SWIFT Will Begin Enforcing Mandatory Security ControlsSeeks Stronger Cybersecurity Oversight from Banking Regulators
All financial institutions that use the SWIFT interbank messaging network must comply with its new cybersecurity standards - as well as a related "assurance framework."
See Also: The Global State of Online Digital Trust
SWIFT announced the changes on Sept. 27, saying that inspections and enforcement will begin Jan. 1, 2018. Draft standards will be released next month for a two-month vetting process; they'll be finalized and published by the end of March 2017. Then organizations - including those who connect to SWIFT via a service bureau - must self-attest that they comply with the standards, on an annual basis, or face being reported not just to regulators, but also other SWIFT members.
Gottfried Leibbrandt, CEO of SWIFT, says in a statement: "While customers remain responsible for protecting their own environments," the move is meant to ensure that rigorous cybersecurity discussions are taking place at all of the more than 11,000 institutions - across 200 countries - that use SWIFT's interbank messaging software and network, as well as between banks and their regulators.
"Our aim in setting out this framework is to support customers by helping to drive awareness and improvements in the industry's overall security. We will do this by maintaining a dynamic assurance approach, evolving the framework in line with the changing threat landscape, and making sure it complements emerging regulatory guidance."
The Society for Worldwide Interbank Financial Telecommunication, as it's formally known, is a cooperative owned by 3,000 banks, founded in 1973, that bills itself as "the world's leading provider of secure financial messaging services." It's now used by more than 11,000 banks globally to process 25 million communications daily that collectively account for billions of dollars' worth of transfers.
Customer Security Program Rollout Continues
But SWIFT has faced criticism from some industry watchers - and questions from legislators and regulators - following the February hack attack against the central bank of Bangladesh that resulted in attackers stealing $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York via fraudulent SWIFT messages. Since then, previous and apparently related attacks have come to light, and SWIFT has warned that attackers are continuing to wage "a wider and highly adaptive campaign" against banks.
Following the Bangladesh Bank hack, SWIFT has continued to assert that its platform was not compromised by attackers. It has also called on users to devote more attention to both their in-house cybersecurity practices as well as the security of the SWIFT-using banks with which they do business (see SWIFT to Banks: Get Your Security Act Together).
But SWIFT in June also announced a new customer security program designed to help banks better spot fraud and related hack attacks. Since then, it's continued to announce a raft of related efforts, including digital forensic investigation services as well as forthcoming fraud pattern detection tools for customers.
16 Mandatory Security Controls
Now, however, SWIFT will begin enforcing its new, mandatory framework, which it says its board of directors unanimously approved. Full details relating to the 16 mandatory controls - as well as 11 optional "advisory controls" - have yet to be released, although SWIFT says this will happen by the end of October.
SWIFT says inspections and enforcement will begin in January 2018, and it will report any customers that fail to comply with the 16 mandatory controls to regulators. It says that it will also randomly audit some customer banks, requiring them to provide more detailed proof of compliance via either their internal or external auditors.
In a bid for transparency - and no doubt peer pressure - SWIFT promises that all of its users will have access to each other's compliance reports, "allowing firms to assess [the] risk of counterparts with whom they are doing business."
The organization also notes that financial institutions are free to hold their business partners to an even higher standard. "This quality assurance process will not preclude customers from independently requesting additional assurance from their counterparts," SWIFT says. "In addition, customers will also be able to choose to disclose their compliance with a further 11 advisory controls that will supplement the 16 mandatory controls."
Regulatory Oversight Required
Key to this initiative succeeding, however, will be the participation of regulators. "We recognize that this will be a long haul and will require industrywide effort and investment, as well as active engagement with regulators," Yawar Shah, chairman of SWIFT, says in a statement. "The growing cyber threat requires a concerted, communitywide response."
Indeed, attacks against banks continue to surge. For example, The U.K.'s Financial Conduct Authority, which regulates the country's 56,000 financial services firms, says it's recently seen a surge in the number of breaches that banks have been reporting to it.
Speaking recently at a cybersecurity conference, Nausicaa Delfas, the FCA's director of specialist supervision, said that while breach reporting in the United Kingdom continues to be voluntary, attacks appear to be on the increase. "In 2014, we received five reports, in 2015 27, and 75 so far in 2016," she said. "Whilst this significant increase indicates more attacks are occurring, this may also suggest better detection and greater reporting to us on the part of firms, which we very much encourage."
On a related note, the SWIFT Oversight Forum last week issued a call to all countries' banking regulators, urging them to oversee their banks' cybersecurity procedures. In particular, SWIFT says that all countries' banks should be able to consult relevant cybersecurity guidance provided not just by third-party service providers, but also their banking regulators.
The SWIFT Oversight Board recommends that regulators emphasize a number of approaches, ranging from performing ongoing security risk assessments and implementing and testing security controls, to running security awareness and training programs and sharing information with other banks.
The central banks of the 11 countries in the G10 - Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States - oversee SWIFT, with the National Bank of Belgium taking the lead role. The SWIFT Oversight Board also includes the central banks of Australia, China, Hong Kong, India, Korea, Russia, Saudi Arabia, Singapore, South Africa and Turkey.
But it remains to be seen whether regulators in emerging markets, in particular, will heed SWIFT's latest warnings and call for financial authorities to more carefully police their country's financial institutions.