The threat from cyber attackers "is more organized and global than ever before", according to Yawar Shah, chairman of SWIFT, the international correspondent banking network that connects 11,000 banks around the world and facilitates cross-border payments.
Speaking at the 2017 SWIFT Business Forum in London last week, Shah warned that it was "not enough" for every bank to have its own defenses anymore. "You also need to protect the infrastructure", he said on 25 April at the event in East London.
SWIFT unveiled a new payment controls service in London that is designed to bolster its customers' fraud and cyber-crime controls. "It is aimed at smaller banks initially and intended to help them detect unusual customer flows and suspect activity before a payment message instruction is sent," said Shah.
The new launch is accessible in the cloud and forms part of SWIFT's Customer Security Programme (CSP). This was launched last year after various hacking incidents involving Bangladesh Bank and, before that, Vietnam's Tien Phong Bank and Ecuador's Banco del Austro SA, which collectively threatened to undermine trust in the global banking platform.
The CSP includes educational security training for SWIFT's many end users and a self-attestation requirement that all banks meet minimum security standards by the end of this year, which will be policed and regularly checked with various risk models and test scenarios.
"The challenge arises because everything is connected in today's world and criminals are attacking entire ecosystems, necessitating a response," said Gottfried Leibbrandt, CEO of SWIFT, speaking later on at the 2017 SWIFT Business Forum, London. The imminent need to meet minimum security standards in order to maintain access to SWIFT's network was a major talking point at the event.
"Protecting individual perimeters is no longer the best cyber-security approach for a bank," added Leibbrandt. "Instead, you need to be ready to respond to multiple lines of attack with multiple lines of defense. It is the same with ecosystems, such as SWIFT's."
Jean-François Legault, global head of cyber-security operations at JP Morgan, joined Leibbrandt during a panel session in London, and shared some tips for his peers in the audience.
"Alignment is the key issue for me," he said, as he urged the risk team to work with the cyber-security team, with operations, legal and all other departments within a financial institution (FI). The need to communicate and cooperate stretches to external clients, counterparties, and infrastructures such as SWIFT.
"You need control mechanisms looking at secure end-to-end processes that are validated and integrated into your enterprise-wide operations," said Legault. "This way you can leverage intelligence into making effective decisions. For instance, if a payment has been pre-identified as a potential risk – maybe it is from a bad IP address – then you can investigate before allowing it through."
This would reduce false positives as well, helping bank operations run smoother and more efficiently, as fake alerts and customer delays would be reduced.
"Our problem is when you set a mousetrap, they build a better mouse," said JP Morgan's Legault, in reference to the escalating 'arms race' that exists between cyber attackers and defenders. "Criminals share information and co-operate online, which is why FIs must too."
According to Javier Pérez-Tasso, chief executive of the Americas & UK at SWIFT, who also took to the stage in London, dealing with the threat from cyber-criminals is a "team sport" that requires an "industry-wide response" because "there has been a 40% rise in attacks targeting FIs."
Banks, insurers and others are four times more likely to be targeted than other sectors, added Pérez-Tasso, as that is where the money is. "Getting hit is very expensive."
Cyber-security is a particularly pertinent point for SWIFT as in recent weeks it has had to deny reports that the US National Security Agency (NSA) accessed a backdoor to its network in order to plant spyware and monitor data traffic from Middle-eastern banks.
The NSA allegedly hacked into the EastNets SWIFT Service Bureau, which connects 260 banks to the messaging platform, and is popular with users in the Middle-east. The claims arose last month following a blog from Shadow Brokers, possibly a Russian-backed hacking group, which purported to show the latest nefarious activities of the NSA. Both SWIFT and Eastnets have denied the claims.
SWIFT initiated its CSP in response to an earlier 2016 attack against one of the users on its network, Bangladesh Bank. Almost $81 million dollars were wrongly transferred to an account in the Philippines during this hack attack, only a small proportion of which has been found, before the Federal Reserve Bank of New York stepped in to block 30 other transactions that wanted to transfer a further $850m.
The systemic risk to SWIFT's position at the epicenter of global finance demanded a response. The cyber-security firms BAE Systems and Fox-IT were immediately hired to help test systems, educate users and the CSP was rolled out last year.
The compliance phase of this program is now facing SWIFT's correspondent bank users with adherence to the minimum standards it enforces required by year end.
As Yawar Shah, SWIFT chair, said at the show: "We've only limited time left", he maintained SWIFT stands ready to help.
"It is more difficult when attacks are not happening on your network, but in an ecosystem that you are part of," said JP Morgan's Legault, in reference to SWIFT and the need for banks to cooperate.
"You need to understand the wider environment and anticipate attacks from known sources, countries and attack vectors," he said. "FIs must simulate scenarios and learn where there are any gaps that need closing across operations, legal, risk and all other departments."
The rising cyber-security threat demands no less and a coordinated, effective response is required.