article banner
Article

How SWIFT’s security evolution is changing business

Paul Olukoya Paul Olukoya

SWIFT has changed the way financial messaging is done over the past few decades and introduced a range of advantages for firms, but also has clear security risks. Paul Olukoya and Anthony Lulu look at the common security challenges associated with the payment service and how to tackle them.

11,000 institutions across over 200 countries use SWIFT to send and receive financial messages in a standardised, secure, and efficient manner. On an average day, approximately 45 million messages with a combined value of USD $5 trillion are sent over the network.

One ongoing challenge with SWIFT is commonly overlooked security challenges – now addressed in its customer security programme. These guiding lights helps firms ensure they have appropriate measures in place to safeguard their payment environments, mitigate potential security risks, and meet increasing demanding regulatory requirements.

SWIFT Security Challenges

Due to the scale of its reach, its ubiquity, and the huge amounts of money being transferred, SWIFT has proved to be an attractive target for cyber criminals. In recent years, multiple cyber-attacks have been reported with many confirmed as state sponsored or linked to organized crime. As such, attacks have been increasing in number and complexity.

One of the most notable cases of a SWIFT based hack occurred in 2016, when hackers took advantage of vulnerabilities in the network at the Bank of Bangladesh to gain access to their payment systems. In what has since commonly become known as ‘the Bangladesh Bank cyber heist’, the hackers issued thirty-five fraudulent SWIFT payment instructions to illegally transfer $951 million from the Federal Reserve Bank of New York account belonging to Bangladesh Bank. The FED detected and blocked thirty of the fraudulent transactions due to suspicions raised by a misspelled instruction however five instructions were processed and transferred $101 million to accounts in Sri Lanka and the Philippines. Some of this money has since been recovered, however $81 million was laundered through Southeast Asian casinos and remains lost.

Cybersecurity experts believe that there are multiple global hacking collectives targeting SWIFT and that most attacks may go unreported in public. This highlights a call to action for firms to take the necessary steps to protect themselves against these types of attacks. As recommended by SWIFT, all customers should undertake regular reviews of their systems, processes, and procedures, ensure that the right security tools and controls are in place, and most importantly continuously train staff to recognise cyber risks and steps to mitigate against cyber hacks.

Addressing the risk

The core SWIFT network is considered highly secure and to date there have been no successful hacks into the SWIFT system itself. Since its introduction in 1973, the SWIFT messaging platform has provided member firms with a range of services relating to the execution of financial transactions and payments between banks worldwide. However, SWIFT recognizes that a failure at any of its member organizations represented a threat to confidence in the SWIFT network as a whole. In response, SWIFT introduced its Customer Security Controls Framework (CSCF) to help financial institutions bolster their defenses against cyber-attacks and therefore protect the integrity of the wider financial network.

The framework provides guidance on how to secure payment environments, understand and limit access to internal systems, and detect and respond to potential threats. It lays out guidelines on security controls that all SWIFT member institutions must implement to establish a security baseline across the whole SWIFT network. SWIFT members must annually attest their compliance with the controls with firms who fail to do so at risk of being reported to their regulators by SWIFT.

Independent review

As of 2021, SWIFT mandated that attestations of compliance must be assessed by an independent party before being submitted to further enhance their accuracy. SWIFT dictates the certifications and experience necessary to be considered a qualified assessor and also maintains an online directory of firms capable of performing assessments. It is recommend that firms carry out regular reviews of their systems and have strong oversight to ensure they have the correct risk mitigation measures in place.

Having strong oversight of your systems will ensure that the appropriate measures are in place to safeguard payment services. Firms should ensure that they are regularly checking on their current systems and taking the correct measures to minimise their security risks, which in turn will help form a strong understanding of SWIFT across the business and ensure that best practice is met.

Grant Thornton UK LLP has a bench of industry proven security assessors and we are listed in the SWIFT CSCF assessor online directory. In the past 12 months the team has conducted a large number of assessments for clients in sectors across banking, insurance, retail, and government departments. For leading expertise on how to protect your SWIFT systems and enhance payment security, please contact Paul Olukoya.

Article
Making payments safe – a key priority for the FCA What's next for the sector?
Article

Implementing ISO 20022: What do firms need to do now?

Uncover the key challenges