SWIFT wants to improve security for its banking partners and said it will require baseline security controls, but a lack of details in the plan has left experts worried about the effectiveness of implementing the policy.
The SWIFT interbank messaging system has been under fire after high-profile fraud attacks attempted to steal $1 billion, but a string of announcements regarding security improvements has created more questions than answers. The latest plan to improve SWIFT security will mandate baseline security controls, with inspections and enforcement beginning Jan. 1, 2018.
However, SWIFT hasn't released the details of the required security controls. Preliminary details will be released in October and undergo a two-month vetting process, with the finalized policy being published by the end of March 2017. This would leave banking partners nine months to implement the SWIFT security-control requirements.
Avivah Litan, vice president and distinguished analyst at Gartner, said she didn't put much faith in these being hard deadlines.
"It's just a line in the sand. It gets the system going -- although, surely, the regulators won't all of a sudden, in January 2018, start inspecting for implementation of the standards that have yet to be publicly released," Litan told SearchSecurity. "Also, the repercussions for a member not self-attesting that it meets the standards are weak, at best. It's not clear anyone will stop doing business with a SWIFT member who has not self-attested -- and, in fact, it's highly doubtful."
Dick Bussiere, APAC technical director for Tenable Network Security, based in Columbia, Md., was impressed with the transparency built into the plan.
"One interesting aspect is that, after Jan. 1, 2018, all member banks will be forced to make their compliance status available to their peers," Bussiere said. "What's good about this is that banks may choose who they do business with, and banks with weak compliance status may find that other banks do not want to do transactions with them. This creates incentive to comply, even if local regulators are weak."
SWIFT Chairman Yawar Shah admitted "this will be a long haul, and [it] will require industrywide effort and investment, as well as active engagement with regulators."
"The growing cyberthreat requires a concerted, communitywide response," Shah wrote in the announcement. "This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT's Customer Security Programme."
Enforcement of the new security-control mandate has also been questioned. SWIFT said customers "will be required to demonstrate their compliance annually against the specified controls set out in the assurance framework." But SWIFT distanced itself from the enforcement by saying, "the status of any noncompliant customers to their regulators."
Litan questioned the efficacy of this type of policy.
"I think it's the best SWIFT can do right now -- although, it is doubtful it will be very effective, especially in emerging markets where regulator enforcement of cybersecurity standards is weak, at best," Litan said. "[Neither] SWIFT, nor the banking system is staffed for this type of enforcement. SWIFT would need considerable funding to staff itself for these types of global cybersecurity audits and enforcement efforts."
Bussiere said leaving enforcement to regulators undermines the point of security-control standards.
"There is an incredible amount of variability in the quality of banking regulatory bodies from country to country. Some regulatory bodies may take strong measures against noncompliant banks, while others may do little to nothing," Bussiere told SearchSecurity. "SWIFT itself should enforce the security regimen and implement strict consequences for noncompliance. This would ensure consistency in both quality of implementation and enforcement."
Tom Kellermann, CEO of Strategic Cyber Ventures, based in Washington, D.C., said it was ridiculous for SWIFT to allow "the cybercriminal community to burrow in for another 15 months."
"I think that SWIFT needs to impose forward-leading cybersecurity mandates upon her ecosystem," Kellermann told SearchSecurity. "Failure to comply should result in penalties, if not banishments. As a lack of diligence, cybersecurity will result in systemic risk in the payment system."
Separately, SWIFT announced the completion of the first phase of its global payments innovation (GPI) initiative pilot to improve cross-border payments. SWIFT said the intent is to increase "the speed, transparency and end-to-end tracking of cross-border payments."
"The GPI initiative will deliver another major innovation with the provision of end-to-end payments tracking," SWIFT wrote. "The payments-tracking service will be hosted in the cloud, based on a global tracking database hosted by SWIFT."
Experts had varying degrees of praise for the improvements in end-to-end payment tracking. Litan was cautious.
"It's a start -- it generates security awareness amongst SWIFT member banks, and that's a good thing," Litan said. "Over time, assuming the hacks against SWIFT messaging continue -- and I assume they will -- SWIFT will have to figure out a more effective security-enforcement system."
Bussiere was more optimistic this change would help improve SWIFT security.
"The logging of transactions on both sides is a great step in improving security," Bussiere said. "In effect, it's a monitoring solution that will greatly increase the chances of detecting fraudulent transactions before they close. This was not possible with the Bangladesh attack."