Treasury Today Country Profiles in association with Citi

SWIFT responds to hacks with new customer security programme

Hacker hacking payment system on computer

In an effort to restore confidence after a number of fraudulent payment cases, the international financial network SWIFT last week announced a belated package of new security measures. We take a look at the key points.

A new package of security messages were announced by SWIFT late last week, amid growing calls from the global financial community to strengthen its defences against cyber threats.

The response comes after a bank in the Philippines became the fourth financial institution to be attacked by hackers using the SWIFT network, which facilitates transactions between more than 11,000 banks in 200 countries. That incident follows a number of other high profile incidents beginning with the infamous Bangladesh central bank heist in February, after which separate incidents involving institutions in Vietnam and Ecuador also came to light. Now recent reports indicate that investigators are examining possible breaches in as many as 12 banks linked to the global payments network.

Although SWIFT has repeatedly pointed out that its network had not been compromised and the thefts were the result of other banks’ systems being hacked, the Belgium-based cooperative is said to have been stung by criticism over shortcomings in its security provisions.

“We are the global bank-owned cooperative at the heart of the global payment system, a system that is facing a persistent threat,” SWIFT CEO Gottfried Leibbrandt said when announcing the plans in Brussels last week. “We are stepping up to the plate as our owners and overseers expect us to.”

The five point plan

So what will “stepping up to the plate” actually mean in practice? According to the press release sent out by the organisation on Friday last week, the programme will focus on five strategic initiatives, each aimed to tackle the security flaws highlighted by the recent breaches.

As a top priority, SWIFT will aim to improve information sharing across its global community through encouraging banks to inform others when they are attacked. Conversely, the group has also pledged to keep its community informed of any further incidents as well as providing “information on best practices and innovation in cyber defence”.

A second measure that will be considered is requiring customers to use existing security measures, such as two-factor authentication of payment instructions (which are currently optional on the system). Remote monitoring capabilities of customer environments will also be strengthened.

Another initiative will be the enhancement of SWIFT’s guidelines and audit frameworks to address concerns that it has not been as ready as it should have been in the past to cut off members whose security is not up to scratch. The group will create audit standards and certification, plus compare banks' compliance level with ‘baselines’ to ensure that all their clients have appropriate security measures in place around their SWIFT terminal.

Finally – an especially relevant measure for corporate treasurers – SWIFT has promised enhanced support for third-party providers. This will be achieved, the groups say, through certification programs, partner programs and the organisation of industry events (such as Sibos) where such providers can engage with the group’s customers.

A safer SWIFT?

As industry experts have been quick to point out, the fundamental question now facing SWIFT is one not unlike that which has arisen in respect to other, previously lower value, financial transactions as well as messaging systems like email. It is, simply, how to reliably prevent or detect spoofed messages while still allowing legitimate messages to be processed quickly efficiently and in a manner that supports its payment and funds transfer services.

To that end, Simon Viney, a director of Cyber Resilience at cybersecurity firm Stroz Friedberg, says SWIFT’s plan to evaluate its enterprise-wide approach to cyber governance, including the risks associated with its business partners and third-party suppliers, is a positive step.

“Organisations are as strong as the weakest link,” Viney told Treasury Today, “and attackers often only need to bypass one control in order to successfully divert funds or steal sensitive data. Reviewing and, where necessary, enhancing the cyber controls across the end- to-end payments and funds transfer process is therefore essential. As SWIFT acknowledges, improving information sharing of actual incidents and ‘near misses’ is key to allowing the community to react to the evolving threats.”

Viney cautions that cybercrime is an almost inevitable feature of the increasingly connected world in which we live for which there are no ‘silver bullets’. SWIFT is therefore right in its determination to look at the problem holistically, rather than merely focusing on one element – such as two-factor authentication – as some commentators have recently done.

“There is no security panacea, as the experiences of many banks which have adopted forms of two-factor authentication for their online banking customers have demonstrated,” Viney says. It is important, he adds, that we focus on the overall cyber governance and risk management approach taken by SWIFT and its customers. “Cyber resilient organisations adopt robust controls to resist cyber-attacks, but also recognise that how they detect, react, respond and learn from the experience are at least equally important.”