In February 2016, cyber-thieves stole $81 million from the Central Bank of Bangladesh by sending fraudulent messages through the SWIFT payment network. The heist sounded a wake-up call that if financial services firms wanted to protect themselves against similar acts of thievery, they would have to evolve their defenses, and quickly.
First, some background. SWIFT is short for the Society for Worldwide Interbank Financial Telecommunication, a global industry cooperative. More than 11,000 financial institutions in more than 200 countries and territories around the world use SWIFT’s messaging platform, averaging some 26 million SWIFT messages per day, and more than six billion in 2016, according to SWIFT figures.
The Bank of Bangladesh attack opened a Pandora’s Box, as criminal groups ramped up copycat attacks. SWIFT stopped short of disclosing the number of attacks, identifying the banks involved or disclosing how much money was stolen, but details of some of these attacks have become public. Far Eastern International Bank, for example, lost $500,000 in a cyber-heist believed to have been launched by the North Korean Lazarus hacking group, which is suspected of also being behind the Bangladesh heist. In another reported attack, Nepal’s NIC Asia Bank lost $580,000 in a cyber-heist in November 2017.
In all these attacks, security weaknesses in the compromised banks enabled cyber-thieves to gain administrator access to the banks’ payment environments, according to the SWIFT report. With this access, hackers not only stealthily monitored the banks’ operations—sometimes for months—but also were able to modify security defenses and the operation of software to enable their attacks by updating firewalls and bypassing security features.
SWIFT Chairman Yawar Shah highlighted the urgency of the situation in remarks at last year’s London Business Forum: “The disruptive forces of fraud and cyber have always existed and had to be dealt with in our industry; what is different now is that these threats are more organized, more sophisticated, and more global than ever before.”
As part of its efforts, SWIFT recently published a 16-page report, co-authored by the cyber-security division of BAE Systems, that describes how today’s cyber-criminals are infiltrating banks’ systems and networks and provides best practices for better securing them.
“The inevitable criminal focus on the heart of the financial system means that the financial services industry needs to ensure it has effective cyber-defenses against well-funded, motivated, and organized attackers,” said James Hatch, BAE Systems director of cyber-services.
Those in the financial services industry generally acknowledge that stronger safeguards against cyber-threats necessitate industry-wide collaboration. That is the impetus behind SWIFT launching its Customer Security Program (CSP), which aims to improve information-sharing throughout the financial services community and includes its Customer Security Controls Framework.
SWIFT’s Customer Security Controls Framework introduces both mandatory and advisory security controls. The deadline for SWIFT users to have implemented and self-attested to the 16 total mandatory controls was Dec. 31, 2017, and they must self-attest at least annually thereafter through SWIFT’s KYC Registry.
The SWIFT framework contains 27 controls in total, grouped under eight principles and focused on the following three core measures, as summarized in the SWIFT/BAE report:
Secure your environment. Embed security into the design of the bank’s network architecture, including physical security measures, such as restricting access to sensitive areas to authorized personnel and ensuring processes are in place to actively control and monitor who is accessing those areas. Additionally, authorized personnel must be properly screened and trained.
Banks should further ensure that they have in place robust and clearly defined perimeter security, with appropriate prevention measures like firewalls and filters, and detection capabilities in case of intrusion. Through the construction of multiple barriers, they should segregate internal networks according to business needs and risk requirements and actively monitor internal networks.
The bank’s most critical systems should be isolated from the internet, and a further layer of defenses and detection measures should be deployed. “As a matter of course, you should install the latest versions of anti-virus and system software and immediately implement the latest security updates,” the SWIFT/BAE report states.
Know and limit access. After building defenses to prevent hackers coming through the front door, operating procedures and processes must be put in place to then limit and protect administrator and system privileges. This demands the implementation of strong ID management, with strict and actively managed profile and password rules to ensure basic access controls. Additional access controls—such as two-factor authentication across all sensitive or critical applications—should be used to provide another layer of defense.
In addition, banks must identify and protect access rights to all critical systems like interfaces to SWIFT and other payment gateways. “These access rules should clearly allocate rights and capabilities to separate roles and ensure that no single operator can—intentionally or otherwise—open systems to potential abuse,” the SWIFT/BAE report states.
Detect and respond. Having in place adequate intrusion-detection capabilities is the third core measure. Banks should actively monitor networks and systems activity, including interfaces to SWIFT, for unusual behavior—such as users logging in at random times of the day or from new or unknown systems, or multiple failed password attempts. Where gaps in capabilities or layers of defense are identified, consider employing the help of cyber-security professionals to ensure the local environment is sanitized and properly defended with the latest anti-virus applications.
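The three behavioral signals named above (logins at unusual times of day, logins from new or unknown systems, and repeated failed password attempts) can be checked with very little machinery. The following is an added example, not code from SWIFT or BAE Systems: it runs over constructed authentication log lines for a hypothetical payment-interface host, using an assumed log format, an assumed business-hours window, an assumed allowlist of known operator workstations and an assumed failure threshold.

```python
"""Added example (not from the SWIFT/BAE report): anomalous-login detection
over constructed authentication log lines for a payment-interface host.

Signals checked, matching the report's examples of unusual behavior:
  * successful login outside normal working hours,
  * successful login from a host not on the known-systems allowlist,
  * repeated failed password attempts within a short window.
All hostnames, users, timestamps and policy values are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <user> <source host> <LOGIN_OK|LOGIN_FAIL>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

# Assumed policy values (hypothetical; a real deployment takes these from the bank's standards)
BUSINESS_HOURS = range(8, 19)            # 08:00 to 18:59 local time
KNOWN_HOSTS = {"ops-ws-01", "ops-ws-02"}  # constructed allowlist of operator workstations
FAIL_THRESHOLD = 3                        # failures within FAIL_WINDOW that raise an alert
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Return (timestamp, user, host, outcome) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, outcome = m.groups()
    return datetime.fromisoformat(ts), user, host, outcome


def detect_anomalies(lines):
    """Return a list of (timestamp, user, signal) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line; a production parser would count these
        ts, user, host, outcome = parsed
        if outcome == "LOGIN_FAIL":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()  # drop failures that have aged out of the window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((ts.isoformat(), user, "repeated_failures"))
                window.clear()  # one alert per burst rather than one per extra attempt
            continue
        # Successful login: check time of day and origin host independently,
        # so a login that trips both signals produces two alerts.
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts.isoformat(), user, "off_hours_login"))
        if host not in KNOWN_HOSTS:
            alerts.append((ts.isoformat(), user, "unknown_host"))
    return alerts


# Constructed sample log (not real data)
SAMPLE_LOG = [
    "2018-01-15T09:05:00 alice ops-ws-01 LOGIN_OK",
    "2018-01-15T09:06:10 bob ops-ws-02 LOGIN_FAIL",
    "2018-01-15T09:06:40 bob ops-ws-02 LOGIN_FAIL",
    "2018-01-15T09:07:15 bob ops-ws-02 LOGIN_FAIL",
    "2018-01-15T09:08:00 bob ops-ws-02 LOGIN_OK",
    "2018-01-16T02:41:00 alice ops-ws-01 LOGIN_OK",
    "2018-01-16T10:12:00 carol vendor-lt-7 LOGIN_OK",
    "this line is not an auth record",
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(*alert)
```

The sample produces three alerts: a burst of failed attempts by bob, an off-hours login by alice, and carol logging in from a workstation that is not on the allowlist. Each signal is deliberately cheap to compute so it can run continuously on the SWIFT interface hosts rather than only in a periodic review.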
To be clear, SWIFT is focused on the infrastructure connected to its messaging platform, and thus its Customer Security Controls Framework is “not intended as a be-all and end-all framework for all banks,” says Steven Grossman, vice president of strategy at cyber-security software provider Bay Dynamics. “It’s all about strengthening the security of all 11,000 banks as they connect to and use the SWIFT messaging platform and making sure they know who is doing those transactions.”
“This entails strong authentication, monitoring the behavior of users with tools such as user and entity behavior analytics, making sure there’s a segregation of privileges so one person doesn’t have too much access and control, implementing proper segmentation between the banks and SWIFT environment, and more,” Grossman adds. “It’s really about making sure that those parts of the banks that are connected to the SWIFT platform, and the transactions they perform, have the strongest security at all times.”
Financial institutions must consider not just their internal cyber-security risks, but their interactions and relationships with counterparties as well. Understanding counterparties’ credit and compliance risks should be a determining factor in whether and how to do business with them, and cyber-considerations should form an integral part of these routine know-your-counterparty processes, the SWIFT/BAE report states.
As of January 2018, banks that use SWIFT’s messaging platform are now able to assess who they are doing business with by requesting their self-attestations against SWIFT’s Customer Security Controls Framework to ensure counterparties are taking the necessary precautions and protections.
“Financial institutions in major economies and high-risk jurisdictions are increasingly looking to adopt financial crime compliance tools to show correspondent banks that they have strong controls in place,” says Paul Taylor of SWIFT’s financial crime compliance division. “This enables them to be a lot more transparent in terms of the controls they have and the lists they are screening against,” he says.
That should provide some comfort to correspondent banks that their bank counterparties have security controls in place. “The argument there is if you’re a counterparty that doesn’t have risk and control solutions in place and a good framework and good diligence around how that works, then you might not necessarily be an attractive counterparty to continue business with,” Taylor says.
Findings from a recent anti-money laundering and sanctions compliance survey conducted by AlixPartners speak to that point. According to that survey, 63 percent of 361 respondents from financial institutions said they’ve experienced de-risking in their operations in one form or another. Financial institutions have sought to—and continue to—reduce perceived risk by eliminating portfolios, counterparties, or entire lines of business.
For its part, SWIFT has introduced a new module, Correspondent Monitoring, to help banks address money-laundering risk within correspondent banking networks. Correspondent Monitoring allows banks to analyze their SWIFT message traffic to uncover unusual activity patterns and risk exposures within their correspondent banking networks. For example, a user can find out whether it was in receipt of transactions originating in a country considered high risk or subject to sanctions via correspondents operating in a low-risk jurisdiction.
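The routing pattern the article describes, funds that originate in a high-risk or sanctioned country but arrive through a correspondent in a low-risk jurisdiction, can be screened from the two institution identifiers each inbound message carries. The following is an added, simplified illustration, not SWIFT's Correspondent Monitoring module and not its logic: the records, BICs and risk lists are constructed, and the only real convention used is the BIC layout, in which characters five and six are the ISO country code.

```python
"""Added example (not SWIFT's Correspondent Monitoring product): screen
inbound payment records for funds that originate in a high-risk country but
reach us through a correspondent located in a low-risk jurisdiction.

Each record is a constructed dict with:
  ref            our reference for the transaction
  sender_bic     BIC of the correspondent that sent us the message
  originator_bic BIC of the ordering institution where the funds originated
  amount         value of the transfer
Country codes are derived from the BIC (ISO 9362: positions 5-6 hold the
ISO 3166 country code); the risk lists below are placeholders."""
from collections import Counter

# Constructed risk lists (hypothetical; a real list comes from the compliance function)
HIGH_RISK_COUNTRIES = {"XX", "YY"}        # placeholders for high-risk / sanctioned jurisdictions
LOW_RISK_COUNTRIES = {"DE", "GB", "US"}   # placeholders for low-risk jurisdictions


def bic_country(bic):
    """Return the ISO country code embedded in an 8- or 11-character BIC."""
    if len(bic) not in (8, 11) or not bic.isalnum():
        raise ValueError(f"malformed BIC: {bic!r}")
    return bic[4:6].upper()


def screen_inbound(records):
    """Return (flagged_refs, exposure_by_correspondent).

    A record is flagged when the originating institution sits in a high-risk
    country and the message reached us via a correspondent in a low-risk one,
    i.e. the origin would be invisible if only the sender were screened.
    Exposure sums the flagged amounts per correspondent so the bank can see
    which relationships carry the most hidden high-risk traffic."""
    flagged = []
    exposure = Counter()
    for r in records:
        origin = bic_country(r["originator_bic"])
        via = bic_country(r["sender_bic"])
        if origin in HIGH_RISK_COUNTRIES and via in LOW_RISK_COUNTRIES:
            flagged.append(r["ref"])
            exposure[r["sender_bic"]] += r["amount"]
    return flagged, dict(exposure)


# Constructed sample records (not real traffic)
SAMPLE_RECORDS = [
    {"ref": "TXN0001", "sender_bic": "CORRDEFFXXX", "originator_bic": "ORIGXXAA", "amount": 250000},
    {"ref": "TXN0002", "sender_bic": "CORRDEFFXXX", "originator_bic": "BANKDEFF", "amount": 12000},
    {"ref": "TXN0003", "sender_bic": "CORRGB2LXXX", "originator_bic": "ORIGYYBB", "amount": 90000},
    # Sent directly by an institution in a high-risk country: visible to ordinary
    # sender screening, so it is not the hidden-routing pattern this check targets.
    {"ref": "TXN0004", "sender_bic": "BANKXXCC", "originator_bic": "ORIGXXAA", "amount": 5000},
]

if __name__ == "__main__":
    flagged, exposure = screen_inbound(SAMPLE_RECORDS)
    print("flagged:", flagged)
    print("exposure by correspondent:", exposure)
```

On the sample, TXN0001 and TXN0003 are flagged and the exposure is attributed to the two low-risk correspondents that carried them; TXN0004 is left to ordinary sender screening. The split between "flagged" and "exposure by correspondent" mirrors the two questions the article attributes to the module: which individual transactions need review, and which correspondent relationships concentrate the risk.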
Also related to correspondent banking due diligence, the Wolfsberg Group, a non-governmental association of thirteen global banks, recently announced significant revisions to its correspondent banking due diligence questionnaire (DDQ), to be released in February 2018, in response to evolving regulatory expectations and industry practice.
Concurrently, SWIFT announced that it would be aligning its KYC Registry with the new Wolfsberg DDQ for correspondent banks. KYC Registry members can now answer every Wolfsberg DDQ question directly on the KYC Registry platform, increasing transparency and streamlining due diligence processes.
Aside from cyber-security processes and KYC diligence, information-sharing between banks is another vital part of fending off a cyber-attack. Thus, SWIFT is urging banks that are targeted or breached to share all relevant information and alert SWIFT as soon as possible, so that it can share anonymized information on indicators of compromise in the SWIFT environment to limit further damage.