On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81 million from the Bangladesh central bank. According to FFIEC, the hackers may have used the SWIFT system to:
- bypass a bank’s wholesale payment information security controls;
- obtain operator credentials to create, approve and submit messages;
- demonstrate a sophisticated understanding of funds transfer operations;
- conceal and delay detection with customized malware to disable security logging and reporting; and
- quickly transfer stolen funds across multiple jurisdictions quickly to avoid recovery.
To mitigate interbank messaging and wholesale payment risks, banks should update their information security procedures to address risks posed by compromised credentials. When reviewing their procedures, banks should consult the FFIEC IT Examination Handbook, specifically the Information Security, Business Continuity Planning, Outsourcing Technology Services, and the Wholesale Payment Systems booklets.
Consistent with federal banking agency regulations and FFIEC guidance, financial institutions should take the following steps to improve cybersecurity controls:
- conduct ongoing information security risk assessments and ensure that third party service providers also perform effective risk management and implement cybersecurity controls;
- perform security monitoring, prevention and risk mitigation by confirming protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically;
- protect against unauthorized access by limiting the number of credentials with elevated privileges across the institution, especially administrator accounts, with the ability to assign elevated privileges to access critical systems;
- implement and test controls around critical systems by adopting cybersecurity controls, such as access control, segregation of duties, audit, and fraud detection and monitoring systems;
- manage business continuity risk by validating existing policies and procedures that support the bank’s ability to recover and maintain payment processing operations;
- enhance information security awareness and training programs by conducting regular, mandatory education and employee training across the enterprise, including how to identify and prevent phishing attempts; and
- participate in industry information-sharing forums including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Computer Emergency Readiness Team (U.S.-CERT).
While FFIEC’s statement does not contain new regulatory expectations, the recent manipulation of the SWIFT system demonstrates the importance of regularly assessing the bank’s inherent risk profile and evaluating each of the five cybersecurity domains, particularly cybersecurity controls. FFIEC’s statement regarding the cybersecurity of interbank messaging and payment networks is available here and SWIFT’s customer communication on cybersecurity cooperation is available here.