A major report from Reuters uncovered that many directors and managers at SWIFT have long been fearful about the messaging system’s lack of security. Over the past year, the vulnerabilities have continued to rear their heads, with multiple high-profile attacks leading to millions in losses. The biggest hack came in February when criminals tried to steal $1 billion USD from Bangladesh Bank in Dhaka, laying bare the frightening potential for bandits to infiltrate the system and make off with a fortune.
In that incident, SWIFT was lucky to only see $81 million USD pilfered away, but the news organization’s investigation highlights the general lack of attention paid to security issues, even while many were concerned about the severity of the risks.
“The board took their eye off the ball,” Leonard Schrank, chief executive of SWIFT from 1992 to 2007, told Reuters. “They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system.”
To his credit, Schrank took responsibility for his role in not bolstering the system’s defenses during his tenure, although the sophistication of cyberthieves has naturally evolved greatly since he was overseeing the organization. But because the issue was not prioritized, then or more recently, SWIFT’s inability to stay ahead on security and its general lack of risk management are now calling into question the makeup of its board.
One significant issue has been the rapid uptake in users from smaller countries. In the early 2000s, per Reuters, some 90% of the messaging revenue came from banks in 25 countries. The transaction volume remains dominated by banks in the world’s largest, most-developed economies, although to a lesser degree. But small banks in emerging markets are increasingly using SWIFT, with it now operating in 212 nations and jurisdictions, according to Reuters. This is up from just 126 in 1994, and new banks continue to join the network all the time.
The Bangladesh incident — just like the $12 million taken from Ecuador’s Banco del Austro and an attempted theft stopped by Tien Phong Bank in Vietnam — showed how banks in emerging markets may be more vulnerable. Alessandro Lanteri, who served on SWIFT’s board in the 1990s and formerly worked at Italian bank Unicredit, told Reuters that there was always a disconnect between the established, familiar places and the new kids on the block. “When I was on the board, I had no direct contact with the little countries,” Lanteri told Reuters.
For its part, SWIFT maintains that it is — and has always been — focused on security. Its failures have been due to limited, and often local, issues in which certain exploits could not be prevented. In some cases, SWIFT was not even made aware of the crime by the affected banks until months later.
Regardless of whether a large part of the problem has been caused by lax standards at the affected financial institutions, the organization is realizing it must improve both its literal and figurative messaging. Last week, it championed the launch of a new security campaign aimed at helping partner financial companies better safeguard themselves. These enhancements to its Customer Security Program center on “raising awareness” for its existing “Relationship Management Application” and “2-Factor Authentication” protocols.
“We are focussed not only on encouraging customers to secure their environments – which is the most important defense against cyberattacks — but also on further enhancing security features in SWIFT products and on promoting community adoption of our existing tools and controls,” said Stephen Gilderdale, head of the security program. “Through this awareness campaign we aim to make sure our users make the most of SWIFT’s existing security tools and controls.”
To address the still-unresolved Bangladesh incident, SWIFT recently released a joint statement with the New York Fed and Bangladesh Bank. “The participants remain concerned about this event and recommitted to working together to recover the entire proceeds of the fraud as expeditiously as possible, bring the perpetrators to justice in cooperation with law enforcement from other jurisdictions, and lend support to multilateral international efforts to further protect the global financial system from these types of attacks in the future,” said SWIFT in a statement.
Whatever the exact nature of the issues, there certainly seem to be some. And now, as more and more attacks come to light, SWIFT seems fully aware that it needs to start worrying about the risk to its reputation along with its many security challenges.