It has now been several months since more than a dozen financial institutions associated with the Society for a Worldwide Interbank Financial Telecommunication (SWIFT) banking network were first pummeled by a series of malicious hacks. But the unprecedented series of attacks are far from a distant memory. Among other things, the attacks underscored that even the highly regulated banking industry isn’t immune to attack, especially if security infrastructure belonging to its partners, business associates or industry counterparts isn’t up to par. The overarching message? Your security is only as good as the security of your partners’ and connected third parties’ security.
Hackers Target (News - Alert) Extended SWIFT Network
The now notorious SWIFT global payments hack occurred when attackers leveraged SWIFT credentials stolen from a Bangladesh bank to compromise and transfer money from the institution, walking away with an estimated $81 million in what became known as the biggest cyber heist in history.
Equipped with the necessary credentials, the attackers were then able to infiltrate other banks connected over the SWIFT network, gaining access to at least a dozen financial institutions, including banks in the Philippines, New Zealand and others located in Southeast Asia. Among other things, the attack indicated a far-reaching, well-funded and meticulously organized campaign targeting the global banking system. And while it’s still uncertain if the perpetrators took anything in the multiple breaches following the Bangladesh hack, it became abundantly clear that this type of attack would likely happen again on extended third party networks often replete with blind spots to security and risk posture.
That said, the SWIFT hack doesn’t embody the classic definition of third party vendor risk – SWIFT is a network of connected banks that provided what was believed to be a secure, reliable and predictable conduit through which financial institutions around the world can send and receive information.
So how was SWIFT responsible for the relentless series of attacks against a dozen banks all over the globe? While the SWIFT network itself was secured, the banking authority failed to ensure that all the banks connected over its network were properly secure. Because SWIFT was the vehicle through which information traveled from bank to bank, it was also the same vehicle that the hackers used to access partnering banks and distribute malware. One successful exploit gave the perpetrators unfettered access to a broad range of other targets. As a result, all of the other banks on the network could be considered the vulnerable “third parties.”
And while SWIFT is now considering axing any banks on its network with substandard security, the risk around its vulnerable partners could likely have a long and far-reaching impact that include damaged brand and reputation and increased regulatory scrutiny.
Financial Organizations Can Beat the Odds of Attack
Following the attacks, investigations determined that the SWIFT systems have appeared to be secure and compliant. But it didn’t matter because the attack also underscored that an organization’s security is only as good as the weakest and most vulnerable party in the entire network. If third party partners are vulnerable, then – depending on their level of access to your networks and critical data – it’s likely you’re vulnerable too.
However, there are a few precautions that financial organizations can take to ensure that they don’t end up as the next highly publicized data breach victim.
Be Aware (News - Alert) of Potentially Hidden Risks Associated with Third Parties, Transfer Authorities and Other Extended Networks
When contracting with third party vendors and other partners, it pays to conduct a thorough assessment of their security posture. Determine compliance requirements. Study previous audits. Assess their security solutions. Then consider their level of access to your network or critical data. Almost all organizations leverage third parties on a regular basis, which increases risk and expands their overall potential attack surface. While most financial organizations are subject to stringent compliance regulations, many of their partners are not beholden to the same standards. Taking the time thoroughly perform proper due diligence and screening, while ensuring that the security measures of partnering third parties are up to par goes a long way to mitigate risk down the road.
Educate Yourself About the Current Threat Landscape
In light of evolving and rapidly accelerating attacks targeting the financial services industry, security teams need to increasingly rely on colleagues and not be averse to sharing threat intelligence with their peers. Attending financial and cybersecurity events enables threat information to travel across the industry that can boost everyone’s defenses and improves risk posture. In fact, fellow security professionals will likely be your greatest ally in combatting cyberattacks.
Proactively Meet with Auditors Who Can Assess Risk Environment
From Financial Industry Regulatory Authority (FINRA) mandates to regulations around the Consumer Financial Protection Bureau (CFPB) and even the US Patriot (News - Alert) Act, the federal government has no shortage of ways to hold financial institutions accountable for securing customers money and sensitive financial information. To put the odds more in their favor, financial organizations should take steps to proactively meet with auditors who can assess compliance and risk posture and make suggestions before it really counts. It never hurts to get ahead of the auditors, and banks that take steps to close security gaps and avoid unnecessary compliance risk will have a few more balls in their court come audit time.
Stay on Top of New and Updated Compliance Regulations
Financial institutions have to adhere to a slew of compliance mandates – even when they abruptly change without notification. Not paying attention to a compliance regulation that requires a new technology or new data to protect (e.g. data accessible by third parties) could result in costly fines and other penalties as well as increased scrutiny from auditors. With an organization’s bottom line at stake – not to mention brand and reputation -- it pays to stay ahead of the curve and remain apprised of the latest compliance updates.
Implement a Comprehensive Third Party Risk Reduction Solution
Operational risk teams these days are being stretched ever thinner to deal with the proliferation of vulnerabilities, cyber threats and compliance issues that comprise today’s risk environment – making it all the more imperative for them to invest in a comprehensive third party risk solution. Once screened, third parties must be risk assessed by function (Legal, HR, IT, etc) before being contractually on-boarded. Companies also must ensure they have clear risk oversight and control functions implemented to ensure their risk appetite and posture is strategically aligned to business objectives. Finally, a continuous monitoring of things like negative news, service level agreement violations and other aspects of third party performance must also be in place. Modern third party risk solutions offer significant workflow automation to these steps, and provide new and enhanced insights into the risk environment of contractors and partners with access to sensitive financial data, reducing threat vectors, surprises from compliance auditors and the chances of damaging breaches.
Joe Fantuzzi is CEO of RiskVision and drives the company's overall business direction, strategy, and execution. He is an expert in creating high-growth, venture-backed businesses in emerging technology markets, and has helped building over $3 billion in market valuation as an executive for industry leading companies throughout his career.