Are you one of the roughly 11,000 banks and financial institutions that are members of SWIFT, the international correspondent banking network? In 2016, attackers stole $81 million from the Bangladesh central bank after compromising its network and obtaining legitimate SWIFT operator credentials. Because the fraudulent fund transfer requests were issued from an authenticated, trusted source, the receiving banks sent and processed them as genuine; in reality the attackers controlled the accounts that issued them.
What is SWIFT?
Behind most international money and securities transfers is the SWIFT system, a vast messaging network used by banks and other financial institutions to quickly, accurately, and securely send and receive information such as money transfer instructions. Every day, SWIFT member institutions send nearly 30 million messages on the network. Read more about SWIFT on its website.
The Customer Security Programme (CSP)
As a result of this cyberattack and others that preceded it, SWIFT launched the Customer Security Programme (CSP). SWIFT created the program to address the risk that a compromised member's local environment is used to inject fraudulent messages into the trusted network shared by all members. As part of the program, all SWIFT member banks are now required to meet minimum security standards and self-attest in the KYC Registry Security Attestation application (KYC-SA) by December 31, 2017.
Per the SWIFT website, all controls that are included in the CSP “are articulated around three overarching objectives: 'Secure your Environment', 'Know and Limit Access', and 'Detect and Respond'.” The controls have been developed based on SWIFT's analysis of cyber threat intelligence and in conjunction with industry experts and user feedback.
The three objectives break down into eight principles, 16 mandatory controls and 11 advisory controls. Member banks are required to self-attest to the 16 mandatory controls; the 11 advisory controls are recommended now and may become mandatory in later versions of the framework. All SWIFT users must log in to the KYC-SA and submit self-attestations for each of their live BIC8s by the end of December 2017.
The 16 mandatory controls prescribed by the SWIFT CSP are as follows:
Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
1.1 SWIFT Environment Protection
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
1.2 Operating System Privileged Account Control
Restrict and control the allocation and usage of administrator-level operating system accounts.
2. Reduce Attack Surface and Vulnerabilities
2.1 Internal Data Flow Security
Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related applications and their link to the operator PC.
2.2 Security Updates
Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
2.3 System Hardening
Reduce the cyberattack surface of SWIFT-related components by performing system hardening.
3. Physically Secure the Environment
3.1 Physical Security
Prevent unauthorized physical access to sensitive equipment, workplace environments, hosting sites, and storage.
4. Prevent Compromise of Credentials
4.1 Password Policy
Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
4.2 Multi-factor Authentication
Prevent the compromise of a single authentication factor from granting access to SWIFT systems by implementing multi-factor authentication.
5. Manage Identities and Segregate Privileges
5.1 Logical Access Control
Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
5.2 Token Management
Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).
6. Detect Anomalous Activity to Systems or Transaction Records
6.1 Malware Protection
Ensure that local SWIFT infrastructure is protected against malware.
6.2 Software Integrity
Ensure the software integrity of the SWIFT-related applications.
6.3 Database Integrity
Ensure the integrity of the database records for the SWIFT messaging interface.
6.4 Logging and Monitoring
Record security events and detect anomalous actions and operations within the local SWIFT environment.
7. Plan for Incident Response and Information Sharing
7.1 Cyber Incident Response Planning
Ensure a consistent and effective approach for the management of cyber incidents.
7.2 Security Training and Awareness
Ensure all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.
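Controls 6.2 and 6.3 state an objective (software and database integrity) rather than a method. The following is an added example, written for this article and not part of SWIFT's CSP guidance or any SWIFT product, of the two checks a practitioner typically builds to satisfy them: a SHA-256 baseline of the installed application tree that is re-verified on a schedule, and a keyed MAC over each stored message record so that a row edited directly in the database no longer verifies. The directory layout, file names, key and transaction record are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_baseline(root, baseline):
    """Compare the current tree with a stored baseline; report every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def seal_record(key, record):
    """Keyed MAC over a canonical JSON encoding of one message record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_record(key, record, mac):
    """Constant-time check that a stored record still matches its MAC."""
    return hmac.compare_digest(seal_record(key, record), mac)


def demo():
    """Run both checks against constructed data; returns results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "bin").mkdir()
        (app / "conf").mkdir()
        # Constructed stand-ins for an installed messaging interface, not real files.
        (app / "bin" / "messaging.bin").write_bytes(b"\x7fELF original interface build")
        (app / "conf" / "interface.cfg").write_text("tls=required\n")
        baseline = build_baseline(app)

        # Simulated tampering: patched binary, dropped library, deleted config.
        (app / "bin" / "messaging.bin").write_bytes(b"\x7fELF patched interface build")
        (app / "bin" / "helper.so").write_bytes(b"\x7fELF unexpected library")
        (app / "conf" / "interface.cfg").unlink()
        file_report = verify_baseline(app, baseline)

    # Constructed key and record; a real key belongs in an HSM or secrets store,
    # never in the same database it protects.
    key = b"constructed-demo-key-not-for-production"
    record = {"ref": "FT2017010100001", "amount": "1000.00", "beneficiary": "EXAMPLE LTD"}
    mac = seal_record(key, record)
    tampered = dict(record, amount="81000000.00")

    return file_report, verify_record(key, record, mac), verify_record(key, tampered, mac)


if __name__ == "__main__":
    report, genuine_ok, tampered_ok = demo()
    print("file deviations:", report)
    print("genuine record verifies:", genuine_ok)
    print("tampered record verifies:", tampered_ok)
```

Two caveats matter in practice. The baseline and the MAC key must be stored and compared from a system the SWIFT operator hosts cannot write to; a baseline kept next to the binaries it protects is simply one more file for the attacker to update. And an on-disk check does not see a process that has been patched in memory, so these checks complement, rather than replace, the logging and monitoring required by control 6.4.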
Are you prepared to review the mandatory and advisory controls and submit your self-attestation by year-end? The SWIFT website is a recommended starting point to assess your status and begin outlining how the controls apply to your infrastructure. Contact Weaver’s IT Advisory Services team with questions on the program or completion of the KYC Registry Security Attestation.