Second SWIFT Attack: Still on the fence about insider risk?



SWIFT warns of ‘malicious insiders’

News broke late last week of a second successful cyber-attack involving the SWIFT network—this time at an as-yet-unnamed commercial bank in Vietnam. Like the attack on the Bangladesh Central Bank, this heist very likely included cooperation or carelessness from someone inside the bank. Both SWIFT and independent industry experts warn that these types of brazen attacks will likely accelerate.

Certainly every bank must revisit its SWIFT-related cyber-security measures—but banks need also to reassess internal threats posed by employees who use SWIFT credentials and have knowledge and access to bank processes and IT systems.

The New York Times reported last Thursday on a notice shared by SWIFT with its members. The Times quotes the SWIFT notice as warning that “the attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both.”

SWIFT’s warnings about the sophistication of the attacks are part of what is fueling intense concern. In the Bangladesh heist, some in the industry initially downgraded the magnitude of the larger threat by attributing the heist in part to inadequate tech and security measures in Bangladesh. But analysts cited in the Times report describe how the banks’ attackers tailored their approach to specific procedures used in each bank—for example, disabling a printer in Bangladesh but installing malware in a PDF application in Vietnam. The level of knowledge—of each bank’s SWIFT messaging credentials, connection systems to the SWIFT network, and day-to-day operations—is alarming, especially given the extraordinary amount of bank money that can be stolen without even walking into a bank.

In its letter, SWIFT begged banks to reevaluate their security measures: “As a matter of urgency, we remind all customers again to urgently review controls in their payments environments.”

Employee and Vendor Risk Management

AML Partners CEO Frank Cummings said he expects banks to heed that call—but more so with their cyber security than with their human personnel: “In my experience, it’s easier to tackle tech threats than personnel ones,” Cummings said. “There are endless variables with people and it’s not comfortable to dig into people’s performances and past—there are disgruntled employees, financially-stressed ones, people susceptible to blackmail due to illegal or immoral behavior. And sometimes it’s just carelessness—like opening phishing emails or innocently downloading a corrupted restaurant menu or befriending the wrong person. The point is this: Financial institutions need to put a lot of thought into their ongoing due-diligence as it relates to the human factor.”

Cummings said AML Partners fields a lot of questions now regarding risk mitigation for vendors and human resources. He suggests a risk-based approach that is specific to people, and he urges customers to conduct systematic ongoing due diligence with personnel and vendors.

“We are proponents of tracking risk specific to your own organization, and we do that through InDuro, which is a digital blank slate where you can create your unique risk-mitigation workflow for vendors and employees,” Cummings said. “With InDuro, you can quickly and easily configure your unique HR on-boarding system as a stand-alone or as a part of a larger set of system workflows.”

He noted, for example, that an HR specialist could work with division managers to identify and predict risk and then create a workflow for onboarding and ongoing due diligence that included customized data collection, automated negative-news screening, document uploads that verify licensure or identification, document certifications and date-specific expiration/renewal requirements, ongoing records of censure or performance, email alerts for actions needed, and so on.

A good risk-aware foundation regarding personnel, according to Cummings, lies in evaluating your specific risk, knowing the signs and behaviors that accompany that risk, and being deliberate both in onboarding and ongoing due diligence so that you recognize those signs when they appear.


Software Solutions for Risk-Based Approaches

To learn more about our fully configurable software solutions to support your risk-based approaches, contact us today. We offer SURETY Eco, an amazing AML Compliance Ecosystem. And for vendor and employee risk, we offer InDuro, our ‘Everything App’ that provides a digital canvas on which you create, manage, and assess your enterprise’s workflows, processes, and risk.