Is SWIFT now playing good cop/bad cop?
SWIFT – formally known as the Society for Worldwide Interbank Financial Telecommunication – is a nonprofit cooperative owned by 3,000 banks that bills itself as “the world’s leading provider of secure financial messaging services.” Every day, its network and software process 25 million communications that collectively account for billions of dollars’ worth of transfers.
SWIFT CEO Gottfried Leibbrandt initially said that his organization wouldn’t impose data security standards on any of its 11,000 members.
“The system is only as secure as the weakest link.”
“SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry,” Leibbrandt said in a May 24 speech in Brussels, during which he called on the banking sector to help banks better secure themselves.
But Leibbrandt appears to have changed tack, saying on June 1 that his organization is now weighing suspending banks found to have poor security practices. “We could say that if the immediate security around SWIFT is not in order we could cut you off, you shouldn’t be on the network.”
What comes next?
That SWIFT is raising the possibility of launching security audits for its participating banks, and of adjusting financial sector regulations, speaks to the multiple regulators and legislators who are demanding to know how the financial services industry plans to lock down related weaknesses and what risks SWIFT-using banks currently face (see Fraudulent SWIFT Transfers: Congress Queries New York Fed).
It’s clear that the industry has to do something. We have helped financial institutions by starting with a Compromise Assessment to determine if they have already been hacked, or have unauthorized access or applications in their networks. Once any initial remediation has been completed, we can also assist with ongoing testing and monitoring to maintain cybersecurity.