As the global financial system grows more diverse and interconnected, so does the threat landscape for financial crime. Financial institutions need to move from reacting to financial crimes after the fact to proactively monitoring for, identifying and thwarting them.
New technologies are usually adopted to increase revenue or reduce cost, and a bank's technology spend is commonly judged by the ratio of a system's total cost of ownership to the revenue it generates or the cost it saves. Only recently, after financial crimes caused significant damage to banks' reputations, have institutions been forced to invest heavily in implementing (and marketing) tools and controls, largely as a reaction to client concerns about security of both their data and their money.
The reactive posture forms very quickly once a financial or information breach is reported in the media. Case in point: SWIFT's Customer Security Controls Framework (CSCF), which requires every member organization to attest annually that it adheres to the mandatory controls in order to remain a SWIFT member.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) reported in March 2016 a cyber-attack on the Central Bank of Bangladesh, in which attackers used the bank's compromised SWIFT access to issue fraudulent payment instructions worth $81MM. Attacks and attempted attacks involving banks in Vietnam, Ecuador and the Philippines were also reported. In response, SWIFT introduced the Customer Security Controls Framework, with an annual attestation required of each of its more than 11,000 member institutions. The framework groups its controls under three objectives:
1. Secure your environment
• Restrict Internet access
• Protect Critical Systems from General IT Environment
• Reduce Attack Surface and Vulnerabilities
• Physically Secure the Environment
2. Know and limit access
• Prevent Compromise of Credentials
• Manage Identities and Segregate Privileges
3. Detect and respond
• Detect Anomalous Activity to Systems or Transaction Records
• Plan for Incident Response and Information Sharing
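The "Detect Anomalous Activity to Systems or Transaction Records" objective is the one most directly expressible in code. The following is an added example, not part of the original article or of SWIFT's framework: a rule-based screen over outgoing payment instructions that flags off-hours submission, large first-time payments to unknown beneficiaries, amounts far above a beneficiary's history, bursts of instructions from one operator, and instructions that do not reconcile with the bank's own ledger. Every record, account, operator name and threshold below is constructed for illustration and would be replaced by the institution's real data and risk appetite.

```python
"""Constructed example: rule-based screening of outgoing payment instructions
(SWIFT-style records) plus reconciliation against the local ledger.
All records, accounts, operators and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history of previously approved payments: beneficiary -> amounts (USD)
HISTORY = {
    "ACC-DE-1001": [120_000.0, 95_000.0, 110_000.0],
    "ACC-SG-2002": [40_000.0, 38_500.0],
}

# Constructed outgoing instructions for one business day (a Tuesday)
OUTGOING = [
    {"id": "MSG001", "ts": "2024-03-05T10:15:00", "operator": "opsA", "beneficiary": "ACC-DE-1001", "amount": 105_000.0},
    {"id": "MSG002", "ts": "2024-03-05T11:02:00", "operator": "opsB", "beneficiary": "ACC-SG-2002", "amount": 41_000.0},
    {"id": "MSG003", "ts": "2024-03-05T23:41:00", "operator": "opsA", "beneficiary": "ACC-PH-9001", "amount": 20_000_000.0},
    {"id": "MSG004", "ts": "2024-03-05T23:43:00", "operator": "opsA", "beneficiary": "ACC-PH-9002", "amount": 30_000_000.0},
    {"id": "MSG005", "ts": "2024-03-05T23:44:00", "operator": "opsA", "beneficiary": "ACC-LK-9003", "amount": 31_000_000.0},
]

# Constructed local ledger: the message IDs the bank's own system believes it sent
LEDGER_IDS = {"MSG001", "MSG002", "MSG005"}

BUSINESS_HOURS = (8, 18)          # 08:00-18:00 local time (assumed)
BURST_WINDOW = timedelta(minutes=5)
BURST_COUNT = 3                   # >= 3 messages from one operator inside the window
NEW_BENEFICIARY_LIMIT = 1_000_000.0
OUTLIER_FACTOR = 3.0              # amount > 3x the largest prior payment to that beneficiary


def screen(records, history, ledger_ids):
    """Return {message id: [reasons]} for every instruction that trips at least one rule."""
    alerts = defaultdict(list)
    by_operator = defaultdict(list)
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        by_operator[r["operator"]].append((ts, r["id"]))
        # Rule 1: submitted outside business hours or on a weekend
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts[r["id"]].append("off-hours")
        past = history.get(r["beneficiary"])
        if past is None:
            # Rule 2: first payment ever to this beneficiary, and a large one
            if r["amount"] > NEW_BENEFICIARY_LIMIT:
                alerts[r["id"]].append("new-beneficiary-large-amount")
        elif r["amount"] > OUTLIER_FACTOR * max(past):
            # Rule 3: far above anything previously sent to this beneficiary
            alerts[r["id"]].append("amount-outlier")
    # Rule 4: a burst of instructions from a single operator within a short window
    for items in by_operator.values():
        items.sort()
        for start, _ in items:
            window = [m for t, m in items if start <= t <= start + BURST_WINDOW]
            if len(window) >= BURST_COUNT:
                for m in window:
                    if "burst" not in alerts[m]:
                        alerts[m].append("burst")
    # Rule 5: reconciliation of what left the network gateway against the local ledger
    sent_ids = {r["id"] for r in records}
    for m in sent_ids - ledger_ids:
        alerts[m].append("missing-from-ledger")
    for m in ledger_ids - sent_ids:
        alerts[m].append("ledger-only")
    return dict(alerts)


if __name__ == "__main__":
    for msg_id, reasons in sorted(screen(OUTGOING, HISTORY, LEDGER_IDS).items()):
        print(msg_id, ", ".join(reasons))
```

With the constructed data, MSG001 and MSG002 pass cleanly, while the three late-night, multi-million-dollar instructions to unknown beneficiaries each trip the off-hours, new-beneficiary and burst rules, and two of them are also absent from the ledger. The reconciliation rule is the important one: an attacker who controls the messaging gateway can craft instructions that look individually plausible, but keeping the gateway's outbound log and the bank's ledger in agreement is much harder, so a mismatch between the two is a strong signal on its own.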
Each objective carries a set of 'mandatory' controls (alongside 'advisory' ones) that the member bank's CISO, or a more senior executive, must attest to before the end of each calendar year. The number of controls grows slowly year over year, both through tightened requirements within existing controls and through the addition of new ones. This standardizes the security rigor every member business or bank must demonstrate to remain in good standing on SWIFT's network. Similar assessments of other prevalent payment systems, such as ACH, EFT, EMT and cheques, are likely to follow shortly as payments-related regulation changes.
Financial institutions need to shift quickly to proactively monitoring for and thwarting cyber-attacks, physical attacks and fraud. Many vendors sell FinTech solutions to these problems, but the key is to design policies and controls that are assessed on a regular cadence, together with ethical hacking exercises, so that security gaps are uncovered and addressed before an attacker exploits them.
Contributed by: Faisal Ali, Skyward Technologies