paid to show a firm's data to its competitors. Many sources, however, claim the risks of outsourcing to an offshore third party are no different than those a firm faces when it outsources development to a U.S.-based third party or a consultant like IBM or EDS.
It's the company's responsibility to make sure the environment is secured. It's no different than the environment we secure today as part of our business.
