Tick, Tock: New SWIFT Security Regs Take Hold Jan. 1

Dan Gunderman
12/20/2017

SWIFT, a widely used global banking platform, will be implementing a new cyber security framework that is poised to strengthen protection for 11,000 institutions across more than 200 countries.

Come January 1, 2018, the financial institutions that use SWIFT will be subject to the platform’s new Customer Security Controls Framework, which is being described as a security “baseline” for enterprises both large and small. It could prove difficult for smaller institutions, or those in developing nations, whose security posture is far from optimal.

The framework comes just one year removed from a high-profile heist in the financial sector that saw the Bangladesh Bank hemorrhage $81 million. The framework is a regulatory structure born in the fallout of that event.

The SWIFT Controls Framework will call for incident response, security awareness training, multifactor authentication and anomalous behavior detection, according to Forbes.

The framework comprises 16 mandatory controls and 11 advisory controls, some of which could transition to mandatory over time based on functionality, according to Bay Dynamics VP of Strategy Steven Grossman, who spoke about the SWIFT framework with CSHub.

Through self-attestation and overall transparency, there is a chance the framework sets a new mark for security posture within the financial industry. Still, it should be acknowledged, especially at the enterprise level, that despite the caution and controls, determined attackers can typically find a way around systems and carry out their attacks. Awareness, then, remains a top concern for practicing enterprise professionals.


Nevertheless, the SWIFT Controls Framework will invoke a new standard upon a highly sensitive industry. Just what will its measures provide?

“The overall framework is oriented toward protecting the network. While you have GDPR protecting privacy in the EU, and other frameworks…this control framework is focused on protecting and segmenting infrastructure connecting to the SWIFT network,” Grossman said.

Following the damaging Bangladeshi incident, Grossman said, “SWIFT must have felt the need to put together a standard, for an added level of protection, a standard baseline for both global banks and smaller banks. It’s not just the big six banks, it’s everybody.”

For these big banks, Grossman believes that compliance with the new framework will probably not be an increased burden, since these are institutions that typically already have robust security measures in place.

Yet, for smaller institutions that have fewer resources or are located in lesser-developed countries, the framework could prove difficult. Grossman said it is about “drilling down” to enforce certain restrictions, improve authentication and detect anomalous behavior, monitored on both the cyber side and the transactional side.

Monitoring potentially harmful behavior could prove difficult for the lesser-developed enterprises, Grossman said. These are institutions that might not have the appropriate logging or telemetry infrastructure to gather the right information.

For some worldwide enterprises, the SWIFT Controls Framework could prove daunting. But, Grossman said, “It is specific and actionable, but keep in mind it’s still a framework. If you make it too detailed, it could be too specific to apply to some situations.”


Transparency is being described as a pillar of this framework. Grossman said that because of SWIFT’s peer-to-peer attestation process, every institution is visible on the network. He said compliant companies could then hesitate transacting with those institutions that may be lagging. The framework provides SWIFT users the “ability for everybody to see at a pretty granular level,” Grossman said.

The top-down, peer-to-peer structure also provides a sort of “peer pressure” on other institutions, Grossman added, which could encourage companies to be in compliance. SWIFT also reserves the right to report any institution that is not compliant.

Where the framework could hold weight, then, is in this “peer-to-peer fear” of potentially being shunned. The perception of being insecure could have a heavy impact on business, the Bay Dynamics VP of Strategy added.

Moving forward, and after implementation, Grossman said the framework would likely continue to evolve as new attack vectors emerge.

SWIFT CEO Gottfried Leibbrandt told Forbes that the measure will support customers and help drive both awareness and improvements in security. “We will do this by maintaining a dynamic assurance approach, evolving the framework in line with the changing threat landscape, and making sure it complements emerging regulatory guidance,” Leibbrandt said.

SWIFT’s Chairman Yawar Shah said that while compliance could prove difficult, “the growing cyber threat requires a concerted, community-wide response.” Shah said that’s why the SWIFT board unanimously approved the framework.

Institutions on the SWIFT network are required to have their attestations submitted this month, as the framework takes hold Jan. 1, 2018. The measure was announced earlier in 2017, but SWIFT provided companies a lead-in time to become compliant.