by CSO Staff

Steve Katz on Basel II: You Can Bank on It

Feature
Mar 01, 2003 | 3 mins
Compliance | CSO and CISO | Data and Information Security

The New Basel Capital Accord (also referred to as Basel II) sets minimum capital requirements, refines an institution's internal assessment process and will mandate disclosure processes to encourage safe banking practices.

To loan or not to loan. Evaluating risk is a natural preoccupation of the banking industry, so it’s not surprising that the industry is working on risk measurements whose effects will reach beyond financial services. In January 2001, the Basel Committee on Banking Supervision issued a proposal for a New Basel Capital Accord that, once finalized, will give banks a methodology for evaluating risk. The New Basel Capital Accord (also referred to as Basel II) sets minimum capital requirements, refines an institution’s internal assessment process and will mandate disclosure processes to encourage safe banking practices. We spoke with Steve Katz, the former chief information security and privacy officer for Merrill Lynch and founder and president of the consultancy Security Risk Solutions, for some insight on how the accord will affect corporate security organizations.

CSO: What is Basel II, and whom will it affect?

Steve Katz: The New Basel Accord will apply directly to U.S.-regulated banks. It will require banks to set aside capital reserves to offset operational risks, which include information and physical security, HR security and business continuity planning. Banks will need a set of metrics to look at the components of their operation and the risks they have to manage. Some portion of that risk will be offset by transferring it to insurance companies, which will want to ensure they accept the metrics as well. What is interesting is that institutions and large insurance companies will probably use the same metrics as a basis for offering cyberinsurance to non-[Basel II]-regulated companies. There are only three things you can do to risk: You can correct it, you can accept it, or you can accept some portion of it and transfer the rest. Insurance companies are nobody’s fools. They want to limit exposure and will require companies to have effective risk management programs and to document them.

Do you think this will steer companies toward taking more of a risk management view of security in general?

Absolutely. You’ll see more of a risk management view across the entire spectrum. It has to be a risk management issue, not a security issue. You’ll also see operational risk management committees set up on the boards of directors, similar to audit committees. They’ll make sure that there is a [risk management] program in place.

Though the implementation date is a ways off, are there preparations CSOs should be making?

The accord will be finalized in 2004 or 2005. You’ll see regulators draft guidance documents and submit them for comment. CSOs should look at a couple of things: The Enron Act [a.k.a. The Sarbanes-Oxley Act of 2002], which requires the chairman of the board to sign off on [financial statements]. CSOs should also consider the implications of having the chairman and the CEO sign off on the operational risks. The CEO is signing off on technical risks, and from a security perspective, many CSOs are being required to do the same. In looking at the responsibility for both cyber- and physical security, the ball is very much in the CSO’s court, especially with business continuity planning.