Following a series of thefts from international banks utilizing the Society for World Interbank Financial Telecommunication (SWIFT) communication system, the Chief Executive Officer of SWIFT announced a sweeping five-part plan to “reinforce the security of our shared global financial system.” The five-part plan includes:
- “Improve information sharing among the global financial community;
- Harden security requirements for customer-managed software to better protect their local environments, enhance our guidelines and develop security audit frameworks for customers;
- Support banks’ increased use of payment pattern controls to identify suspicious behavior; and
- Introduce certification requirements for third party providers.”
In his May 24 speech to the 14th Annual European Financial Services Conference, Mr. Leibbrandt stated that cyber risk has been the main thing keeping him awake at night. He stated that the financial industry must work harder at collective defensive efforts and that the fraud at the Bank of Bangladesh and two other banks will prove to be a watershed event for the banking industry. Mr. Leibbrandt further stated that “banks that are compromised like this can be put out of business. It’s not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits, and may face some financial liabilities, but things will move on. When banks lose control of access to their payment channels, it’s different. In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.” (emphasis added)
Banks are under ever-increasing regulatory and industry requirements relating to information security. How the new SWIFT plan will work with the Cybersecurity Framework for Critical Infrastructure, the new FFIEC Assessment Tool and revised Handbook, the announced, but as yet unissued, cybersecurity regulations from the New York Department of Financial Services, and similar programs from the UK Financial Authority and the Monetary Authority of Singapore, among others, remains to be seen. Harmonization of the requirements on bank cybersecurity does not appear likely in the near future.