Moving Ahead with the Attestation Framework: People Risks in Cyber Security
"Insider threats have been a major risk to governments and organisations around the world for many years." - ENISA Threat Landscape Report 2017
We were pleased to report the significant number of SWIFT customers who had attested their level of compliance with the mandatory security controls by the 31 December 2017 deadline. While the near-total level of completed attestations demonstrates the seriousness with which the financial industry is taking the cybersecurity threat, and its willingness to provide transparency on cybersecurity, this is only a first step.
All SWIFT customers should now be working both to absorb this information from their counterparts and build it into their risk assessments, as well as to address any gaps in their own compliance with the mandatory controls. All customers will have to re-attest against the controls by the end of this year, confirming their compliance with all mandatory controls.
Compliance is not a silver bullet in ensuring you are cyber resilient. Customers need to consider detection and response in addition to securing and protecting their environment. These best practices should be applied not only to the SWIFT infrastructure but the full end-to-end transaction eco-system within their firms, including payments, securities trade and treasury.
SWIFT continues to share insights on Modus Operandi and Indicators of Compromise, but we also continue to see the same basic pattern. First, the customer's local environment is compromised; second, valid operator credentials are obtained and used. In protecting against these two critical first steps, customers must consider insider as well as outsider threats: attacks will not necessarily be perpetrated by remote outsiders, and malicious insiders present just as much risk.
The Controls help address this risk by targeting the weaknesses that enable it: a lack of user privilege segregation (Control 1.2); missing transaction business controls (Control 2.9A); poor password policies (Control 4.1); inadequate logical access controls based on need-to-know, least privilege, and segregation of duties (Control 5.1); and shortcomings in personnel vetting (Control 5.3A). These controls should apply throughout organisations, ensuring that no access permissions or privileges are unintentionally granted to persons or business areas.
Once they have obtained valid credentials, attackers (or insiders) can submit fraudulent messages and subsequently attempt to hide the evidence. Here users need to implement measures for both prevention and detection. This includes transaction business controls (Control 2.9A) such as RMA and reconciliations, which could leverage Daily Validation Reports (DVR) and the Payment Control Services that will launch later this year. Ensuring you have implemented appropriate back-office data flow security (Control 2.4A), and that you have integrated with your back-office core banking system, treasury system or the like, is also key to prevention and detection.
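As an added illustration of the reconciliation control described above (this is example code written for this page, not SWIFT's code and not how DVR or the Payment Control Services work), the check below compares the messages that left the messaging interface against the instructions the back office actually authorised. All records are constructed sample data; the three discrepancy classes it flags are the ones a reconciliation should surface: a message with no back-office origin, a message whose amount or beneficiary was altered, and an authorised instruction that is absent from the outbound log (a possible sign of suppressed evidence).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str          # transaction reference shared by both systems
    amount: int       # minor units (e.g. cents) to avoid float rounding
    currency: str
    beneficiary: str  # constructed placeholder, not a real BIC/account


def reconcile(outbound, back_office):
    """Return sorted (finding, ref) pairs for every discrepancy found."""
    bo = {p.ref: p for p in back_office}
    out = {p.ref: p for p in outbound}
    findings = []
    for ref, msg in out.items():
        inst = bo.get(ref)
        if inst is None:
            # Message sent with no authorising instruction behind it
            findings.append(("NO_BACKOFFICE_ORIGIN", ref))
        elif (msg.amount, msg.currency, msg.beneficiary) != (
            inst.amount, inst.currency, inst.beneficiary
        ):
            # Instruction exists but the message was altered in transit
            findings.append(("MISMATCH", ref))
    for ref in bo.keys() - out.keys():
        # Authorised but never seen leaving: possibly deleted from the log
        findings.append(("MISSING_FROM_OUTBOUND_LOG", ref))
    return sorted(findings)


def totals_by_currency(payments):
    """Aggregate view (the kind of figure a daily validation report carries)."""
    totals = {}
    for p in payments:
        totals[p.currency] = totals.get(p.currency, 0) + p.amount
    return totals


# Constructed sample data for the example
BACK_OFFICE = [
    Payment("TRN001", 1_500_000, "USD", "BENEFICIARY-A"),
    Payment("TRN002", 250_000, "EUR", "BENEFICIARY-B"),
    Payment("TRN003", 90_000, "GBP", "BENEFICIARY-C"),
]
OUTBOUND = [
    Payment("TRN001", 1_500_000, "USD", "BENEFICIARY-A"),  # clean
    Payment("TRN002", 250_000, "EUR", "BENEFICIARY-X"),    # beneficiary swapped
    Payment("TRN004", 9_900_000, "USD", "BENEFICIARY-Y"),  # no instruction
]
```

Running `reconcile(OUTBOUND, BACK_OFFICE)` on the sample yields one finding of each class, and comparing `totals_by_currency` for the two sides shows the USD total inflated by the unauthorised message.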
Finally, and as indicated above, users should be incorporating their counterparties' attestation data into their risk management and business decision-making processes, alongside other risk considerations such as KYC, sanctions and AML. Use of the KYC Registry Security Attestation Application (KYC-SA) gives organisations an opportunity to be transparent about their attestation status, which should increase the trust and confidence of their counterparts. The transparency provided by this counterparty data exchange is driving attestation and compliance with the controls, as institutions seek to demonstrate their cybersecurity posture to their counterparties.