A $100M cyber heist spooked banks, yet many dawdle on defenses
(Bloomberg) -- Two years after Swift, the interbank messaging system, became embroiled in one of the largest cyber heists in history, it’s still cajoling more than 1,000 of its members to show they’re setting up necessary defenses.
The global network’s 12,000 members were supposed to attest by the end of December that they’re enacting a list of basic security measures -- such as improving passwords and adopting multistep authentication. About 90 percent of firms were able to do it, according to two people familiar with the results. Yet, that also shows many others might still be vulnerable to hackers.
Swift’s push was prompted by a string of attacks, most famously when criminals initially siphoned off more than $100 million from the central bank of Bangladesh in 2016 (a portion was later recovered). While the cases involved breaches at firms -- not the network itself -- Swift set out to ensure members were taking necessary steps to protect confidence in a global system that moves roughly $5 trillion daily.
“The Bangladesh attack was a wake-up call for Swift and its members,” said Franklin Van Weezendonk, executive vice president at Axletree Solutions, which provides connectivity and technology services to the network’s users. “Some hesitated to implement all the new security protocols when Swift announced them, but most are realizing they will be the ones vulnerable in the future if they don’t.”
Swift -- short for the Society for Worldwide Interbank Financial Telecommunication -- serves as a sort of air-traffic control system for money flowing around the globe. Messages sent on the network include wire-transfer orders that shift funds between financial companies, often across borders. Most members are banks or securities firms, but some are corporations looking to interact directly with their financial-services providers. The security campaign aims to ensure hackers can’t infiltrate a member to siphon off its money via the network.
The December deadline wasn’t even for full compliance, which is scheduled for the end of 2018. Instead, firms were supposed to show their progress. Yet many clammed up.
Swift has threatened to report non-compliant members to their regulators at both stages. That can increase pressure on the regulated financial firms that make up most of the network.
It’s also relying on peer pressure. The messaging network has expanded members’ use of a know-your-counterparty database, detailing what measures other firms have adopted.
Some members expect Swift won’t start alerting regulators until the final deadline at the end of this year. While Swift hasn’t threatened to kick laggards out, some members said it should do so to protect confidence in the system.
So far, the network is refraining from that approach, according to Pat Antonacci, managing director at Swift who’s leading customer engagement with the security program.
“Disconnecting a customer would shift the risk to another channel,” he said. “Instead we’re providing the transparency to the risks. A non-compliant member might be perceived as a high-risk counterparty, and others might be hesitant to transact with them.”
In February 2016, hackers exploited weaknesses at the central bank of Bangladesh to move funds from its account at the Federal Reserve Bank of New York via Swift. Similar attacks hit institutions in other countries. Swift initially said members were responsible for their own security. But it soon pivoted, launching a broad effort to help them bolster defenses.
Axletree has advised its roughly 100 clients to implement not just the mandatory measures that Swift announced last year but also steps it suggested, such as personnel vetting and vulnerability scanning. All of its clients signed up for an analysis of both sets of controls, indicating they will probably make many of the voluntary improvements. But not all Swift members have done the same, and some have ignored the optional set altogether, according to some members.
Commercial International Bank, Egypt’s largest publicly traded bank, focused first on self-assessment and is now implementing both the mandatory and suggested controls, according to its chief security officer, Shattsy Hassan. The rules made sense after the Bangladesh central bank heist, which already had prompted Commercial International to begin work on similar reforms, Hassan said.
Some banks in the region have been slow to comply because they don’t consider Swift a crucial component of their business, said Mohamed Sultan, CIB’s chief operating officer. The lender might refuse to do transactions with banks that don’t meet the standards, he said.
“We will assess the risk and see if the counterparty’s vulnerability could also expose us when we transact,” said Sultan. “I’m not as worried about them getting hacked, but if it opens me up to being hacked, then I won’t do business with that counterparty.”
‘Keep on Evolving’
Swift also rolled out new services to help members spot intrusions. One will “red flag” payment messages that appear anomalous or risky. It will provide real-time alerts and allow customers to put a hold on unusual messages. Another service, set to start in the third quarter, will watch for off-hour and higher-than-usual transactions. Swift also launched a system to post information on attacks and attempted intrusions so fellow members can take precautions.
Axletree’s Van Weezendonk suspects Swift will eventually turn suggested steps into requirements. Antonacci wouldn’t rule out that possibility for at least some measures.
“It’s going to keep on evolving, just as the threats keep on evolving,” he said.