As the financial world becomes ever-more technologically advanced and interconnected, the risk of a cyber attack posing a systemic threat increases. Taking it upon themselves to ensure the safety of one of the world’s largest financial networks has been payment services provider Swift. In 2016, Bangladesh Bank witnessed the biggest cyber attack yet against a central bank. The result was millions of dollars being transferred through the Swift network to accounts in the Philippines, a significant proportion of which is yet to be recovered. It was a watershed moment for the community.
Though Swift’s network was itself not compromised, Swift had to be proactive and act quickly to preserve its reputation. It also had to send a message to its clients that weaknesses in their own systems would no longer be tolerated. The result was the introduction of the Customer Security Program (CSP).
The cornerstone of the initiative is the customer security control framework – a mix of mandatory and advisory cyber security criteria that Swift revises annually. The controls establish a security baseline for all 11,000 institutions connected to Swift and must be implemented within each customer’s local Swift infrastructure. By the end of December 2018, 94% of customers had attested to their level of compliance with the mandatory controls.
As part of the initiative, Swift has also created an information-sharing system, recognising the crucial importance of information sharing in the fight against cyber crime. A newly developed customer security intelligence (CSI) team is now in operation and investigates cyber incidents experienced by Swift customers. The CSI identifies new attack patterns, techniques and tactics that can help customers protect themselves against future cyber attacks. Information from investigations is anonymised and made available in an information-sharing portal.
The newest element of the CSP has been the introduction of payment controls – a solution to help combat fraudulent payments through strengthening banks’ existing security measures. The controls were developed in conjunction with the Swift community and use real-time monitoring to alert users and block suspicious payments. “This gives banks’ internal systems the unique ability to define and control their screening parameters according to their own risk and compliance policies,” says chief executive Javier Pérez‑Tasso.
Payment controls reporting also provides an independent record of inbound and outbound payment activity, enabling banks to validate whether their in-house payment system’s record of activity is correct – which is critical if customer environments are compromised.
Worldwide, central banks are adopting Swift’s new CSP as attackers prove increasingly determined, patient and cunning, breaching systems that once appeared impenetrable. Swift has forced global institutions to step up to the growing threat and its programme is delivering tangible results.