Written By: Darren Morris – Corporate Finance
SWIFT, Society for Worldwide Interbank Financial Telecommunication, has executed 28 million payment messages per day, as published in their May 2017 report. SWIFT connects more than 11,000 banks and financial corporations worldwide. As SWIFT processes the international payments of banks, the amounts and volumes at stake are huge, and 212 countries are connected through their banks and financial institutions.
But the number of major cyberattacks has seriously affected the credibility of the trading system. For instance, $10 million was stolen from a Ukrainian bank in June 2016. The largest attack in 2016 removed $81 million from the bank accounts of Bangladesh’s central bank, Bangladesh Bank. By exploiting internal weaknesses within the bank, and thanks to internal complicity, hackers were able to obtain the codes to send messages on behalf of the pirated bank and to make fraudulent transfers.
The SWIFT network has been regularly improved and integrated by banks directly into their systems. The ways in which banks have connected SWIFT to their own systems depend on each bank and can be partially or totally automated. The threat of cybercriminals is particularly difficult to eliminate, as the attacks can be imported into the network by any of its members.
SWIFT strengthened its own employees’ skills with cybersecurity partners.
In July 2016, SWIFT partnered with Fox-IT and BAE Systems, two European companies specializing in cybersecurity. Cybersecurity experts joined the team of the SWIFT inter-bank messaging system. “The inevitable focus of criminals on the heart of the financial system means that the financial services industry must guarantee operational cyber defenses against funded, motivated and organized attackers,” said James Hatch, BAE Systems Director of E-Services, stressing how vital it is that the entire industry works together to defend its systems and networks.
SWIFT created a dedicated Customer Security Intelligence team, bringing together a strong group of information-technology (IT) and cyber experts to investigate security incidents within customer environments. The expert firms have complemented SWIFT’s in-house cybersecurity expertise in response to multiple attacks and work closely on analysing security breaches and solving them. These investigations are going hand in hand with strengthened sharing of information between users of the SWIFT network.
“Information about our customers, including those on failed attacks, is essential to continue to protect our community,” said Craig Young, SWIFT’s chief technology officer. “The information we have already collected from pirated banks has allowed us to identify new malicious software.”
Sharing information between SWIFT and its clients becomes key.
Beyond reinforcing its internal skills, SWIFT has put in place strategic actions and designed a battle plan to reduce hacking opportunities; it has decided to protect itself by increasing the transparency of the behaviors of its clients. Just after the Bangladesh Bank hacking, Gottfried Leibbrandt, SWIFT’s CEO, indicated that “SWIFT services and its software were not compromised”, but “every individual customer of SWIFT is responsible for the safety of his environment.”
That is why the first pillar of SWIFT’s anti-cyber-criminal program relies on sharing incidents-related information with its bank clients, and SWIFT is helping them to strengthen their own security protocols. Many banks are now calling and sharing with teams of experts, informing them about possible fraud.
SWIFT, however, also announced the strengthening of security measures on its network.
Authentication parameters of the participants have been reinforced. Certification and audit processes of SWIFT messages have been tightened and tailored to the types of network users (large banks, regional banks or small institutions). SWIFT wants to create tools to identify anomalies and recall fraudulent payments. Security around its providers’ ecosystems will also be made tougher.
Finally, and recently, the interbank information-exchange network has asked its clients to evaluate their resistance to a series of cyber-defense criteria.
In concrete terms, the international banking system will require all of its 11,000 members to provide a declaration of conformity to 27 cybersecurity rules. “We give them six months from July to carry out a self-assessment on 16 mandatory criteria and 11 optional criteria. Among other things, institutions will have to justify the level of segregation of their networks, the security of their fire walls, their antivirus systems, etc.,” stated Alain Raes, director of Asia-Pacific and EMEA (Europe, the Middle East and Africa) at SWIFT.
Anxious to improve its image after the giant frauds that took place via its network in 2016, SWIFT hopes to encourage virtuous behavior and create a “self-emulation” among its members. “If all our customers comply with these cybersecurity rules, this should make the lives of criminals significantly more difficult,” claimed Raes. He will not, however, take the initiative to ban the “bad students” from SWIFT. “It is the local legislators who must make such decisions, on the basis notably of the information we have provided them.”
SWIFT indicates that by the end of 2018, it will have provided national banking regulators with a list of banks connected to its network that have not complied with its cybersecurity recommendations. And to promote even more transparency, the network will make available to its customers the cyber-defense evaluations of all of the banks to which it connects.
Communication of this information to banks and regulators should help reduce SWIFT cyberattacks in the future.