Swift issues plea to collaborate in fight against cybercrime
It is vital that the Swift community learns from cyber attacks and strengthens cooperation, delegates were told yesterday. Chief technology officer (CTO) of Swift, Craig Young, said such attacks were increasing in number and sophistication across all industries.
Marco Gercke, director of the Cybercrime Research Institute, said: “The financial industry is lacking co-operation. I know privacy is important to you but you can share information such as ‘we were attacked on Monday and this is the method they used’. You should because you could be next.”
Cheri McGuire, chief information security officer at Standard Chartered, agreed, commenting that “cyber is a ‘team sport’ and we need to work together – it’s not a competitive differentiator.”
Rob Wainwright, director of the Europol law enforcement agency, was more optimistic, although he did mention a lack of adequate data hygiene as a concern at banks. “We see better co-operation now than we did in the past,” he said. “But it’s only what the criminals are doing themselves. They trade and talk on the dark web all the time.”
Europol has stopped numerous distributed denial of service (DDoS) and other attacks, “but incidents have increased five-fold this year”, he said, warning the industry not to rest on its laurels or stall its co-operation efforts.
McGuire pointed to the Cyber Defence Alliance that her bank, Santander, Deutsche and Barclays have initiated, “with other banks joining us”, and to the Swift Customer Security Programme as good examples of collaboration. The programme was launched after the Bangladesh Bank heist and is striving to improve education and cyber security best practice among Swift’s partner banks.
Swift has also hired BAE Systems and Fox-IT to help its internal cyber security team to investigate any weaknesses in its procedures, and more importantly, to help strengthen the connectivity, education and software and security arrangements of its partner banks when accessing its network. Swift maintains its core is secure, but any lessening of trust in its network is a grave systemic threat to its existence, which relies on trust. This is why cyber has been such a crucial topic in Geneva.
Any network is only as strong as its weakest member. Swift’s chief executive, Gottfried Leibbrandt, warned in June that banks with inadequate cyber defences could find themselves excluded from the organisation’s payment network.
Young stressed the need for practical and strategic planning, while Gercke urged banks to accept they cannot protect the perimeter and networks all the time and to focus instead on data protection and a “recovery strategy”.
McGuire referred to data as the “crown jewels” and recommended banks concentrate on that and protect the classic “three legs of the stool” – namely, people, process and technology, “otherwise the stool will fall over.”
Chandan Sinha, executive director, Reserve Bank of India (RBI), shared with the Sibos audience his country’s efforts in this field, which include a formal co-operation procedure introduced in 2010 to fight cyber crime. “It was voluntary to start with, but is now mandatory,” he said. “RBI also issued new cyber security best practice guidelines in June 2016 on information sharing, data hygiene and so forth. Banks can benchmark against this and by 2018 all banks will have to pass a [cyber security] examination.”
A clear warning there that cyber security is becoming a ‘licence to play’ issue for banks and that they need to invest and collaborate in the battle against fraudsters, politically motivated hackers and others. The Carbanak gang that stole $1 billion from 100 banks across 30 countries is another recent example of the severity of the threat.
Meanwhile, Swift yesterday announced a new set of core security standards and an associated assurance framework for its customers. The standards will be mandatory for all customers, who will be required to demonstrate their compliance annually against the specified controls set out in the assurance framework.
Under the assurance framework, customers will be required to provide self-attestation against 16 mandatory controls on an annual basis. Self-attestation will start in the second quarter of 2017, when the standards will be made applicable to all customers connected to Swift, including those connected via service bureaus.
By Neil Ainger, Daily News at Sibos reporter