With banks worldwide feeling the heat of recent cyber attacks against Swift messaging participants, and the financial telecommunication cooperative's reputation taking an even bigger hit, Swift is making public a five-step plan to tighten security measures.
Swift, the Society for Worldwide Interbank Financial Telecommunication, is seeking improved information sharing amongst global financial institutions; stronger security requirements for customer-managed software; development of security audit frameworks; and support for the banks' increased use of payment pattern controls to identify suspicious behavior. In addition, Swift wants to incorporate certification requirements for third-party providers.
Calling cyber risk "the main thing to keep me awake at night," Swift CEO Gottfried Leibbrandt on May 24 informed attendees of the new plan at a financial services conference in Swift's home base of Brussels, Belgium.
"Cybersecurity is part of our DNA, it is not just an afterthought," Leibbrandt said. "It is not just hardware and software but people, processes, procedures, checks and in fact a whole organization for whom failure is not an option."
Leibbrandt's talk comes at a time when the global financial industry is looking for a way to defend against attacks on such a key facet of moving money around the world.
As he had noted previously, Leibbrandt said the Swift network, software and core messaging services have not been compromised and that the organization is making it a top priority to assure it does not get hacked directly.
It's an unknown at this point whether Swift's heightened focus on security goes far enough to protect participating banks.
While Swift's core values are security, uptime, cooperation, coordination and standards application, many in the industry are now questioning how well Swift performs those functions, said Nancy Atkinson, wholesale banking expert and senior analyst with Aite Group.
"To defend and protect the Swift system, Swift must ensure that participants are fully complying with state-of-the-art security measures, and that fraud can be identified and stopped quickly and efficiently," Atkinson said.
The measures outlined by Leibbrandt are "absolutely necessary in today's IT environment," Atkinson said. Regardless of Swift's position in the recent fraud attacks, the organization "is being blasted across news reports" and thus must take steps to review policies and procedures with any organization with which they interface, she added.
A series of cyberattacks this year rattled the global inter-bank messaging system and opened the door for debate about what role Swift should take in protecting the banks it serves.
The major heist took place in February when hackers stole $81 million from Bangladesh's account at the Federal Reserve Bank of New York. Details of that attack, with sophisticated malware infiltrating an environment operating Swift Alliance Access for messaging, has put banks on high alert.
Swift should be trying to do even more than what it has outlined in its plan, said Patricia Hines, a senior analyst with Celent focused on wholesale banking and global transaction services.
"Swift has infrastructure and authentication methods for third-party Swift Service Bureau providers, along with a certification program," Hines said. "Due to the threat to the global financial system from these bank breaches, it doesn't seem unreasonable to require that banks connected directly to the Swift network comply with the same requirements as third parties."
Swift is taking the proper steps to help banks make the most of its data, Hines said.
"Swift has the data and could help by offering banks a solution to flag suspicious activity," Hines added. However, there are operational and legal challenges in delaying payment instructions while a suspicious transaction is cleared with the bank, Hines said.
"Banks should be doing more by sharing information on data breaches so that other banks can learn from their mistakes," she added.
Leibbrandt called the Bangladesh fraud incident "a watershed event for the banking industry" and noted that Swift had warned users in April that it was aware of similar attacks, possibly in which malware attached to a PDF reader was opening the door to steal money from accounts.
Banks that are compromised in this manner "can be put out of business" and no financial institution can rest in thinking only certain accounts have been compromised in the past, Leibbrandt said.
"It's also a problem because the financial system is hugely interconnected and it operates on trust," he added.
Leibbrandt made it clear that Swift cannot assume responsibility for securing its customers' environments, but wants to help initiate stronger security habits through its new plan. Swift did not respond by deadline to inquiries about the security plan's timeframe or how participating banks would confirm to Swift that they, in turn, had a plan in place to address the new initiative.
The security concerns come at a time when Swift is also engaged in a similar push for more information sharing and communication as part of its Global Payments Innovation initiative in order to smooth and speed up cross-border transactions.
Swift provides its messaging platform and communication standards to more than 11,000 banks and securities organizations in more than 200 countries.
"We are the global bank-owned cooperative at the heart of the global payment system, a system that is facing a persistent threat," Leibbrandt said. "We are stepping up to the plate as our owners and overseers expect us to."