SWIFT Knew About Security Issues, Did Little about Them
SWIFT, a Belgium-based, bank-owned co-op and provider of financial messaging services, has been aware of flaws in the way smaller banks used SWIFT’s messaging terminals, thus compromising the security of the system, but the organization did little to address the matter. Those are the assertions of more than a dozen current and former high-ranking SWIFT officials, according to a Reuters report on Aug. 17. SWIFT’s messaging services, which transmit billions of dollars around the world, are used by more than 11,000 financial institutions in more than 200 countries and territories.
Former SWIFT managers and directors were quoted by Reuters saying that the organization didn’t monitor the “extent of sloppy security practices” and that SWIFT perceived smaller banks as potential, but not immediate, threats to network security. What’s more, SWIFT never acted because it believed bank regulators were responsible for ensuring smaller banks’ security procedures were up to snuff, according to former board member Arthur Cousins. It wasn’t until February, when cyberthieves tried to steal $1 billion by hacking Bangladesh’s central bank’s messaging system, that SWIFT viewed the security of customer terminals as a priority, Reuters said. Although that attempt was thwarted, criminals ended up taking money from Bangladesh’s account at the New York Federal Reserve and diverting $81 million to banks in the Philippines.
“The board took their eye off the ball. They were focusing on other things and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system,” Leonard Schrank, who was SWIFT CEO from 1992 to 2007, was quoted as saying in the Reuters story. He added that he was aware that users’ terminals were a weak link in SWIFT’s security, but did little about it. “So I am partially responsible,” he said.
A SWIFT spokesperson said that security is a priority for SWIFT and “today’s security threats are not the same threats the industry faced five or 10 years ago—or even a year ago—and like any other responsible organization, we adapt as the threat changes.”
Gottfried Leibbrandt, SWIFT CEO since 2012, outlined the company’s multipronged approach to further secure the global financial system during a financial services conference in Brussels in May. SWIFT’s security plan includes: better information sharing among financial institutions; stronger security requirements for customer-managed software; certification requirements for third-party providers; and increased use of tools and methods to identify suspicious behavior.
Also, in the wake of the Bangladesh bank theft, the Federal Financial Institutions Examination Council, which promotes uniformity in the supervision of financial institutions, urged banks to manage and mitigate risks associated with interbank messaging and wholesale payment network functions, and U.S. Rep. Lamar Smith (R-Texas) demanded that New York Federal Reserve officials turn over documents related to the Bangladesh bank incident, including information related to the SWIFT system and its cybersecurity.
In related news, Reuters reported on Aug. 16 that the Bangladesh central bank has reconsidered suing the Fed and SWIFT and, instead, will seek their help in recovering the stolen $81 million.