SWIFT’s Customer Security Program: Lessons for the Cybersecurity Community

Author: Ninad Dhavase
Date Published: 20 January 2022

In February 2016, the world witnessed a sophisticated cyberheist in which the computer terminals of Bangladesh Bank, which interfaced with the communication system of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), were compromised through spear phishing emails. SWIFT is a global member-owned cooperative that provides secure messaging services for financial transactions and a suite of related products and services.1 One employee at Bangladesh Bank fell for a phishing email, sent in the name of a fictitious job seeker, that invited recipients to download his resume and a cover letter from a website. The employee downloaded the documents and the malware.2 This malware helped the attackers navigate through the internal network for months and gather information about the network, operations and user passwords. The attackers had been operating in stealth mode for nearly a year before they took action in February 2016 and sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds from Bangladesh to accounts in other Asian countries.3 Luckily, the attackers, who originally targeted nearly US$1 billion, ended up siphoning only US$81 million. To date, the majority of this money has not been recovered.4

Although SWIFT secures its own network, it relies on a shared responsibility model in which many critical security controls must be maintained by customers and users, in addition to addressing weak links such as human factors. This heist got everyone’s attention, and organizations were amazed at the pace and sophistication of the attack. It caused many enterprises to immediately begin questioning the cybersecurity controls within their own environments.

In the aftermath of this heist, SWIFT’s systems were scrutinized for potential security weaknesses. However, SWIFT claimed that its systems had not been compromised as part of this attack; instead, the user environment had been breached. SWIFT met with representatives of the Federal Reserve Bank of New York and Bangladesh Bank in May 2016, and they released a joint statement agreeing to pursue certain common goals: to recover the entire proceeds of the fraud, bring the perpetrators to justice and protect the global financial system from these types of attacks.5

In line with these common goals, SWIFT introduced a community-driven compliance program that encouraged users to secure their environments and develop a sense of shared responsibility for the wider financial services community and society in general. Key features of this program can be utilized to develop similar programs by other sectors, sectoral communities/regulators or governments to monitor the level of security controls.

SWIFT’s Customer Security Program

SWIFT’s Customer Security Programme (CSP) helps customers and users ensure that their mitigation efforts against cyberattacks are up to date and effective. Users compare the security measures they have implemented with those detailed in SWIFT’s Customer Security Controls Framework (CSCF), and they submit the results of their compliance reviews to SWIFT annually.6

The CSCF is composed of mandatory and advisory security controls for SWIFT users. The mandatory controls establish a security baseline for the entire community. All users must implement these controls on their local SWIFT infrastructure. The advisory controls are based on practices that SWIFT recommends for all users, but they are not required. The CSCF has evolved every year, and advisory controls are often converted into mandatory controls in subsequent versions of the framework.7 The mandatory and advisory controls provide detailed guidance on how to implement a control to achieve a particular objective and how to address the associated risk factors. These controls are mapped to industry standards such as International Organization for Standardization (ISO) standard ISO 27001. As shown in figure 1, the 2021 version of the SWIFT CSCF comprises three overarching objectives that are linked to eight principles and complemented by 31 controls (22 mandatory and nine advisory).8

Figure 1

Figure 2

Figure 2 outlines the objectives and principles of the SWIFT CSCF.9

Lessons for the Cybersecurity Community

There are five key lessons that the cybersecurity community can draw on to build similar community-led programs.

Lesson 1: Start Small and Evolve
SWIFT’s CSCF was introduced in 2016, and users were required to comply by the end of 2017. The first version of the CSCF introduced 16 mandatory and 11 advisory controls. The number of controls and related guidance have been modified each year since then, and as of 2021, there are 22 mandatory and nine advisory controls.10 By starting small and revising the model each year, SWIFT has been able to address the evolving cyberthreat landscape and the diversity of user environments across technologies and SWIFT’s own products and services.

For any program to be successful, buy-in from stakeholders is critical. This can be obtained by starting small and demonstrating positive results and quick wins for the stakeholder community. Based on these initial results, additional support can be secured to address larger objectives and scale the initiative.

Lesson 2: Develop a Sense of Shared Responsibility
After the Bangladesh Bank attack, it became clear that it was not a question of if a cyberattack would occur but when. It was also clear that the ownership of security cannot be outsourced to service providers or outsourcing partners. It is the organization’s responsibility to secure the confidentiality, integrity and availability of the systems and environment owned by them, end to end, including every asset on the estate.

Through the CSCF, SWIFT educates its users about how to secure their environments and which key risk factors to be aware of. This is complemented by having users report their compliance to SWIFT. The act of reporting compliance to SWIFT creates a sense of obligation to secure the environment and of shared responsibility to secure the ecosystem among all users and customers. This approach enables all parties to do their part to secure the environments within their control and help build a secure end-to-end system.

Lesson 3: Share Information
SWIFT’s CSP and its Information Sharing and Analysis Centre (ISAC) have enabled users to exchange lessons learned from cyberattacks. Through a dedicated security intelligence team that shares the latest anonymous information on indicators of compromise and the modus operandi used in known attacks, SWIFT’s users and customers can stay apprised of evolving cyberthreats. Further, SWIFT has mandated that its customers and users share cyberthreat information in the case of a breach. By establishing avenues for the exchange of threat information that is focused and of immediate relevance, SWIFT has empowered users to proactively identify, detect and respond to attacks in a continually changing cyberthreat landscape.

Lesson 4: Adopt a Flexible Approach
Since the inception of the CSP in 2016–2017 and until 2020, SWIFT allowed users to conduct self-assessments of their compliance with controls and submit the results to SWIFT. However, beginning in 2021, these assessments must be conducted by independent parties.11 This gave users and customers ample time to implement controls and obtain historical data points to demonstrate the maturity and success of those controls. By trusting users to secure their own environments, perform self-assessment exercises and submit the results, SWIFT permitted them to participate in the program and comply on their own, rather than taking an approach that involved external scrutiny. By providing this kind of flexibility to users, compliance programs can demonstrate better outcomes and wider participation to achieve the common objective of building a secure ecosystem.

Lesson 5: Bring All Stakeholders Together
The compliance results submitted by users are shared with regulatory agencies and supervisors of the respective sectors within each country. These compliance results are also visible to the counterparties with whom financial messages are exchanged. Thus, through one initiative, SWIFT has brought users, counterparties, regulators and supervisors onto a common platform and provides the same set of data to verify compliance with a common set of controls. This ensures transparency and a sense of responsibility toward one another, thereby facilitating a coordinated response and joint ownership of a shared goal.

Conclusion

At the inception of the CSP in 2016–2017, only 77 percent of users submitted their compliance reviews to SWIFT. This rate has gradually increased, and as of July 2020, it stood at 96 percent. These numbers may not mean much, but the effort has certainly strengthened the cyberdefenses of the financial services sector. The majority of the funds from the Bangladesh Bank heist, which took place prior to the introduction of the framework, have not been recovered. This trend has recently been reversed, and the recovery of stolen funds in other SWIFT-based cyberattacks is now possible through a coordinated response. Further, the amount of funds subject to attack has been drastically reduced by a factor of three since the inception of CSP, as is evident from SWIFT’s measurement and monitoring practices.12 This demonstrates that a coordinated response against cyberattacks is the key to success. All the efforts that SWIFT and its user community had targeted to achieve in 2016 (i.e., to recover the entire proceeds of the fraud, bring the perpetrators to justice and protect the global financial system from these types of attacks) are now being achieved.

Although the cyberthreat landscape is always evolving, a community’s preparedness to detect and respond to such threats is what matters. For governments and industry forums looking to build their own compliance programs, SWIFT’s CSP is a good model that can be replicated to achieve similar objectives. The principles of the program can act as a foundation to build programs that foster a coordinated response. As long as enterprises continue to follow this path, their defenses will get stronger, and the impact of cyberattacks will be reduced. 

Endnotes

1 SWIFT, SWIFT: The Global Financial Messaging Provider, Belgium, May 2016, http://www.swift.com/
2 White, G.; Lee, J. H.; “The Lazarus Heist: How North Korea Almost Pulled Off a Billion-Dollar Hack,” BBC, 21 June 2021, http://www.bbc.com/news/stories-57520169
3 US Department of Justice, “North Korean Regime–Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions,” 6 September 2018, http://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
4 Amin, N.; Hossain, S.; “Not Much Progress Recovering Bangladesh Bank’s Stolen Money,” The Business Standard, 4 February 2020, http://www.tbsnews.net/economy/banking/not-much-progress-recovering-bangladesh-banks-stolen-money-41711
5 SWIFT, “Joint Statement: Federal Reserve Bank of New York, Bangladesh Bank and SWIFT,” 10 May 2016, http://www.swift.com/news-events/pressreleases/joint-statement-federal-reserve-bank-newyork-bangladesh-bank-and-swift-0
6 SWIFT, “Customer Security Programme (CSP),” http://www.swift.com/myswift/customer-security-programme-csp
7 SWIFT, “SWIFT Customer Security Controls Framework,” http://www.swift.com/myswift/customer-security-programme-csp/security-controls
8 Ibid.
9 Ibid.
10 KPMG, “The 2020 SWIFT CSP Update and Its Impact,” http://home.kpmg/be/en/home/insights/2020/04/ta-the-2020-swift-csp-update-and-its-impact.html
11 Op cit SWIFT
12 SWIFT, “Customer Security Programme: CSP Evolution and Effectiveness,” http://www.swift.com/swift-at-sibos/customer-security-programme-evolution-and-effectiveness

Ninad Dhavase, CISA

Is currently employed by a big four consulting enterprise in Singapore and has 12 years of experience in cybersecurity, with a focus on the financial services sector, including banking, capital markets, insurance and payments domains. His previous experience includes working with India’s largest stock exchange and clearing enterprise, leading the cybersecurity governance, risk and compliance management areas. He volunteers as an ISACA® Journal article reviewer and has been a presenter at public forums and training sessions.