In recent years, several SWIFT member banks have been targeted by cyber fraudsters, resulting in accumulated thefts of many millions of dollars. Banks in several different countries have been victimized, demonstrating that there are no borders when it comes to cybercrime and that any company can be targeted.
Interestingly, SWIFT has featured in the headlines reporting each of these incidents, although the SWIFT network itself has not been compromised. The thefts succeeded because security gaps in member financial institutions were exploited. SWIFT’s response has been very proactive, but the reputational damage SWIFT has incurred (resulting from member security gaps) has been severe and undeserved.
In 2016, SWIFT launched a Customer Security Programme (CSP) to help customers strengthen cyber defense in their institutions. One of the measures SWIFT introduced is the Daily Validation Reports service, which is designed to supplement customers’ existing fraud controls. Based on SWIFT’s records of customers’ messages, the Daily Validation Reports give customers a summary of their message flows. This affords them an independent means of verifying their messaging activity and detecting any unusual patterns, which enhances their ability to identify possible fraud attempts and improves their likelihood of canceling any fraudulent transfers. In addition, in April 2017, SWIFT announced a new payment controls service to bolster customers’ fraud and cybercrime controls.
SWIFT’s CSP also issued a new security controls framework in April 2017 detailing security requirements for all members; in May 2017, SWIFT issued its attestation policy that sets out in detail the annual security attestation process all SWIFT users will be required to complete. Since then, SWIFT has been offering training sessions to all its customers. Ultimately, upon request, all SWIFT customers will be able to view the attestations submitted by other SWIFT customers they exchange messages with over the network.
SWIFT’s leadership in developing the security framework was necessary because without it, these attacks would continue to be successful. Undoubtedly, many member banks need this guidance to determine how best to protect themselves from such attacks. Now the onus is on all SWIFT members to get with the program and to better secure their systems to prevent future attacks. In today’s world of cybercrime, these attacks are certain to continue as long as security gaps are not addressed.