US community bank association ICBA is backing efforts by Washington-based banking industry consortium Bits to force software vendors to provide a higher "duty of care" on sales to the financial services sector, with Microsoft a prime target for reform.
Bits' efforts to close vulnerabilities in bank IT infrastructure are codified in a set of 'Business Requirements' that call upon the software industry to make security a fundamental component of software design; to support older versions of software (such as Microsoft Windows NT) beyond the end of their estimated life cycle; and to place better security-trained and security-certified developers on product teams.
In addition, the Business Requirements encourage software vendors to comply with sector security requirements before products are released, and to develop a patch-management process that is more secure, more efficient and less costly for the institutions that have to apply the patches.
According to Bits, the cost of software vulnerabilities and patch management to the financial services industry is approaching $1 billion annually.
Speaking at an invitation-only cyber-security summit last month, Bits CEO Catherine Allen noted: "Financial institutions are ultimately responsible for ensuring the safety and soundness of financial services. We are working with vendors to see that the products offered to our members are safe and reliable, and will not burden companies with applying costly fixes."
The initiative has been welcomed by ICBA vice chair and Bits representative David Hayes: "The cost of addressing these issues is just as material for smaller banks as larger banks. Improving the security of the financial services sector's critical infrastructure is an issue of paramount importance to community banks and their customers."
According to the 2002 ICBA/InFinet Community Bank Technology Survey, approximately 59% of the respondents use Microsoft Windows NT. "Given this market penetration, it will be extremely onerous and costly for community bank users to prematurely migrate to successor applications due to a lack of product support," says Hayes.