After several significant security breaches, Swift has finally introduced a series of mandatory security requirements to supplement a set of existing guidelines. Details of the company’s new security controls were posted to its website.
The controls are a set of 16 core security standards that customers will have to state they have complied with as of the second quarter of 2017, or Swift will report them to regulators beginning January 2018. Wow, that is a long lead time for such a crucial aspect of the banking industry. Customers will have to demonstrate their compliance annually, and a randomized group each year will also have to show that their internal and external auditors agree. Using a bit of peer pressure, customers’ compliance status also will be made available to their trading partners within the Swift network.
- All customers to physically segregate Swift-related equipment in a designated zone;
- Protect access to tokens that contain Swift credentials;
- Conduct annual security training for all staff, especially those with privileged access roles;
- Have cyber incident response plans.
These seem to be pretty basic and just good common practices.
Additionally, Swift laid out 11 suggestions for customer security that are voluntary. The new standards sit on top of the company’s existing security guidelines, which are available to users in a restricted part of its network. Customers will obtain more details of the program next month, before a two-month consultation period that will conclude with Swift’s publication of final standards by the end of March 2017.
A committee of central banks is now looking to draft international guidelines covering the cybersecurity responsibilities of Swift and correspondent banks, aiming to provide a framework that doesn’t currently exist across borders.