When regulators told U.S. banks last fall to improve their consumer authentication systems by the end of 2006, security product vendors started licking their chops. With less than six months until the deadline, vendors are still salivating, though some of their tummies are really starting to grumble, too.
That's because banks have taken their time addressing the new Federal Financial Institutions Examination Council (FFIEC) guidance. Investment bank Roth Capital Partners recently found that while 69% of 135 financial institutions surveyed expect to reach compliance by year-end, just 16% have moved past the risk assessment stage.
"It's a pretty ambitious program. I actually feel quite sorry for the banks," says Chris Voice, CTO at Entrust, one of the security companies looking to cash in on the new requirements. "I was at a trade show last year and must have seen 100 vendors with FFIEC mentioned everywhere."
Voice says Entrust's $50 million acquisition last week of a fraud detection company called Business Signatures is partly aimed at helping banks that need to scramble to meet the FFIEC guidance. Business Signatures' passive monitoring technology allows for improved customer protection without the need to mess around with back-end applications or change the end-user experience (as is the case with something like Bank of America's SiteKey service).
"We think it's a much faster, low-risk, low-cost way of getting to the FFIEC compliance, though ultimately we think banks will roll out technologies that involve changing the user experience, too," Voice says.
The fraud detection offerings complement Entrust's existing data protection (laptop security, e-mail security, etc.) and authentication products, including those based on Public Key Infrastructure.
The Addison, Texas, company isn't shy about the PKI underpinnings of some key products, whereas other vendors tend to treat PKI like a dirty word. Asked about whether PKI's time has finally come, Voice says, "I'm not sure it ever went away. The hype came and went, but we've had an ongoing PKI business and I don't see that changing."
The emergence of PKI-enabled passports and national ID cards, plus the ubiquity of PKI-aware applications, has validated public-key technology, Voice says. (Roth Capital, which discloses that it makes a market in Entrust shares, cites "government credentialing" as a promising opportunity over the next few years.)
Whether all this will add up to Entrust busting out financially remains to be seen, as the company seeks to reverse a nosedive in its stock price from around $6 last summer to less than $3 to start this week. The company, which spun out of Nortel 10 years ago, generated about $98 million in revenue last year and reported mixed second-quarter results last week. Earnings and revenue fell from a year ago, though product revenue showed some life and Wall St. was more or less satisfied.
Voice says that predictions by some that security companies would strike it rich in the wake of the Sept. 11 attacks haven't been borne out.