SWIFT Customer Security Programme – what’s in it for the banking community?

In recent years, cases of cybersecurity breaches have grown in both frequency and sophistication. Of all the affected industries, the financial sector remains particularly vulnerable. According to a report by the Boston Consulting Group, banking and non-banking financial firms are 300 times more likely than other institutions to experience cyberattacks.

Because banks are interconnected through payment networks such as SWIFT, the potential for loss is greater still. A report published by the Federal Reserve Bank of New York in January 2020 stated that the interconnectivity of banks creates a massive spillover effect for cyberattacks within the banking network. The report notes that a cyberattack on any of the five most active U.S. banks could affect 38% of the network, and that cyberattacks on six small banks with less than $10 billion in assets could threaten the solvency of one of the top five U.S. banks.

For several decades, SWIFT has worked to make transactions secure by providing a secure network through which more than 10,000 financial institutions in 212 countries send and receive transaction information. Despite all the measures SWIFT has taken to secure the network, several cyberattacks against institutions on the network have been reported.

A timeline of cyberattacks on financial institutions in the SWIFT network

| Date | Financial Institution | Method of Cyber Attack | Value of Theft |
|---|---|---|---|
| May 2018 | Banco de Chile | Destructive software as cover for a fraudulent SWIFT transfer | $10 million |
| March 2018 | Malaysian Central Bank | Attempted use of fraudulent SWIFT transactions | $390 million |
| February 2018 | City Union Bank, India | A SWIFT transfer to a Chinese institution | $1 million |
| January 2018 | Bancomext, Mexico | Fraudulent SWIFT transactions | $110 million |
| October 2017 | Far Eastern International Bank, Taiwan | Malware planted in the company’s systems to access a SWIFT terminal and make fraudulent transactions | $14 million |
| July 2016 | Union Bank of India | Attempted use of fraudulent SWIFT transactions | $170 million |
| July 2016 | Nigerian Bank | Attempted use of fraudulent SWIFT transactions | $100 million |
| February 2016 | Bangladesh Central Bank | Fraudulent SWIFT transfer requests to the Federal Reserve Bank of New York | $1 billion |
| Early 2015 | Ecuadorian Banco del Austro, Ecuador | Compromised payments systems to make SWIFT transfers to 23 Hong Kong-registered companies | $12 million |

Source: carnegieendowment.org

In 2019 and 2020, cyberattacks on SWIFT users continued at a rate similar to that of previous years, and SWIFT does not foresee the rate of cyberattacks slowing down!

To combat such cyberattacks and breaches in the global banking system, SWIFT established the Customer Security Programme (CSP) in 2016. The program is designed to improve information sharing within the community, enhance SWIFT-related tools and strengthen end-point security to combat cyber fraud.

So, how will this work?

SWIFT has defined 22 mandatory controls and 10 advisory controls applicable to all SWIFT users.

Mandatory Controls

1. SWIFT Environment Protection
2. Operating System Privileged Account Control
3. Virtualisation Platform Protection
4. Restriction of Internet Access
5. Internal Data Flow Security
6. Security Updates
7. System Hardening
8. Operator Session Confidentiality and Integrity
9. Vulnerability Scanning
10. Application Hardening
11. Physical Security
12. Password Policy
13. Multi-Factor Authentication
14. Logical Access Control
15. Token Management
16. Physical and Logical Password Storage
17. Malware Protection
18. Software Integrity
19. Database Integrity
20. Logging and Monitoring
21. Cyber Incident Response Planning
22. Security Training and Awareness

Advisory Controls

23. Back-Office Data Flow Security
24. External Transmission Data Protection
25. Vulnerability Scanning
26. Critical Activity Outsourcing
27. Transaction Business Controls
28. RMA Business Controls
29. Personnel Vetting Process
30. Intrusion Detection
31. Penetration Testing
32. Scenario Risk Assessment

As a SWIFT user, your role is simple. All you need to do is reinforce control in three ways.

1. Protect and secure your local environment

2. Prevent and detect fraud in your commercial relationships

3. Prepare the community to defend against future cyber threats by sharing information

If you are a banking or a non-banking financial institution in the SWIFT community, here’s what you need to do.

1. Submit an annual Security Attestation

Attest your controls before the expiry date of the current version of the controls, confirming full compliance with the mandatory security controls by 31st December every year, and re-attest at least annually thereafter.

2. Manage and monitor counterparty risk

You form commercial relationships with other SWIFT users in order to exchange business messages with them. To minimise risk and manage these relationships efficiently, establish and maintain cybersecurity processes for your organisation.

3. Enhance the accuracy of your attestation

Verify that your security attestation corresponds with your actual level of security control implementation. Also, perform a Community Standard Assessment to further enhance the accuracy of your attestations. Starting from 2021, you will also need to submit an Independent Assessment done by an internal or external CSP assessment provider.

4. Share and view counterparty attestations

You can send access requests to your counterparties to view the contents of their attestations via the KYC-Security Attestation application (KYC-SA), and they can accept or reject those requests. Likewise, your counterparties can send you access requests to view your attestation contents via KYC-SA, and you can accept or reject them.

Can you get external help? Yes.

SWIFT has published a list of CSP assessment providers who can assist you in addressing cybersecurity within your own organisation to ensure you meet the mandatory controls.

Such assessment providers, like Birchford, hold SWIFT certification and ISO 27001 LA certification. They will analyse your SWIFT infrastructure against both the mandatory and the advisory controls. The scope of their assessment can cover the following areas:

Readiness assessment – a gap assessment of the cybersecurity controls against the CSCF requirements and other frameworks (NIST, FFIEC, COBIT).
Remediation plan – recommended remediation actions for missing controls.
Program management – design of a governance framework and transformation program to implement the required changes.
Subsequent annual external assessment requirement – assistance in implementing the changes and performing the required self-assessment and self-attestation.

Thereafter, you are ready to announce your compliance. You can then submit the results of the analysis on the SWIFT online portal, and your results could be visible to everyone.

We spoke to Baran Ozer, Director of Sales at Birchford, who said:

“The expanding threat landscape of cyberattacks has never been more pressing. Numerous payment fraud instances in local bank environments demonstrate the necessity for industry-wide collaboration to fight back, and our certified SWIFT and security professionals can give business leaders a helping hand during this campaign. Our combined know-how of SWIFT and security has already produced some innovative and instrumental solutions for banks and financial institutions to comply with some mandatory controls.”

Birchford houses a team of SWIFT-certified consultants. Their combined expertise in SWIFT and security can help you comply with and cover all aspects of the Customer Security Programme, from assessment to complete implementation. Reach them at birchford.com.