Banks With Bad Cybersecurity Could Face SWIFT JusticeChanging Tack, SWIFT Considers Suspending Banks With Security Shortcomings
Is SWIFT now playing good cop/bad cop?
In the wake of the SWIFT-related theft of $81 million from the central bank of Bangladesh, and investigations into potentially related attacks against more banks dating back to 2013, SWIFT CEO Gottfried Leibbrandt initially said that his organization wouldn't impose data security standards on any of its 11,000 members.
"The system is only as secure as the weakest link."
"SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry," Leibbrandt said in a May 24 speech in Brussels, during which he called on the banking sector to help banks better secure themselves.
But Leibbrandt appears to have changed tack, saying on June 1 that his organization is now weighing suspending banks found to have poor security practices. "We could say that if the immediate security around SWIFT is not in order we could cut you off, you shouldn't be on the network," Leibbrandt tells the Financial Times.
"There are pros and cons to that," he adds. "The pros are that it provides clarity that if you are on the SWIFT network you need minimum standards. ... I think the con is if you do it too heavy handed, you could drive people to unsafe channels."
SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - is a nonprofit cooperative owned by 3,000 banks that bills itself as "the world's leading provider of secure financial messaging services." Its network and software daily processes 25 million communications that collectively account for billions of dollars' worth of transfers.
Leibbrandt also tells the Financial Times that SWIFT has been in discussions with both the Bank for International Settlements as well as the Financial Stability Board about making SWIFT's security guidance part of their global security standards. He adds that SWIFT also is considering creating a program that will certify auditors to review banks' cybersecurity practices.
A SWIFT spokesman tells me that the organization is simply weighing all options.
"What we have said is that everything will be considered - including the merits of a disconnection or a suspension as a penalty for customers who have violated any security rules that we might hardwire," he says. "All these things - amongst many other things - will be considered and the pros and cons of the different alternatives weighed up. Customers will, of course, be involved in and consulted on the further definition of the customer security program, including decisions on such matters."
Weakest Link Warning
Seeing SWIFT raise the possibility of launching security audits for its participating banks and adjusting financial sector regulations speaks to the drubbing that the cooperative's public image has taken since the February Bangladesh Bank heist came to light in March (see Blocking Hack Attacks: SWIFT Must Do More).
Indeed, multiple regulators and legislators have been demanding to know how the financial services industry plans to lock down related weaknesses, and what risks SWIFT-using banks currently face (see Fraudulent SWIFT Transfers: Congress Queries New York Fed).
It's clear that SWIFT has to be seen to be doing something. The unanswered question, however, seems to be what to do about institutions that can't reliably repel hack attacks or spot when they've been breached (see SWIFT to Banks: Get Your Security Act Together).
For example, court documents recently came to light showing that Ecuador's Banco del Austro lost $12 million in January 2015 to attackers who infiltrated its systems and sent fraudulent SWIFT messages.
"The system is only as secure as the weakest link," says Ricardo Villadiego, CEO of anti-fraud firm Easy Solutions. And right now, there appear to be plenty of weak links that cybercriminals can continue to target.
In the wake of the bank-hacking reports, SWIFT initially pointed the finger at victim institutions' poor information security practices. But it's subsequently come out with a security action plan, including proposals to increase threat information sharing and fraud detection.
Security experts say it's unclear if such measures would help, especially because many banks already use such tools. Likewise, fraud detection is a difficult fit with many financial services firms pushing for faster payments.
On the other hand, some security experts have noted that most SWIFT-using banks haven't been using strong authentication to verify SWIFT messages. Such security controls could help block hackers' attempts to inject fraudulent message into SWIFT's network and thus help arrest the types of bank heists - and attempted heists - that have recently come to light.