SWIFT CEO Gottfried Leibbrandt delivered the keynote address at the 14th annual European Financial Services Conference in Brussels today. During the speech, Leibbrandt announced SWIFT’s five-part Customer Security Programme to reinforce the security of our shared, global financial system.
The five part-plan, includes initiatives to:
- Improve information sharing among the global financial community;
- Harden security requirements for customer-managed software to better protect their local environments, enhance our guidelines and develop security audit frameworks for customers;
- Support banks’ increased use of payment pattern controls to identify suspicious behavior; and
- Introduce certification requirements for third party providers.
The following is Leibbrandt’s speech as prepared for delivery:
Hello and thank you for having me here today.
Cyber security is serious. It’s a critical issue for the financial system – and it’s a critical issue for SWIFT. Cyber concerns are not new to us at SWIFT. Indeed, ever since I took on this job, cyber risk has been the main thing to keep me awake at night. We work very hard at improving the cyber security of our network; every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. And rightly so for SWIFT. After all, we are trusted by our clients to carry billions of high value payment messages a year. This requires a network that meets the highest standards in terms of: Confidentiality, Integrity and Availability.
Our network was designed to meet these challenges. Cyber security is part of our DNA – it is not an afterthought. Not just hardware and software, but people, processes, procedures, checks, in fact a whole organisation for whom “failure is not an option”.
So, as we’ve said a few times before these past few months, let me repeat: SWIFT, our network, software and our core messaging services have not been compromised. Ensuring that remains the case is, and always will be, SWIFT’s top priority.
But the financial industry, as a community, has to be clear that cyber risk is big; there will be more cyber attacks. And inevitably some will be successful. Acknowledging this doesn’t mean we are resigned to it. Rather, it means that we must work even harder at our collective defensive efforts.
Recent Cyber fraud events are a watershed event for the industry
Let me turn to the recent fraud at Bangladesh that has caught multiple headlines. I think it will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts. The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated.
So this is a big deal. And it gets to the heart of banking.
Keeping money secure is core business for banks. So these events are a problem on at least two fronts.
First it’s a problem because banks that are compromised like this can be put out of business. It’s not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits, and may face some financial liabilities, but things will move on. When banks lose control of access to their payment channels, it’s different. In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.
Second, it’s a problem because the financial system is hugely interconnected and it operates on trust.
What about SWIFT?
At this point two questions pop up for SWIFT, at least they have in the press: 1. Isn’t SWIFT in the middle of all of this? 2. What are you going to do about it? Let me answer both in turn, since the answer to the first forms the basis of the second.
As I said above, SWIFT, our network, software and our core messaging services have not been compromised. In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the SWIFT instructions are generated and the confirmations received. And while we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.
At the same time, we play a crucial role in the global payments system, and the events form a direct threat for that system. We therefore very much want to be part of the solution. We think we can be and we have to be.
The need to share information
Over the past weeks and months, we have already stepped up our efforts, notably on sharing information.
The gravity of this threat is the very reason that all of us in the global financial community have to be willing to share that information. Through trusted channels, of course; but we have to share.
Banks can learn from one another about the modus operandi and put better preventative measures in place; entities like SWIFT can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities. We are doing so.
But information sharing needs to get better, much better. It is critical that the global financial community works together to bolster our mutual security.
We are calling for a collective effort in our global financial community to reinforce the security of our entire, shared system.
Our security is our collective mission and can only be strengthened through a collaborative approach which includes SWIFT, third party suppliers, policymakers, regulators and our users, big and small.
And particularly the large clearing banks – many of whom I see here today – have a really important role to play; your networks of relationships means that you can have a truly global, viral effect.
And we are going to do much more. We are the global bank-owned cooperative at the heart of the global payment system, a system that is facing a persistent threat. We are stepping up to the plate as our owners and overseers expect us to.
Customer Security Programme
Indeed, we are working with our community on a five-part customer security program that we will announce later this week; five big initiatives that mutually reinforce each other. We are reaching out to customers to discuss with them in more detail and answer any questions.
First, as I just mentioned, we aim to drastically improve information sharing among the global financial community. We will demand more information of our customers, and share that back with the community. The ambition is to do on an international scale what banks in several countries are already doing domestically. We will do it in a confidential way that uses the data while protecting the identity of the institution and customers.
Second, we will harden security requirements for customer-managed software to better protect their local environments.
Third, we will enhance our guidelines and develop security audit frameworks for customers.
Fourth, we will look to see what we can do to support banks’ increased use of payment pattern controls to identify suspicious behavior.
And finally, we will introduce certification requirements for third party providers.
This requires Cooperation
This will only work if the industry works together. Banks, regulators, third-party providers and SWIFT. SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain (and, for some, become) banks’ priority.
Let me close by returning to innovation.
The opportunities that innovation has brought banks and their customers are tremendous – technology and connectivity have introduced the sector to cyber risk. Back before mainframes, ATMs, mobile banking and PCs, it was all about men and guns. Now it is about men and hoodies hunkering over keyboards. And as we continue to connect everything to everything, things will get ever more challenging.
We are seeing some really exciting advances in innovation – and that’s great. The banking experience is immeasurably better today than it was a few years ago – inside banks as well as outside. Let’s have more of that. But these amazing technological advances open the door for increasingly complex cyber threats, the problem must become the solution – technology is essential to our cybersecurity.
Now more than ever, we need to see innovation in security – we’re seeing some, after all, the famous AES algorithm was designed less than 30 km away from here, but let’s have more.
You all know what I’m talking about – bring on the next generation of pattern recognition, monitoring, anomaly detection, authentication, biometrics—and a host of innovations we have yet to develop that will improve and preserve the security of our industry.
We need more of these incredible innovations, and just as importantly, our industry needs to use more of what’s already available to us.
The cyber challenge is huge, and demands action, and change, by all stakeholders. And change is hard. Sometimes it takes a crisis. As the saying goes: “a crisis is a terrible thing to waste”; so let’s use this crisis as an industry to come out stronger, better and even more secure.