SWIFT to review security strategy following cyber attacks – with the ultimate on the table for banks with poor security
SWIFT, the global inter-bank payments system, will threaten members with expulsion over poor cyber security in a shake-up in the organisation’s security strategy.
That is the message of SWIFT CEO Gottfried Leibbrandt following a string of sophisticated cyber attacks at a number of banks, which seem to have been conducted by experienced attackers with knowledge of both SWIFT and banks’ international payments procedures.
Responding to claims that SWIFT itself had been lackadaisical over the potential risks that cyber security lapses posed to its proprietary payments network, Leibbrandt admitted that the recent attacks had “changed the game completely”.
Speaking to the Financial Times, Leibbrandt added: “We could say that if the immediate security around Swift is not in order we could cut you off, you shouldn’t be on the network,” he told the paper. “There are pros and cons to that. The pros are that it provides clarity that if you are on the Swift network you need minimum standards. I think the con is if you do it too heavy handed you could drive people to unsafe channels.”
Faith in the integrity of the SWIFT system has been shaken by the cyber attacks, with one bank, Ecuador’s Banco del Austro, suing HSBC and HangSeng Bank, the beneficiary banks that, it claims, held accounts in Hong Kong used by the thieves.
Leibbrandt was talking the Financial Times just days after SWIFT unveiled plans for improving security. These include tougher security and operational baselines, alongside tougher audit standards and certification processes. These would be policed by both SWIFT, as well as national and international regulators.
SWIFT has been on the back foot for the past month as more and more information has emerged, and more banks have been identified as targets of the cyber thieves – even though two of the four known attacks so far were foiled.
In the biggest attack, cyber thieves set-up a series of payments totalling $951m from Bangladesh Bank, the central bank of Bangladesh, from its account with the New York Federal Reserve. However, an overt spelling mistake in the name of one of the beneficiaries alerted a clerk at one of the correspondent banks routing the transactions, enabling most of them to be stopped.
At the end of May, it was claimed by security specialists Symantec that an analysis of the code pointed to a gang believed to be run from North Korea. That had followed earlier claims by BAE Systems linking the Bangladesh Bank attack specifically to the same group behind the attack on Sony Pictures Entertainment, which the US authorities had pinned on North Korea.