SWIFT, the global inter-bank payments system, will threaten members with expulsion over poor cyber security in a shake-up in the organisation's security strategy.
That is the message of SWIFT CEO Gottfried Leibbrandt following a string of sophisticated cyber attacks at a number of banks, which seem to have been conducted by experienced attackers with knowledge of both SWIFT and banks' international payments procedures.
Responding to claims that SWIFT itself had been lackadaisical over the potential risks that cyber security lapses posed to its proprietary payments network, Leibbrandt admitted that the recent attacks had "changed the game completely".
Speaking to the Financial Times, Leibbrandt added: "We could say that if the immediate security around SWIFT is not in order we could cut you off, you shouldn't be on the network," he told the paper. "There are pros and cons to that. The pros are that it provides clarity that if you are on the SWIFT network you need minimum standards. I think the con is if you do it too heavy handed you could drive people to unsafe channels."
Faith in the integrity of the SWIFT system has been shaken by the cyber attacks, with one bank, Ecuador's Banco del Austro, suing HSBC and HangSeng Bank, the beneficiary banks that, it claims, held accounts in Hong Kong used by the thieves.
Leibbrandt was talking the Financial Times just days after SWIFT unveiled plans for improving security. These include tougher security and operational baselines, alongside tougher audit standards and certification processes. These would be policed by both SWIFT, as well as national and international regulators.
SWIFT has been on the back foot for the past month as more and more information has emerged, and more banks have been identified as targets of the cyber thieves - even though two of the four known attacks so far were foiled.
In the biggest attack, cyber thieves set-up a series of payments totalling $951m from Bangladesh Bank, the central bank of Bangladesh, from its account with the New York Federal Reserve. However, an overt spelling mistake in the name of one of the beneficiaries alerted a clerk at one of the correspondent banks routing the transactions, enabling most of them to be stopped.
At the end of May, it was claimed by security specialists Symantec that an analysis of the code pointed to a gang believed to be run from North Korea. That had followed earlier claims by BAE Systems linking the Bangladesh Bank attack specifically to the same group behind the attack on Sony Pictures Entertainment, which the US authorities had pinned on North Korea.
Budget carrier confesses to hack in January 2020, and has informed the Information Commissioner's Office
The Travelex ransomware raises the question, once again, of whether organisations should be obliged to provide more information
No zero-days patched in the latest release
Attack, which came as firm was preparing for Covid measures, was a 'perfect storm' CEO says
Make passwords at least 13 characters long and protect email with a strong passphrase, police advise
With Covid-19 related fraud through the roof it's time to review password policy, says South East Regional Organised Crime Unit