United in the fight against cyber attacks

From the plenary room and main conference sessions to Innotribe, the SWIFT Institute, the SWIFT Auditorium and the exhibition hall, cybersecurity issues had a higher profile at Sibos 2016 than ever before.

Even before the conference officially opened, the SWIFT board and opening plenary of the chairpersons’ meeting had discussed both cybersecurity more widely, and SWIFT’s Customer Security Programme (CSP) in particular.

The high priority accorded cyber-security at Sibos was also reflected in the record number of chief information security officers (CISOs) from leading banks attending the conference, as well as in the many forensic and other security experts from around the industry. Throughout the week, the many and varied panel discussions, workshops, debates and presentations on cybersecurity topics were extremely well-attended, while many delegates took the opportunity to find out more about the CSP at dedicated sessions held at the SWIFT Auditorium.

SWIFT Chairman Yawar Shah has often opened Sibos by providing the community with an overall update on SWIFT’s activities. Not so this year where he set the tone for the week. “Today will be a little different,” he warned at Monday’s opening plenary. “I want to get straight to the point, to the main issue occupying all of us at SWIFT: cybersecurity. Our community is under attack. We need to address this together.”

Shah was referring to the series of recent incidents in which attackers have identified and exploited vulnerabilities in customers’ local security. This enabled them to compromise customers’ local environments and input fraudulent messages that have eventually been carried over the SWIFT network. Shah reconfirmed that neither SWIFT’s core network nor its messaging services have been compromised, but warned: “This is an inflection point for SWIFT and our community. Cyber criminals are well-organised, well-funded, extremely sophisticated, and getting smarter. And as expected, they have evolved. They used to go after retail by attacking consumers’ e-banking applications – but now, they are attacking banks and going after their SWIFT credentials.”

“Securing your local environment is the most important thing you can do”, SWIFT CEO Gottfried Leibbrandt told the plenary, continuing the discussion. “Securing the physical set-up of your local SWIFT-related infrastructure and putting in place the right people, policies and practices are critical to avoiding cyber-related fraud.”

Many of the necessary tasks are the equivalent of basic hygiene: securing credentials, multi-factor authentication, firewalls and anti-virus technologies, applying security patches and latest updates to software. “Like medical hygiene this is both easy and hard,” said Leibbrandt. “My medical friends tell me that it is possible to drastically reduce deadly hospital infections if doctors wash their hands for two minutes before operating. And yet only half of them do. These are doctors, they know the facts, real people are dying, and still they don’t comply.”

Common standards

In Tuesday’s big issue debate, ‘Cybersecurity – Catching the bad guys’, Cheri McGuire, group chief information security officer at Standard Chartered Bank, took up Leibbrandt’s theme, urging the further development of – and adherence to – best practices and common standards.

“Studies have shown that about 85% of cyber-breaches can be prevented through basic hygiene practices like data encryption, utilising modern security software, staff training and multi-factor authentication access to sensitive data and servers,” she said. “If an organisation is breached, having robust response and recovery plans in place and exercised can help minimise the impacts. Cybersecurity is a board level and senior management issue, and organisations need to have a culture of best practices when it comes to addressing cyber issues.”

Adherence to a common set of core security standards for all users is at the heart of SWIFT’s CSP, explained Shah. “Through the CSP, SWIFT is helping you to take action,” he said, explaining how just a few days earlier the SWIFT board had unanimously endorsed the next stage of the CSP – the introduction of mandatory customer security requirements and an associated assurance framework; three objectives, eight principles and 27 controls.

Speaking later that day in a dedicated SWIFT Auditorium session, Stephen Gilderdale, SWIFT’s head of the CSP, provided more details on how the controls in the new assurance framework would work. “The core security requirements are based on three overarching objectives which address major areas of attention for customers’ SWIFT-related environments. Under the framework, customers will be required to provide self-attestation against 16 mandatory controls on an annual basis. Self-attestation will start in the second quarter of 2017 when the requirements will be made applicable to all customers connected to SWIFT, including those connected through service bureaus. In effect, we will set a level of security requirements that must be met by every SWIFT customer,” he said.

Under the new framework, SWIFT will also ask randomly selected customers to back up their self-attestations through internal or external audits. In addition, SWIFT will make the compliance status of each customer available to its counterparties. “Your correspondents will be able to check whether you washed your hands before dinner, so to speak,” said Leibbrandt.

Systemic risk

So varied and prevalent are the sources of security threats that many banks and market infrastructures have already experienced some form of cyber attack, even though smaller breaches are rarely admitted. But acknowledging that client data has been compromised is a particularly difficult task for financial institutions, because of the importance of trust to client relations and the highly sensitive nature of the information involved. Nevertheless, experts insist that information-sharing on the types of attacks is critical to reducing cyber-risks.

Speaking in Tuesday’s big issue debate, Marco Gercke, director at the Cybercrime Research Institute, warned that cybersecurity threats are becoming more severe. “The entire financial industry is dependent on computer technology and attacks are becoming ever more sophisticated. Increasingly, cyber-criminals are not simply shutting down servers, but threatening to manipulate data unless ransoms are paid. Others are extracting data from organisations and making copies. This is a huge challenge because the entire industry is based on trust and confidentiality of client data,” said Gercke.

The systemic risk from cyber-threats is regularly identified by financial institutions as a primary concern, often cited ahead of the macro-economic challenges, as evidenced in an April 2016 market survey by the Depository Trust & Clearing Corporation (DTCC). Even three years ago, almost half of exchange operators had experienced some form of cyber attack, according to the World Federation of Exchanges (WFE).

Moreover, as SWIFT’s Leibbrandt observed, all financial institutions are part of a broader ecosystem. Even with strong security measures in place, attackers are very sophisticated and firms need to assume that the worst may happen. That’s why it is also vital to manage security risk in interactions and relationships with counterparties.

“As with epidemics, hygiene is required for cyber-prevention – but is by no means sufficient,” continued Leibbrandt. “Your environment may still get breached, so you need to put strong detection measures in place. This is why we recently announced the Daily Validation Reports for our customers, as a secondary back-up check on transactions to detect and prevent fraud.”

Firms with high cyber-security standards may still be at risk if a counterparty’s defences have been breached, resulting in suspicious traffic being sent over SWIFT. This risk can be countered via SWIFT’s Relationship Management Application (RMA), as well as additional controls on incoming instructions, and clear mechanisms to stop suspicious payments. “Using the RMA, we can all choose who we do business with over the SWIFT network. Equally, once you cease doing business with an RMA counterpart, you can terminate that RMA relationship. And you should,” said Shah.

Market practice also has an important role to play in handling counterparty relationships, he added, which is why SWIFT is now also facilitating discussions to develop a common understanding between sending and receiving parties of the warning signs that should lead to payments being investigated, and of how suspicious payments should be stopped.

Changing attitudes

Cultural attitudes need to change from top to bottom if financial institutions are to be successful in staving off cyber-breaches, panellists suggested on Thursday in ‘The spectre of cyber threats – How can the industry fight back?’ “An organisation can do everything right on cyber-security and still be an unfortunate victim. A typical response from a company following a breach is to fire the chief security officer. Mistakes will happen, but organisations need to take a longer-term approach around retaining senior security personnel,” said James Lyne, global head of security research at Sophos.

This willingness to blame personnel following cyber-attacks is accompanied by a broadly unsympathetic attitude toward cyber victims. Both should change, according to Steve Briscoe, global head of technology and operations at clearing house operator LCH. Clearnet. “Cyber-theft should be regarded in the same way as physical theft. The methods may be different but the impact is the same. It is important to recognise that there is criminal intent in both cases, and we should adjust our attitudes accordingly,” he said.

The fact that the intent to attack has so many sources is challenging for those charged with building cyber defence strategies, as is the ability of many skilled perpetrators to maintain anonymity. Hackers may include criminals or disenchanted employees, the latter becoming an increasingly common phenomenon, in the opinion of Bruce Schneier, CTO at Resilient, an IBM company specialising in cybersecurity solutions. “Criminals are agile and will frequently make use of technology more quickly than governments. However, the latter are more powerful, so the battle becomes one between the quick and the strong,” said Schneier, speaking at Wednesday’s Innotribe session. ‘Innovation in cyber-security: Innovative defences to innovative attacks’.

Timely detection

Attacks perpetrated by highly-resourced and skilled state-backed organisations are often too powerful even for the most sophisticated market infrastructures or financial institutions, regardless of the size of their budgets. But such attacks are extremely rare. And when they do occur, large or small, timely detection can help minimise impact. As the recently revealed breach at Yahoo illustrates, many cyber-attacks are not discovered until it is too late. While prevention is crucial, it is important that companies have systems to detect live breaches, stated Charles Blauner, global head of information security at Citi. “There is a lot of technology focused on detection. It is becoming even more important that organisations have processes in place to ensure breaches do not go unnoticed,” he told delegates.

Regulators too are paying closer attention to cybersecurity, panellists observed, having recognised its potential impact on the ability of market participants to function. The US Treasury Department’s Office of the Comptroller of the Currency (OCC) is drafting recommendations on interbank messaging and wholesale payment systems. The US Securities and Exchange Commission is subjecting broker-dealers and asset managers to heightened oversight and examinations to confirm the strength of their cybersecurity defences.

While central banks and regulatory authorities across the world are demanding higher standards on cyber-security from financial institutions, Gerke insisted that engagement with law enforcement authorities is just as important. “Cooperation with law enforcement is important and this is something we advise banks on. If there is a cyber incident, it is important organisations have clearly defined rules and procedures for engaging with law enforcement,” he said.

As well as requirements from regulators, best practice guidelines are being formulated at the industry level. The Committee on Payments and Market Infrastructures (CPMI) and International Organisation of Securities Commissions (IOSCO) have published cyber resilience guidelines, for example, to help financial market infrastructures detect and recover from cyber threats. Recommendations included sound cyber governance and board-level understanding; procedures to resume operations quickly after an attack; and strong cultural awareness about cyber-risks based on collective engagement

Share and prepare

With the involvement of so many parties in the fight against cyber-security threats, the circulation of information is fundamental to the success of the industry’s collective defence strategy. “What happens to one company in one location can easily happen to another elsewhere,” said SWIFT’s Shah. “That’s why we need our customers to ‘share and prepare’. Share the details if you are compromised and prepare by learning, for example through the threat intelligence and Indicators of Compromise (IoCs) that SWIFT publishes.”

If the worst happens, he added, it is vital to ‘share’ by letting SWIFT know there is a problem and to share relevant information. This will help SWIFT’s dedicated Customer Security Intelligence team to limit the community impact by sharing anonymous IoCs and by detailing the modus operandi used in known attacks.

SWIFT is providing regular updates of this nature through its Security Notification Service to which all customers can subscribe. SWIFT can also provide compromised customers with diagnostic support, and advice on how to restore systems to get up and running again. In cases of suspected customer fraud, it is important to act fast and take decisions in real time.

The second community principle – ‘prepare’ – is just as important, as Gilderdale explained in the SWIFT Auditorium. “SWIFT will do everything possible to inform you of relevant cyber-intelligence, and we will continue to expand our information-sharing platforms to do so. We are also engaging with vendors and third parties to secure the wider ecosystem – but we also expect customers to prepare by acting on the information and security updates we provide, and ensuring that they meet mandatory security requirements for their SWIFT-related infrastructure, which we will enforce closely.”

During the session, Gilderdale was joined on stage by Adrian Nish, head of cyber threat intelligence at BAE Systems, and Todd Inskeep, principal at Booz Allen Hamilton. Nish outlined the threat landscape, while Inskeep gave insights into the development of the core security standards, which take into account the latest intelligence on known cyber threats and incidents, and which have been reviewed by external industry experts and assessed against industry standard frameworks and best practices.

Constant communication

Across all Sibos 2016 sessions in which cyber-security was discussed, there were two very consistent messages: the threat is real and growing, and industry collaboration is essential. Addressing the challenges of cyber-security by communicating about the issues with peers is an effective mechanism to mitigate the risks, many speakers agreed. “There has been a significant shift in mindset over the last few years with recognition that cyber defence and cyber-security is something the industry needs to work on together. Standard Chartered is a founding member of the Cyber Defence Alliance and works closely with government counterparts and SWIFT on promoting information sharing,” said McGuire.

Another key point made by several different speakers was that cyber threats are evolving and will continue to change, driven in part by the unrelenting speed and scale of technology innovation. When grasping the opportunities afforded by disruptive technologies to improve process efficiency and enhance customer value, banks and other institutions must also be mindful that they could be opening themselves up to new cybersecurity risks. All firms looking to leverage blockchain, for example, should also be aware of the potential security implications, following the manipulation of smart contracts on a platform based on the Ethereum blockchain.

As Bart Preneel, professor at the University of Leuven and president of Leaders in Security, neatly summed up during Innotribe’s ‘DLT and cyber-security: Sibos week wrap-up’ on Thursday afternoon, “The attack surface for cyber criminals has grown exponentially as there are more points of penetration.”