28 February 2014

SWIFT CEO Gottfried Leibbrandt speaks at European Commission High Level Conference on Cyber-Security

Speech by Gottfried Leibbrandt at the High Level Conference on EU Cyber Security Strategy - Brussels, 28 February 2014

Good morning, and thank you for the privilege to address this distinguished audience in the context of Cyber security. I have a simple message; we are a global infrastructure and cyber security is a topic of crucial importance to us. We therefore applaud and enthusiastically support the Commission's Cyber Security Strategy and its Digital Agenda. As a global player we also have a few things we'd like to see to make Europe's efforts more effective in a global context.

OK, so what is SWIFT?

When discussing SWIFT with a general audience, the typical reaction I get is: “ah yes, the SWIFT-code that I use in international money transfers. You mean it is an actual company?” Yes, thank you, it is. We are about 2,000 people, half of those based here in Belgium, where we have our Headquarters, a few miles outside Brussels in La Hulpe.

Forty years ago, some 200 US and European Banks set up SWIFT as an industry co-operative to replace the telex with a truly digital, automated electronic network for transmitting payment messages; for those of you that remember that age – this was a daunting and bold ambition. Digital, then, was hardly a word.

Today, our highly secure, resilient, reliable and standardised “plumbing” connects over 10,000 institutions globally; that includes almost every bank you have ever heard of, central banks, the IMF, World Bank and European Investment Bank; over 1,000 corporates and over 170 Financial Market Infrastructures. SWIFT’s secure financial automated messaging services lie at the very heart of the modern global digital economy. We are Belgian, European – and global; we have offices in 23 countries around the world and connect institutions in more than 200 countries and territories. We are a Digital European Champion par excellence with global remit and activities.

So what’s our perspective on Cyber security?

Well, it is a bad, scary world out there, and it is getting worse. The cyber threat is very real and persistent. I’ll leave it to other speakers to give you the grim details, but if you are not paranoid yet, you should become so. Cyber-attacks are getting ever more sophisticated, and the landscape is getting more complex. While cyber criminals are getting ever better organised and funded, we now also have state actors, focussing not just on snooping, but on disruption.

And infrastructures should be a point of concern, because any disruption will have a significant impact on society. Electricity networks, water treatment and distribution, transportation systems, health care, communication systems, and indeed banks and financial infrastructures. If these things stop working for longer than a short while, people die. Europe is right to worry about it.

Now, for us cyber concerns are not new. We are trusted by our clients to process billions of high value payments messages a year. This requires a network that meets the highest standards in terms of:

  • Confidentiality: we carry sensitive financial information, which should not be accessible in any unauthorised way.
  • Integrity: meaning messages cannot be tampered with, and come from an authentic source.
  • Availability: we aim for “5 9’s” or 99.999% availability, which translates into a downtime of less than 5 minutes per year.

Our network was designed to meet these challenges. Data protection is core to what we do and cyber security is part of our DNA – it is not an afterthought. Not just hardware and software, but people, processes, procedures, checks, in fact a whole organisation for whom “failure is not an option”.

I like to think we are pretty good at cyber security, but I am also paranoid. The cyber threat that is so much spoken about today is not new to us – nor is it occasional: it is continual and it is growing, and we work very hard at continuously improving our cyber security. Every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. When we don’t sleep, it is because of cyber risks.

So, yes we fully support the EU Cyber Security Strategy. As we understand it, is designed to: improve Europe’s cyber resilience and defence policies; reduce cybercrime in Europe; promote European cyber security capabilities and help establish a coherent international cyber framework. We couldn’t agree more, and we applaud the Commissioner for her leadership in seeking to set out a framework and vision for European cyber security. Europe already has a strong Data Protection framework, which is good; it must be complemented by a strong cyber framework.

So what more can we ask for?

Actually, as a global infrastructure working out of Europe, we’d like to see three things:

First, international coordination. The Commission is focused on Cyber risks – and so too are other national and regional governments around the world. And rightly so. But, and there is a big but, we need internationally compatible regulations here – not fragmented national or regional ones.

As a European company with global activities we have to comply with the law everywhere. These laws and regulations are not always aligned and are at times contradictory; we are at the forefront of the most significant jurisdictional, cross border and extra territorial challenges that there are. Such challenges can hamper the activities of global infrastructures like ours with effects that go way beyond us; these challenges can cause disruption to the real world – to the real economy, to end users, to imports and exports. To GDP and employment.

Directly conflicting regulation is a critical challenge, and we would urge this Directorate, and indeed all legislators and regulators, to ensure that rules and regulations do nothing to limit digital companies’ abilities to operate across borders. We need legal certainty; we can’t be caught in the middle.

We agree that an EU cyber security framework is needed and that the bar must be set high. But the framework must work internationally, and the bar must be accepted internationally. If the Commission can achieve this, it will be able to ensure that Europe’s citizens are protected the way they should be, –that European players like SWIFT can operate globally and that competition inside and outside Europe flourishes. Subjecting digital operators to a patchwork of rules and or to conflicting demands will neither protect citizens, nor will it foster EU champions nor will it allow for a competitive marketplace.

Second, standards. It would be useful to have internationally agreed personnel vetting standards, supplier certification standards, readiness level standards and penetration testing standards; it would also be useful to have best practice definitions. Developing and agreeing standards will be a challenge internationally, and we will need to change and adapt the standards to keep up with technological developments and rising threat levels – but we should be bold and set out to do this. Sooner rather than later.

This will also make it much easier to reach agreement on oversight of global infrastructures like ourselves, making it for example easier for others to rely on ‘home-country cyber supervision’ both within Europe and globally.

So we support the Commission’s further promulgation of high standards for digital operators – but these standards must not result in barriers, in the disintegration or fragmentation of the digital economy – they must reinforce it. They must be globally accepted standards.

Third, we’d also like to see a robust, vibrant European ecosystem of experts and providers, as the Directorate proposes:

  • European players that can advise, design and test cyber readiness - we need technologies;
  • Good cyber security practices throughout the value chain; the creation of favourable market conditions for the development and adoption of secure ICT solutions in Europe;
  • Robust R&D, for example in cryptographic technologies. After all, the famous AES algorithm was designed less than 30 km away from here.

So, in summary, the cyber challenge is very real and urgent. And to the EU efforts and initiatives we say: “yes, please do and soon!” But as a global infrastructure, based in Europe, we’d like to urge you to make sure the efforts are coordinated internationally.

As the Commissioner has said, national fortresses and market barriers make it harder for Europe to lead in digital, harder for Europe to become the natural home of secure services. Data protection cannot mean data protectionism. A secure cyber environment in Europe must not mean an isolated Europe.

SWIFT, like Europe, was built on ambition; we share the Commissioner’s ambitions for a secure digital Europe.

Thank you.