SWIFT, the Society for Worldwide Interbank Financial Telecommunication and the global banking messaging platform, will have to comply with a new cybersecurity framework that aims to establish a baseline for security from 1st January 2018.
The new regulatory framework follows last year's large-scale heist in which Bangladesh Bank lost $81 million. It requires the implementation of security controls such as incident response, multi-factor authentication, anomalous behaviour detection and security awareness training.
The new framework adds 16 more mandatory controls and 11 advisory ones, a significant change in scale that may change the rate at which financial institutions are attacked. 11,000 banks in over 200 countries use the SWIFT network. As fast as the banks can transform their technology, however, hackers always seem to be a step ahead.
The VP of Strategy at Bay Dynamics, Steven Grossman, said, “SWIFT has a responsibility to establish the standard for transacting on its network. Just one bank having lax security controls in place lowers the bar and elevates cyber risk for everyone else who uses the platform. The framework affects banks of all sizes, which vary in cyber maturity levels, in developed and underdeveloped countries.”
SWIFT announced its new framework in September last year and explained that the ‘core security standards are based on three overarching objectives which address major areas of attention for customers’ SWIFT-related environments’. Alongside this, ‘self-attestation will start in the second quarter of 2017 when the standards will be made applicable to all customers connected to SWIFT, including those connected through service bureaus.’
For a framework being launched in 2018, it seems a little outdated and clunky. Some ask if this is because it is being used by outdated institutions.
Discussion has turned to whether or not the banking sector is an industry in which actions are only taken when something breaks.
Grossman stated that “most every industry is focused on their mission, which is usually to make money by fulfilling a need. Security is important as it supports or has the potential to interrupt that mission. I’m not sure we can paint the whole banking industry with a single brush, but some banks are certainly more proactive than others in how they address the risks and rewards of good cyber security practices. Regulations are an attempt at motivating those that lag to up their game. The SWIFT Control Framework is interesting in that it introduces an unprecedented level of transparency by revealing to all banks on the network who is and is not complying. It adds a peer pressure angle to ensure that everybody plays nicely in the sandbox, or they will be excluded from the game.”
SWIFT’s CEO, Gottfried Leibbrandt, said: “What SWIFT is doing is strengthening security. SWIFT is fully committed to helping strengthen customers’ security and helping them improve their security measures, and our aim in setting out this framework is to support customers by helping to drive awareness and improvements in the industry’s overall security. We will do this by maintaining a dynamic assurance approach, evolving the framework in line with the changing threat landscape, and making sure it complements emerging regulatory guidance.”
One of the ways SWIFT is helping to improve measures is with multi-factor authentication and biometrics. The question being asked is whether this is enough, or whether blockchain is needed to ensure complete security. Grossman believes these two technologies would be the most effective for a large-scale network like SWIFT, and that risk-based authentication, where users are authenticated depending on their behaviour and risk, would be the next step.
“It’s good to see that the SWIFT framework includes a requirement about monitoring for anomalous activity, which serves to help identify insider threats and compromised accounts, supporting a more complete authentication model. For example, if a user is attempting to log in from an unusual location at a usual time, they could be prompted for additional authentication methods or prevented from connecting altogether. Distributed ledger type technology like blockchain could provide additional capabilities in this area in the future, but is not mature enough for the type of scale, performance and security that a network like SWIFT requires right now.”
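The risk-based check Grossman sketches above, written out as an added example (not code from the article, Bay Dynamics or SWIFT): each login attempt is scored against the user's own history of countries, networks and working hours, and the score decides between allowing the login, demanding a second factor, or blocking it. The weights, thresholds and login events are constructed assumptions for illustration.

```python
# Added example: minimal risk-based authentication decision. Weights,
# thresholds and all login events below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Login:
    user: str
    country: str     # country code of the source address
    ip: str          # source IPv4 address
    when: datetime

def build_baseline(history):
    """Summarise a user's past logins as the countries, /24 prefixes and hours seen."""
    return {
        "countries": {h.country for h in history},
        "prefixes": {".".join(h.ip.split(".")[:3]) for h in history},
        "hours": {h.when.hour for h in history},
    }

def risk_score(attempt, baseline):
    """Additive score: every signal that deviates from the baseline adds weight."""
    score = 0
    if attempt.country not in baseline["countries"]:
        score += 50   # a never-seen country is the strongest single signal
    if attempt.when.hour not in baseline["hours"]:
        score += 20   # outside the hours this user normally works
    if ".".join(attempt.ip.split(".")[:3]) not in baseline["prefixes"]:
        score += 15   # unfamiliar network; weak on its own, telling in combination
    return score

def decide(attempt, baseline, step_up=20, deny=70):
    """Allow below step_up, require a second factor up to deny, block at or above deny."""
    score = risk_score(attempt, baseline)
    if score >= deny:
        return "deny"
    return "step-up" if score >= step_up else "allow"

# Constructed history: one operator working office hours (09-17) from one network.
HISTORY = [Login("op1", "BD", "203.0.113.7", datetime(2017, 3, d, h))
           for d in range(1, 6) for h in range(9, 18)]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for a in [Login("op1", "BD", "203.0.113.9", datetime(2017, 3, 8, 10)),
              Login("op1", "BD", "203.0.113.9", datetime(2017, 3, 8, 2)),
              Login("op1", "ZZ", "198.51.100.4", datetime(2017, 3, 8, 3))]:
        print(a.when.isoformat(), a.country, decide(a, BASELINE))
```

An attempt during office hours from the usual network is allowed, a 02:00 attempt from the usual network triggers step-up authentication, and an off-hours attempt from an unknown country and network is denied.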
Are banks ready for the January 1st deadline? SWIFT Chairman Yawar Shah recognizes that it will be a long-haul process that will require effort, investment and engagement with regulators. “The growing cyber threat requires a concerted, community-wide response. This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT’s Customer Security Programme,” Shah said.
Grossman states that the “general feeling in the industry is that many companies are/will not be ready for some of the regulations being put in place (SWIFT, the NYS DFS Cybersecurity Regulation, GDPR, etc.). In the case of the SWIFT Controls Framework, I think that you’ll see a division between the haves and have nots, where the more established players will be able to comply, while smaller banks in lesser developed countries will struggle to be able to put the required people, process and technology in place.”
“In addition to ‘I Comply’ or ‘I Do Not Comply,’ the attestation process allows banks to attest that they will comply by a given date and allows for an explanation. This will not stop peers from scrutinizing their transactions with them, or SWIFT from reporting them to supervisors, but it shows the right intent and direction. Everybody understands that security is a process that takes time, and sometimes the right intent and direction is the best they can do. It will be up to the community and supervisors to decide if that is good enough.”