With authorities now looking into data breaches at as many as 12 banks linked to the SWIFT network, corporate treasurers are undoubtedly concerned over the security of their own SWIFT connections.
Over the past several weeks, SWIFT Service Bureaus (SSBs) have been receiving calls from their corporate clients, asking whether their connection to the network is secure. Given that at least one such SSB was named in the Vietnamese bank case, corporate treasury departments that use similar vendors are understandably concerned.
Mohan Murali, president and CEO of Axletree Solutions, a provider of SWIFT connectivity and treasury services, told AFP that he has been fielding calls from corporate clients since the Vietnamese bank story broke, and has had to assure them that not only is the SWIFT network secure but also their connections through Axletree are secure. The reason for this, he explained, is that Axletree has obtained the Premier Operating Practices Label, which is the highest form of accreditation awarded to SSBs by SWIFT.
While there are over 100 service bureaus worldwide, only a few of them have achieved this particular certification, Murali explained. “To get this certification requires a physical onsite audit by SWIFT auditors,” he said. “They have minimum requirements that a service bureau should meet, which include security, resiliency and customer service.”
SSBs that do not carry any type of certification are not necessarily insecure. Murali does not see this incident as an indication of weakness in the SSB model. “Just because one service bureau got hacked, doesn’t mean that all service bureaus are bad,” he said. “But there have been failures on service bureaus’ part to maintain certain minimum competency levels, hence the reason SWIFT started this certification process in 2010.”
Corporate treasurers have choices when it comes to SWIFT connectivity; they can go through a service bureau or connect directly through Alliance Lite2. Either method is secure as long as certain protocols are followed. However, if the connection is not hosted by a treasury management system provider that manages the messages as they come through, then treasury will have to monitor the security of that connection on its own.
Of course, no system is impenetrable. Even if you’re using a service bureau for your SWIFT connection that has gone through SWIFT’s rigorous vetting process, it’s still worth checking in with that vendor periodically and making sure it is doing everything it’s supposed to be doing. Conversely, while there’s nothing to suggest that Alliance Lite2 has any security issues, it’s nevertheless important that you make sure you have all the latest updates.
After all, if banks—who are typically targeted by cybercriminals much more often than companies—could allow this type of incident to occur, then corporates are even more vulnerable than they realize. The SWIFT network is secure—it is important to note that in each of the reported incidents, the actual network was not breached—but criminals have achieved success by targeting other, weaker access points. Hence the reason maintaining separate systems is so important.
FireEye, the security firm which was hired by Bangladesh Bank to investigate its $81 million heist, has been contacted by multiple banks connected to the SWIFT network about breaches. The banks are primarily in Southeast Asia and New Zealand, with no reported cases in Western Europe or the United States. It is unknown whether any money was actually stolen. Bloomberg noted that the expansion of the investigation in the four months following the Bangladesh breach suggests “a broad and serious campaign to breach the international financial system.”
Symantec said last week that it had uncovered evidence that a Philippine bank was hit by the same hackers that hit Bangladesh. The security firm came to that conclusion after reviewing the tools used in both incidents. The tools also suggest a link to the 2014 hack on Sony Pictures.
Last week, SWIFT CEO Gottfried Leibbrandt announced a five-part plan to reinforce the security of the SWIFT network. The plan includes initiatives to:
- Improve information sharing among the global financial community
- Harden security requirements for customer-managed software to better protect local environments
- Enhance SWIFT’s guidelines and develop security audit frameworks for its customers
- Support banks’ increased use of payment pattern controls to identify suspicious behavior
- Introduce certification requirements for third-party providers.
“This will only work if the industry works together—banks, regulators, third-party providers and SWIFT,” Leibbrandt said during a keynote address at the European Financial Services Conference in Brussels. “SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain (and, for some, become) banks’ priority.”