After a bevy of cyber-heists in 2017 – one at Bangladesh Bank that raked in US$ 80 million (£59 million) for the modern day bankrobber, the SWIFT Customer Security Controls Framework went into effect 1 January, 2018 requiring all 11,000 SWIFT member banks in more than 200 countries to comply or face regulatory and economic consequences.
While organisations often drag their feet in adopting new cyber-requirements, playing the odds that either they won't be breached or found out by regulators, a bank's compliance with the SWIFT framework is transparent to other members of the global messaging platform.
“Everybody [on the SWIFT network] has visibility into it,” said Bay Dynamics vice president of strategy Steven Grossman, who noted those not in compliance would risk being ostracised by other banks who have adopted the framework.
The wave of cyber-attacks that leveraged the SWIFT messaging system showed that “banks [were] still behind the times” and had “mastered physical security with big vaults and armed guards,” but not cyber-heists, Yorgen Edholm, CEO of Accellion, told SC Media at the time. “However, Jesse James and Patty Hearst aren't the bank robbers society has to worry about any more. What's even more frustrating is the fact that hackers are employing the same methods time and time again – and are still successful. We need change now! Until SWIFT and their customers figure out together a way to prevent these hacks, they will continue and faith in the global banking system will continue to suffer.”
SWIFT jumped on the issue, though, and developed the newly implemented framework, which required members to implement 16 mandatory controls - including multifactor authentication, and continuous monitoring – that Grossman said “are not burdensome or novel,” before the 1 January deadline
Another 11 advisory, or optional, controls, such as vulnerability scanning, could become mandatory down the line as the framework – and threats to member institutions – evolve. “The first steps [in the framework's evolution] would be making optional controls mandatory,” said Grossman, who noted, “I don't think we'll ever be done” because bad actors never rest and new threats spring up with regularity.
He cautioned that the SWIFT requirements not be viewed as an overall cyber-security framework for financial institutions. SWIFT didn't intend for it to be “the be all, end all,” said Grossman. The controls are “focused on protecting the SWIFT network.”