In February 2016, the world witnessed a sophisticated cyberheist in which the computer terminals of Bangladesh Bank, which interfaced with the Society for Worldwide Interbank Financial Telecommunication’s (SWIFT) communication system, were compromised.
SWIFT provides secure messaging services for financial transactions across a range of products and services offered by financial institutions around the world. It is a leader in message exchange platforms, and the financial world relies on the shared benefit and community-driven trustworthiness that SWIFT provides with its transactions.
In the Bangladesh Bank heist, SWIFT’s own platform was not compromised. Instead, the bank’s environment was compromised, which allowed the attackers to hijack user credentials and gain access to the SWIFT platform. With that access, they passed fraudulent transaction messages and ultimately siphoned money out of the bank’s accounts.
This heist woke up the financial world.
In the aftermath, Bangladesh Bank’s Governor was asked to resign, and a range of investigations were initiated to understand and learn from the incident. It proved to be a watershed moment in the cyber world as the lessons learned have had a long-lasting impact for the financial services industry and other critical sectors around the world.
As a step toward building better defense controls and enhancing the cybersecurity controls in users’ environments, SWIFT introduced a community-driven compliance program that encouraged users to secure their environments and to develop a sense of shared responsibility toward the wider financial services community and society in general.
The program was developed with the following objectives in mind:
- Securing and protecting the environment
- Preventing and detecting attacks
- Sharing and preparing
The program comprises eight principles and 31 mandatory and advisory controls (as of 2021). It has evolved continuously over the years to help financial institutions strengthen their defenses and be better prepared to tackle attacks.
The principles of this program can be used as a reference guide for communities to build similar, community-driven compliance programs. Some of the key lessons that communities can draw from this example when building their own programs include:
- Start small and evolve.
- Share responsibility.
- Share information.
- Be flexible.
- Work together.
Although the cyberthreat landscape is ever evolving, what matters is a community’s preparedness to detect and respond to such threats. For governments and industry forums looking to build their own compliance programs, SWIFT’s compliance program is a good reference case that they can replicate to achieve similar objectives.
Editor’s note: For further insights on this topic, read Ninad Dhavase’s recent Journal article, “SWIFT’s Customer Security Program: Lessons for the Cybersecurity Community,” ISACA Journal, volume 1, 2022.