SWIFT Breach Lessons For Financial Services Firms
Cybersecurity Awareness – By Ron Frechette
It’s been a year since the SWIFT Breach shocked the entire global financial services community. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global financial payment network used to communicate and transfer large sums of money between thousands of financial institutions across the world.
Cyber criminals installed malware that infected several bank systems, causing the illegal transfer of over $80mm from the Bangladesh Central Bank to fictitious bank accounts across the world. It appears the effort required some internal resources who shared information regarding security weaknesses within the bank and SWIFT systems.
The perpetrators infiltrated the bank’s networks, observed exactly how transactions were performed, and ultimately gained access to payment transfer credentials. Armed with that information, they requested several payment transfers from the Bangladesh Central Bank account, which happened to be within the Federal Reserve Bank of New York.
Because New York is the financial capital of the world, this may well have been a catalyst for the rapid implementation of the NYDFS Cybersecurity Requirements for Financial Services Companies (the Rules). The proposed rules, which went into effect as of March 1, 2017, require banks, insurance companies and other financial services institutions to have a cybersecurity program focused on protecting consumers. The first seven rules are listed below and serve as a great starting point for all types of financial services organizations to begin building a sound cybersecurity program:
- Cybersecurity Program. Develop and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s information systems.
- Cybersecurity Policy and Incident Response Plan. Develop and maintain a written cybersecurity policy and incident response plan.
- CISO. Designate a qualified individual for overseeing and implementing the cybersecurity program and enforcing cybersecurity policy. The person does not need a CISO title, and a third party can be used.
- Continuously Trained Cybersecurity Personnel. Use qualified personnel (including third-party service providers) that maintain sufficient current knowledge and training to manage changing cybersecurity threats and countermeasures.
- Limit Access Privileges. Companies are expected to limit user access privileges, and to periodically review those privileges.
- Notice of Cybersecurity Events. Beginning August 28, 2017, Covered Entities must start notifying the NYDFS no later than 72 hours after determining that an act or attempt, successful or unsuccessful, was made to gain unauthorized access to, disrupt or misuse an “Information System.”
- Risk Assessment. Covered Entities would be well advised at a minimum to conduct a limited risk assessment as it relates to the development and implementation of a cybersecurity program.
A key revelation from the SWIFT/Bangladesh Bank Breach was that cyber criminals find it much more lucrative to target financial services institutions’ entire networks rather than individual bank accounts. As a result, bank breaches have increased dramatically in 2017 and the state of NY did not waste any time in responding.
GoldSky Security applauds the state of NY for taking SWIFT action and putting controls in place to protect consumers’ personal financial information. These rules will be the first in the US and are expected to be a model for other states to follow in the very near future. We encourage all of our small-midsize financial services clients to contact us with any questions on how we can assist in implementing these controls and help you and your clients stay safe in cyber.