“I returned, and saw under the sun, that the race is not to the swift…”
-Ecclesiastes 9:11
King James Version

With apologies, it appears there is a race to the SWIFT underway, as cybercriminals target the global financial messaging system. Brussels-based SWIFT (Society for Worldwide Interbank Financial Telecommunication), a member-owned cooperative, operates a network used by financial organizations to process transactions. Its messaging platform is used by 11,000 banks and other institutions around the world, processes billions of dollars of transactions daily, and is a critical part of the global financial system.

SWIFT has been beset with security breaches. In a widely publicized sequence, the theft of $12 million from Ecuador’s Banco del Austro in 2015 was followed by the theft of $81 million from the Bangladesh Central Bank in February 2016. But that may have been the tip of the iceberg. It appears several other attacks have occurred, and the targeting of SWIFT continues.

Reuters just reported that SWIFT sent a private letter to clients that “disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February’s high-profile $81 million heist at Bangladesh Bank.” The letter suggests the attacks were of an advanced nature and targeted vulnerabilities in obsolete systems at local client premises, and it said the attacks are expected to continue. SWIFT imposed a deadline of Nov. 19 for its members to comply with new security requirements and, interestingly, threatened to report non-complying firms to regulators if they fail to adopt the required security features.

The biggest concern associated with the attacks on SWIFT is the danger they pose to the stability of the global financial system. SWIFT’s threat to publicly shame firms that do not comply with its enhanced security requirements makes clear how seriously SWIFT takes this problem. It behooves all of us to pay attention to the next chapter in this story.

By Tom Davis, SDI Cyber Risk Practice
September 6, 2016