Swift has unveiled the next phase of its customer security programme (CSP), established to support customers in the struggle against cyber-attacks. The controls will be mandatory by the start of 2018.
This follows a spate of high-profile attacks at three of Swift’s customers earlier in the year. All of the cases started with Swift customers’ local environments being compromised, which is why Swift is now putting a lot of focus on the measures surrounding customers’ local security.
Speaking at last week’s Sibos opening plenary, Swift chair Yawar Shah reminded the audience that cyber-crime is a rapidly evolving threat. “Our community is under attack,” he said.
His thoughts were echoed by Swift CEO Gottfried Leibbrandt in the same session: he said it was no coincidence that the threat to cyber-security is happening just as the industry is starting to innovate.
Swift’s CSP was launched at the end of May and incorporates five initiatives, from facilitating better information sharing to creating assurance frameworks.
At Sibos, Swift took the initiative a step further by publishing a set of core security standards and details of an associated assurance framework that all customers must meet to secure their local Swift-related infrastructure.
“These both build on and complement the existing security guidance,” Stephen Gilderdale, Swift’s head of the CSP, told GTR on the sidelines of the conference.
He said that the standards will be mandatory for all customers, who will be required to demonstrate their compliance annually against the specified controls set out in the assurance framework.
According to a Swift factsheet, detailed security controls (16 mandatory and 11 advisory) which support three overarching security objectives and eight core principles will be published and fully validated with customers by the end of the year, coming into force at the end of Q1 2017.
Swift will require customers to provide detailed self-attestation against the mandatory controls from Q2 2017. Enforcement, which will include internal and external audits, will start from January 2018. Any non-compliant customers will be reported to their regulators.
While banks today face constant threats from hackers (who attempt intrusions as often as every 22 seconds, if not more frequently, GTR understands), it is a scenario that is only going to escalate as new and emerging technologies gain traction: whether it’s the internet of things (IoT), the cloud or artificial intelligence. The IoT has created a “breeding ground” for cyber-threats, Leibbrandt told the audience during the opening plenary.
“We’re never going to solve the cybersecurity threat – it’s going to be cat and mouse for ever. When something new comes along, someone works out how to subvert it,” a global transaction banker who preferred not to be named told GTR at the event. “If you’re going to be in the business, it’s the price of entry. And we all need to go into it eyes wide open.”
With this in mind, the CSP’s standards and controls will evolve over time in line with the cyber threat landscape, Gilderdale explained.
Within trade specifically, it is generally believed that cyber-security issues are secondary to more fundamental fraud threats because the industry has not been particularly successful at the digitisation of trade finance. “In trade finance, we are far from a cyber-security problem: we have a paper problem and I think the issues are fundamentally different right now. That doesn’t mean that we don’t need to think about them as we digitise trade,” Michael Vrontamitis, Standard Chartered’s head of trade and product management, told GTR.
None of the trade finance heads that GTR spoke with at Sibos had heard of Swift’s CSP, with some finding it odd that the company has taken 40 years to introduce this initiative, and others mooting that cyber-criminals may have a “window of opportunity” between now and the start of 2018, when the mandatory requirements are enforced.