To help its member banks avoid the nightmare of a data breach, the Society for Worldwide Interbank Financial Telecommunication (Swift) is requiring them to take the necessary security steps to establish a strong baseline of cyber defense.
And Swift intends to make sure its banks all follow the same procedures.
Starting Jan. 1, the banks will have to comply with Swift's Customer Security Controls Framework, a set of 16 mandates and 11 advisory controls that represent best practices. Swift put the framework in place this year, viewing the process as one in which most — but not all — banks would be able to comply by the deadline, at which time they will have to prove compliance through a security attestation process.
"What we continue to see is that compliance with these types of best practices for security really mitigate against the end-point security risks, which is where we see the greatest risk and vulnerability in the ecosystem today," said Pat Antonacci, managing director of the customer security program at Swift.
Indeed, most of the cyber attack trouble that Swift had to deal with occurred within the network of a member bank, such as in the Bangladesh central bank in 2016 — not on the Swift messaging network.
"We built the control framework and underlying controls off of industry-recognized standards like NIST, PCI and ISO, so we didn't do it in isolation," Antonacci said. "We looked at it from what are the best practices around cyber security and how can we make that link with the Swift ecosystem and, specifically, the Swift infrastructure."
Swift established three major objectives through the framework — securing a framework, knowing and limiting access, and detecting and responding to fraud events.
The mandates will come at a good time, as some Swift participants don't currently monitor Swift activity or potential fraud, said Shirley Inscoe, senior analyst with Boston-based Aite Group.
Inscoe said she recently interviewed 19 large North American financial institutions, 17 of which are direct Swift participants. Ten of those 17 did not have monitoring procedures in place, she said.
"It will take some time for all members to evaluate, make decisions and plan how they will meet the new security requirements," Inscoe added. "IT resources are always busy with planned projects, and those resources may be needed as part of implementation projects."
Every Swift member will be affected, she said. "Major changes don't happen quickly, however cyber threats are real, and hopefully, prioritization will be done as quickly as possible by the majority of members."
The mandates cover topics such as restricting internet access, protecting critical systems from the general IT environment, reducing attack surface and vulnerabilities, physically securing an environment, preventing compromise of credentials (strong password policies and multi-factor authentication methods), managing identities and segregating access privileges.
Swift is also asking member banks to detect anomalous activity affecting the system or transaction records through malware protection, software and database integrity, and logging and monitoring procedures. In addition, the banks must have incident response plans in place and a process for sharing information and offering security training.
On the surface, it would seem most banks would not find the mandates or guidelines to be difficult, or even too far removed from what they currently do. Mostly, Swift wants its member banks to follow similar procedures, as it does with its Global Payments Innovation initiative.
"It is always a case of the haves and have nots" in terms of being able to comply with new mandates quickly, said Steven Grossman, vice president of strategy for cyber risk management provider Bay Dynamics.
"There are large global banks that are a result of mergers and acquisitions, and many of those have legacy systems, and they suffer from complexity and overload of regulations," Grossman said. "On the other side of the curve, you have small banks, especially those in less developed countries, that don't have the resources and haven't been able to focus on this."
The Swift customer base, after all, does consist of 11,000 banks, financial institutions and some corporate clients across more than 200 countries. Such a widespread mix of clients makes common mandates even more vital.
"Swift is always very careful to note that it was not their network that was breached, it was the network of the bank itself," Grossman said. "When you have a breach environment on a network that has connectivity to another network, then that other network is exposed."
It's a case in which the size of a bank doesn't guarantee anything in terms of thwarting cyber threats.
"It's not a matter of whether a bank is big or small, it's a matter of whether a bank is tech savvy or not," Swift's Antonacci said. "It's the biggest challenge for banks, corporates, or investment managers that are on the ecosystem."
For those that are tech savvy, the new Swift security mandates may represent nothing more than taking current best practices and making sure they adopt them in the same manner against the Swift ecosystem and the messaging area in their Swift transaction flows, Antonacci added.
"We're only stronger together," he added. "In the end, the compromises that have all occurred have been on the edge (of the ecosystem), but as a cooperative and leader in this space it was appropriate for us to build a framework to help clients have best practices in cyber security and information sharing."
As with any security measure, Swift is emphasizing that the Customer Security Controls Framework is not the "silver bullet" to stop fraud. Rather, it is established to detect anomalous transactions so Swift members can protect themselves and also know the level of compliance and readiness of counterparties.
"Cybersecurity is not an added value," Antonacci said. "It is something you have to do so that the ecosystem end-to-end is secure, and to ensure that across the entire community."