They have some, problem is they are generally monitored by the auditors who are often in bed with their clients, particularly for large accounts so they may raise the issue but generally aren’t going to flag it or make enough waves to get a change made, at least with the current state of security and auditors in the US. Also, security risk is obscure enough that it isn’t going to prevent a “clean opinion”. I don’t think auditors are really equipped well to do it outside of the largest firms, and even then, they are far more financially oriented than security/ops oriented.
I don’t think we will see much change until there are strong ISO type certifications for levels of security and the shareholders demand (or govt enofrces compliance) that those standards be met and maintained. Are there already ISO standards or what are the benchmarks for security? I don’t know.
