In 2018, all banks using the SWIFT messaging platform will be required to comply with a new cybersecurity framework that aims to establish a baseline for security.
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. Banks use the closed network to communicate among themselves, sending approximately 25 million messages per day.
The requirements are in light of the string of cybercrimes against SWIFT member banks, most notably the Bangladesh bank which lost $81 million. Members will now be required to implement features such as multi-factor authentication, continuous monitoring and anomalous behavior detection, security awareness training, and incident response plans.
Altogether there are 16 mandatory controls and 11 advisory controls (voluntary best practices which may become mandatory in the future) banks using SWIFT must now follow.
Steven Grossman, VP of strategy at security risk management firm Bay Dynamics, said new SWIFT requirements also include baseline security controls such as network segmentation, vulnerability and patch management and mandates the segregation of access privileges to prevent any one person or user account from having too much independent power without the participation of at least one other person, thereby limiting the risk presented by malicious and non-malicious insiders, as well as stolen credentials.
SEE: IT leader's guide to reducing insider security threats (Tech Pro Research)
Grossman said one requirement that stands out is the ability to "detect anomalous activity to systems or transaction records," which SWIFT uniquely applies to monitoring many different aspects of a bank's processing including transactions and system activity. This concept is familiar to many banks due to their anti-money laundering programs.
Though it does not mandate specific tools for usage, user and entity behavior analytics technology is typically applied for this capability to detect both malicious and non-malicious offenders as well as cyber breaches. Complying with this control requires significant logging and analytics capabilities along with the expertise required to administer such features.
"For some banks this will be an incremental change, while those without the right telemetry infrastructure will have to do some heavy lifting in a short period of time," said Grossman.
The SWIFT framework also contains a detailed and transparent model for compliance reporting. Banks will have to sign onto SWIFT's portal and attest to their compliance with the controls framework. Respondents can indicate that they comply with the requirement as stated (and provide a future date for compliance if needed), attest that they will comply with the requirement in a different way, will comply by a future date, will not comply, or the requirement is not applicable to them.
This establishes a unique level of transparency. If a compliant bank sees that another bank is not in compliance with the framework it may choose not to do business, or limit its business, with that bank. This level of granularity and transparency adds a peer enforcement element in addition to the threat of supervisory action.
"None of the framework's mandates are terribly unusual or overly burdensome, but that does not mean that compliance will be easy," Grossman said.
SEE: Launching your cybersecurity career: 10 jobs to consider (free PDF) (TechRepublic)
He said that larger banks should have many of the requirements already in place, but also have a lot of complexity and legacy systems or processes to overcome. Smaller banks with fewer resources, especially those in less developed countries, may face challenges implementing them on time.
"Like any compliance effort, the first step is an assessment and gap analysis to understand where your risks lie, then executing a plan to achieve a level of security that a minimum level achieves compliance. If you are not there yet, put compensating controls in place as a stop gap, then work the plan towards more automated, efficient and effective controls," Grossman stated.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.