The Society for Worldwide Interbank Financial Telecommunication, or Swift, has the ability to oversee security on its network and demand far more of its members to coordinate those efforts. But its current structure may not be the best suited to do that.
In the absence of other options — such as a separate governing body or third-party fraud operation — Swift wants to put its foot down and boot bank members with weak cyber security measures, as CEO Gottfried Leibbrandt recently declared.
After an $81 million hack into the Bangladesh Bank brought to light what turned out to be a series of attacks within the Swift network, ideas about what to do are flowing freely, but which has the most merit?
The magnitude of the 11,000-plus financial institutions network and the technology power behind hackers, especially nation-state operations, make it clear that Swift's members may be out of their league if they treat this threat the same way they treat security individually.
The biggest issue: Despite Swift's clear message on security, the agency does not have the teeth — yet — to force the least secure banks on its network to take action.
"It isn't often that you have an executive take such a hard stance on cyber security," Brad Bussie, direct of product management for STEALTHbits Technologies, said in an e-mail. "What is really needed in the marketplace are harsh penalties to discourage others from falling prey to repeated breaches."
Individual bank practices, or lack of them, is at the core of Swift’s concerns.
Swift is a governing body that just happens to function like a switch operator on a network. As such, Swift's role is setting rules. The question now is, how can those rules be leveraged to improve security?
The clearest step would be to reevaluate the basic requirements needed to participate in Swift, said Jo Webber, CEO of data security vendor Identity Finder.
"Swift is a 20- to 30-year-old system and it was a different world when it was built," Webber said. "The global economy has grown since then, and the system was never set up to handle this volume. So it was creaky anyway, and now you have hackers trying to take advantage of it."
Swift has been able to secure its messaging system, but it has no control over what happens to that coding when member banks are using it or providing access to others.
"It would be interesting to put a governing body over this sort of thing, but really Swift just has to establish certain requirements that any member bank using the system would have to follow in terms of managing their codes," Webber said.
It could become a political mess within the financial services industry if a movement ever began to establish a central body to oversee Swift and its member banks, said Todd Feinman, Identify Finder's president.
"And if you bring in a third party, that is yet another organization with access to all of the information, so you might be exacerbating the problem by trying to fix it," he added.
Many banks or corporations handling a lot of sensitive data have created the position of chief data officer in the last six months to more clearly oversee the handling of data and how it is being classified, Feinman added.
Swift does not have a chief data officer, though it does have a privacy officer whose job it is to monitor and secure data that Swift holds through personal data protection and security control policies. That position does not oversee the data that banks handle. Swift's security framework covers entry, access, cryptographic and availability controls. Swift did not make an executive available for comment for this story.
Of all the things Swift could address, it could probably best serve its member banks by establishing requirements that the banks' data be classified in a way that the most sensitive data is protected with limited access, while the massive amounts of other data that is dated or not even needed is removed from the same parts of the network as the most sensitive data, Feinman said.
If all banks followed the same procedure, it would be far easier to keep sensitive data out of unauthorized hands, and it would make it far more difficult for hackers to get their hands on anything of value once they are in a network, he added.
However, Swift must also consider that the security flaws are a symptom of the resources available to each bank on its network.
"Swift has dictated the rules that banks should follow, and the best practices," said Gareth Lodge, a London-based industry analyst with Celent. "The issues have come about primarily because those smaller, less sophisticated banks have not followed them."
That shortcoming is at the foundation of how an attack on the Bangladesh Bank, rather than directly on Swift, resulted in hackers being able to use Swift codes to compromise the bank’s network.
"This has been compounded by the fact that the banks have either not realized themselves or have not flagged the issue," Lodge said. "Given that networks such as Swift are based on trust, Swift and the recipient banks have to assume that everyone else is following the rules."
Even though the heist at the Bangladesh Bank sent shock waves throughout the industry, it may have been the best wake-up call Swift could have received.
"The $81 million is not chump change, but it could have been a lot worse if a human hadn't stepped in and spotted something that wasn't right," said Identity Finder's Webber. "Swift is now stepping up to the plate and demanding a level of control. They can take the lead on this, because they are at the center of this wheel."