Swift to "Name and Shame" banks who fail to meet security standards

Interbank co-operative Swift is promising to name and shame banking members who fail to measure up to a new set of core security standards that are set to be introduced in Q2 2017.

The standards will be mandatory for all banks, who will be required to demonstrate their compliance annually against 16 mandatory controls set out in an 'assurance framework'.

Although banks are merely required to provide 'self-attestation', Swift says it will perform random spot checks, and urge counterparty banks to do likewise. 

Inspections and enforcement will begin on 1 January 2018, when banks' compliance status will be made available to their counterparts. Firms that fail to achieve the required standards may not only find themselves locked out by their counterparts, but will also be reported to their regulators.

Swift chairman Yawar Shah says: “We recognise that this will be a long-haul, and will require industry-wide effort and investment, as well as active engagement with regulators. The growing cyber threat requires a concerted, community-wide response.”

The detailed objectives and controls will be made available to Swift customers late next month, he says.

Interbank co-operative Swift is facing an uphill battle to convince its membership of the urgency of upgrading security after revealing a further spate of hacks against users of the financial messaging network.

In a private letter to clients obtained by Reuters, Swift says that new cyber-theft attempts - some of them successful - have surfaced since June.

"Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay."

The memo discloses that banks targeted varied in size and geography and used different methods for interfacing to the network, but all demonstrated failings in local lockup procedures.

Swift has been on a crusade to persuade members of the need to enforce and maintain strict security protocols following an $81 billion cyber-heist from the Bank of Bangladesh and similar attacks on other Asian banks. 

The Brussels-based co-operative launched a major security programme in June with the aim of defining an operational and security baseline that banks must meet to protect the processing and handling of their Swift transactions. The company has engaged cyber-security specialists BAE Systems and Fox-IT and created a dedicated 'Forensics and Customer Security Intelligence Team' to help shore up its defences as it rolls out an information sharing and threat intelligence programme. 

Swift has set a November 19 deadline for installing the latest version of its software - which includes stronger authentication and password management and better hack detection tools - and has warned banks that fail to measure up that it may share future security lapses more widely with banking regulators and correspondent banking partners.