Swift strikes back over three hack attacks
Swift has unveiled a five-part plan to reinforce security across its network after three hacking incidents.
At the 14th annual European Financial Services Conference in Brussels, Swift CEO Gottfried Leibbrandt outlined its “Customer Security Programme”:
- Improve information sharing among the global financial community;
- Harden security requirements for customer-managed software;
- Enhance guidelines and develop security audit frameworks for customers;
- Support banks’ increased use of payment pattern controls to identify suspicious behaviour;
- Introduce certification requirements for third party providers.
In his speech, Leibbrandt says: “Cyber concerns are not new to us at Swift. Indeed, ever since I took on this job, cyber risk has been the main thing to keep me awake at night.
“We work very hard at improving the cyber security of our network; every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. And rightly so for Swift.”
Leibbrandt says the Swift network, software and its core messaging services “have not been compromised”.
But he calls on the financial industry, as a “community”, to be aware of the risks and warns that some attacks will be “successful”.
During the speech, Leibbrandt made specific reference to the Bangladesh bamboozle.
He says: “Let me turn to the recent fraud at Bangladesh that has caught multiple headlines. I think it will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh.
“The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts.
“The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated.
“So this is a big deal. And it gets to the heart of banking.”
Leibbrandt believes these events are a problem on “at least two fronts” – namely banks could be put out of business; and because the financial system is “hugely interconnected and it operates on trust”.
Interview of the self
In the speech, Leibbrandt made reference to the media coverage and set himself two questions to answer: “Isn’t Swift in the middle of all of this? What are you going to do about it?”
He says: “In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the Swift instructions are generated and the confirmations received.
“And while we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.”
However, Leibbrandt wants Swift to be part of the solution and it can do this by sharing information.
He says: “Information sharing needs to get better, much better. It is critical that the global financial community works together to bolster our mutual security.”
Leibbrandt adds: “We are the global bank-owned co-operative at the heart of the global payment system, a system that is facing a persistent threat. We are stepping up to the plate as our owners and overseers expect us to.”
He says Swift’s Customer Security Programme will “only work if the industry works together”.
Leibbrandt says: “Swift is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry.”
“The cyber challenge is huge, and demands action, and change, by all stakeholders. And change is hard. Sometimes it takes a crisis. As the saying goes: ‘a crisis is a terrible thing to waste’; so let’s use this crisis as an industry to come out stronger, better and even more secure.”