In the wake of countless high-profile data breaches, SWIFT, the provider of a transaction messaging system used by 11,000 banks across more than 200 countries, has taken a significant step to reduce cyberrisk across its member community. Several of SWIFT’s member banks have faced cyber heists in recent years, most notably when $81 million was stolen from the Bangladesh Bank in 2016.
To help strengthen security across the entire network, SWIFT unveiled its Customer Security Controls Framework in early 2017, which became mandatory for all member banks on Jan. 1, 2018. The framework focuses on strengthening the SWIFT network against cybertheft and fraud by improving the security posture of the banks connecting to it, compelling participants to segment, secure and monitor their infrastructure, communications and users.
From a security perspective, the framework is not significantly different from other regulatory requirements, especially in the financial services industry. That is not to say compliance will be easy for many banks, however, especially smaller banks in less-developed countries. The framework includes requirements around identity and access management, vulnerability and patch management, and other fundamental security processes that should already be priorities across every institution.
It also mandates segregation of access privileges, which is a technical extension of the typical segregation of duties process, but may pose a challenge to achieve in some smaller environments. The objective is to prevent any one person or user account from having too much independent power without the participation of at least one other person, thereby mitigating the risk presented by insiders or by malicious actors using stolen credentials. Network segmentation is another requirement, and it is a critical foundation of security, especially when trying to protect an industry-shared network like SWIFT from the vagaries of each participant’s general corporate network environment.
Banks may find that the biggest compliance challenges in the SWIFT Controls Framework are those focused on changing and monitoring people’s behavior. To that end, SWIFT requires banks to ensure all staff are aware of their security responsibilities and perform regular security training and awareness activities.
In general, effective security training has become both easier and more difficult to implement. Traditional compliance training can be a mind-numbing, check-the-box exercise that may make regulators feel better, but it does not usually achieve its desired goals. What has proven effective at changing behavior is short, targeted training that is timely and engaging. Behavioral analytics are increasingly being used to analyze a user’s actions and enable more personalized training for repeat offenders who continue to behave carelessly. Targeting the training based on actual behavior at the time of the violation drives user engagement and can improve results.
User and entity behavioral analytics also play a role in identifying and stopping malicious and fraudulent activities that often do not trigger any system alarms. SWIFT requires the monitoring of such activity in Control #6, “Detect Anomalous Activity to Systems or Transaction Records.” Unless the thief trips a system alarm, identifying unusual behavior is the only way to catch and stop an attacker. SWIFT calls for monitoring both transactions (which is a process already familiar to many banks due to their anti-money laundering programs) and system activity, where behavioral technology is now being applied to detect both malicious and non-malicious offenders, as well as cyberbreaches. Complying with this control requires significant logging and analytics capabilities, as well as subject-matter expertise. This will be an incremental change for some banks, while those without the right telemetry infrastructure will have to do some heavy lifting in a short period of time.
Much of the SWIFT Controls Framework is well-tread ground from a security perspective, but more interesting and novel is the method it uses for compliance reporting and enforcement. Banks have to sign onto SWIFT’s “Know Your Customer” portal and attest to their compliance with the controls framework. SWIFT is not the first to require a confirmation of compliance, but it is the first to implement such granularity and transparency in reporting. The attestation is not a blanket comply/not comply sign-off, but instead drills down to specific controls. Respondents can check off that they comply with the requirement as stated, comply with the requirement in a different way, will comply by a future date, will not comply, or that the requirement is not applicable to them. Additionally, each bank’s attestations will be available to the other banks on the network.
In addition to the threat of supervisory action, this level of granularity and transparency adds a peer enforcement that creates a sort of herd immunity. It is not just about a potential audit from a regulator at some point in time, but a daily enforcement mechanism that enables banks to manage their risk exposure from non-compliant banks and motivates those non-compliers to raise the bar.