Addressing the Third Party Threat: Five Financial Industry Takeaways from the SWIFT Hack

By Special Guest
Joe Fantuzzi, CEO of Riskvision.
October 12, 2016

It has now been several months since more than a dozen financial institutions associated with the Society for a Worldwide Interbank Financial Telecommunication (SWIFT) banking network were first pummeled by a series of malicious hacks. But the unprecedented series of attacks are far from a distant memory. Among other things, the attacks underscored that even the highly regulated banking industry isn’t immune to attack, especially if security infrastructure belonging to its partners, business associates or industry counterparts isn’t up to par. The overarching message? Your security is only as good as the security of your partners’ and connected third parties’ security.

Hackers Target Extended SWIFT Network

The now notorious SWIFT global payments hack occurred when attackers leveraged SWIFT credentials stolen from a Bangladesh bank to compromise and transfer money from the institution, walking away with an estimated $81 million in what became known as the biggest cyber heist in history.

Equipped with the necessary credentials, the attackers were then able to infiltrate other banks connected over the SWIFT network, gaining access to at least a dozen financial institutions, including banks in the Philippines, New Zealand and others located in Southeast Asia. Among other things, the attack indicated a far-reaching, well-funded and meticulously organized campaign targeting the global banking system. And while it’s still uncertain if the perpetrators took anything in the multiple breaches following the Bangladesh hack, it became abundantly clear that this type of attack would likely happen again on extended third party networks often replete with blind spots to security and risk posture.

That said, the SWIFT hack doesn’t embody the classic definition of third party vendor risk –  SWIFT is a network of connected banks that provided what was believed to be a secure, reliable and predictable conduit through which financial institutions around the world can send and receive information.

So how was SWIFT responsible for the relentless series of attacks against a dozen banks all over the globe? While the SWIFT network itself was secured, the banking authority failed to ensure that all the banks connected over its network were properly secure. Because SWIFT was the vehicle through which information traveled from bank to bank, it was also the same vehicle that the hackers used to access partnering banks and distribute malware. One successful exploit gave the perpetrators unfettered access to a broad range of other targets. As a result, all of the other banks on the network could be considered the vulnerable “third parties.”

And while SWIFT is now considering axing any banks on its network with substandard security, the risk around its vulnerable partners could likely have a long and far-reaching impact that include damaged brand and reputation and increased regulatory scrutiny.

Financial Organizations Can Beat the Odds of Attack

Following the attacks, investigations determined that the SWIFT systems have appeared to be secure and compliant. But it didn’t matter because the attack also underscored that an organization’s security is only as good as the weakest and most vulnerable party in the entire network. If third party partners are vulnerable, then – depending on their level of access to your networks and critical data – it’s likely you’re vulnerable too.

However, there are a few precautions that financial organizations can take to ensure that they don’t end up as the next highly publicized data breach victim.

Be Aware of Potentially Hidden Risks Associated with Third Parties, Transfer Authorities and Other Extended Networks

 When contracting with third party vendors and other partners, it pays to conduct a thorough assessment of their security posture. Determine compliance requirements. Study previous audits. Assess their security solutions.  Then consider their level of access to your network or critical data. Almost all organizations leverage third parties on a regular basis, which increases risk and expands their overall potential attack surface. While most financial organizations are subject to stringent compliance regulations, many of their partners are not beholden to the same standards. Taking the time thoroughly perform proper due diligence and screening, while ensuring that the security measures of partnering third parties are up to par goes a long way to mitigate risk down the road.   

Educate Yourself About the Current Threat Landscape

In light of evolving and rapidly accelerating attacks targeting the financial services industry, security teams need to increasingly rely on colleagues and not be averse to sharing threat intelligence with their peers. Attending financial and cybersecurity events enables threat information to travel across the industry that can boost everyone’s defenses and improves risk posture. In fact, fellow security professionals will likely be your greatest ally in combatting cyberattacks.

Proactively Meet with Auditors Who Can Assess Risk Environment

From Financial Industry Regulatory Authority (FINRA) mandates to regulations around the Consumer Financial Protection Bureau (CFPB) and even the US Patriot Act, the federal government has no shortage of ways to hold financial institutions accountable for securing customers money and sensitive financial information. To put the odds more in their favor, financial organizations should take steps to proactively meet with auditors who can assess compliance and risk posture and make suggestions before it really counts. It never hurts to get ahead of the auditors, and banks that take steps to close security gaps and avoid unnecessary compliance risk will have a few more balls in their court come audit time.

Stay on Top of New and Updated Compliance Regulations

Financial institutions have to adhere to a slew of compliance mandates – even when they abruptly change without notification. Not paying attention to a compliance regulation that requires a new technology or new data to protect (e.g. data accessible by third parties) could result in costly fines and other penalties as well as increased scrutiny from auditors. With an organization’s bottom line at stake – not to mention brand and reputation -- it pays to stay ahead of the curve and remain apprised of the latest compliance updates.

Implement a Comprehensive Third Party Risk Reduction Solution

Operational risk teams these days are being stretched ever thinner to deal with the proliferation of vulnerabilities, cyber threats and compliance issues that comprise today’s risk environment – making it all the more imperative for them to invest in a comprehensive third party risk solution. Once screened, third parties must be risk assessed by function (Legal, HR, IT, etc) before being contractually on-boarded. Companies also must ensure they have clear risk oversight and control functions implemented to ensure their risk appetite and posture is strategically aligned to business objectives. Finally, a continuous monitoring of things like negative news, service level agreement violations and other aspects of third party performance must also be in place. Modern third party risk solutions offer significant workflow automation to these steps, and provide new and enhanced insights into the risk environment of contractors and partners with access to sensitive financial data, reducing threat vectors, surprises from compliance auditors and the chances of damaging breaches.

Joe Fantuzzi  is CEO of RiskVision and drives the company's overall business direction, strategy, and execution. He is an expert in creating high-growth, venture-backed businesses in emerging technology markets, and has helped building over $3 billion in market valuation as an executive for industry leading companies throughout his career.




Edited by Stefania Viscusi
SHARE THIS ARTICLE
Related Articles

Verizon, Oh Verizon, Where Are You Going?

By: Doug Mohney    2/23/2017

Last June, Verizon closed a $4.4 billion deal to buy AOL. Executives said the acquisition would enable the company to layer AOL's advertising strength…

Read More

AMD: The Time For Ryzen Has Arrived

By: Rob Enderle    2/23/2017

The Ryzen part is a powerful alternative to Intel's offering, which will result in several new, more powerful, and affordable systems for those that g…

Read More

Voice 2017 - Best of Times, Worst of Times

By: Doug Mohney    2/21/2017

Voice is in a unique position these days, judging from the conversations I've had over the past six weeks during CES and ITEXPO. Available quality is …

Read More

Needed: Better Location Tech for RideShare Services

By: Doug Mohney    2/21/2017

Uber, Lyft, and other ride services have pushed the bounds of location tech to the point of frustration for end-users, both drivers and customers alik…

Read More

Human Carrying Drones May Arrive in 2017

By: Rob Enderle    2/21/2017

There are a couple really big problems that will likely make human carrying drones more of a tourist attraction than a real solution for some time, bu…

Read More