Protecting your financial assets in the era of SWIFT attacks

Wednesday 24 August 2016 08:24 CET | Editor: Melisande Mual | Voice of the industry

Frederick Scholl, Monarch Information Networks: SWIFT heists and ACH attacks are not new, but the scale and audacity of these attacks are growing

The recent USD 81 million Bangladesh attack on the SWIFT system again brings up the vulnerabilities in the banking system, this time in the wholesale payments business. SWIFT heists and ACH attacks are not new, but the scale and audacity of these attacks are growing. To defend against them you need a good incident response process, but also a strong cybersecurity defense. In the last two years, incident response took center stage within businesses, but today defense is becoming cool again as management realizes it cannot afford to respond to an ever-increasing number of breaches.

To build a defensive strategy, you need a security framework. These range from prescriptive ones, such as PCI DSS (now in release 3.2), to those based on risk and continuous improvement. The latter include ISO 27001 and the US NIST Cyber Security Framework (CSF). Prescriptive frameworks can be difficult to apply effectively to diverse organizations and systems. Risk-based approaches leave too many important details to the financial organization itself, and few of us are really good at analytical risk assessments.

Last summer, the US FFIEC introduced its CAT (Cybersecurity Assessment Tool). The CAT contains some novel approaches that will help organizations build successful security programs. If you are governed by US banking law, you need to comply with the CAT’s baseline standard. If not, you can still use it as a best practice for building your own program. I have successfully used it to assess cybersecurity at financial organizations and help them plan remediation.

The CAT is organized around three steps. First, figure out your organization’s inherent risk. This is done using a business-oriented approach, in which you describe the extent and complexity of your operations. You need to determine the risk level for each of 39 different activities, grouped into five categories. The CAT provides language to make this straightforward. Next, you need to assess your organization’s cybersecurity maturity. Again, the CAT provides specific language so you can determine your maturity level in each of its five domains. There are five levels of maturity, ranging from Baseline to Innovative. If you need to meet US FFIEC audit requirements, you will need to meet the Baseline requirements.

The CAT’s novel approach combines the prescriptive with the risk-based, and it is business aligned. The description of inherent risk includes questions such as: how many ATMs do you have, and do you have a mobile presence? The maturity levels include specific controls that you must use to meet that level. For example, to achieve an Innovative level for risk assessment, you need to update the results in real time. For Baseline, you need to adopt more traditional assessment techniques, which are spelled out by the CAT. Moving your security program up the maturity ladder will help maintain its effectiveness. The CAT tells you what to do; you need to put this into the context of your business, regulatory and financial environment.

About Frederick Scholl

Frederick Scholl is a highly accomplished Global Senior Information Security Risk Manager qualified by 20+ years of experience in multiple industries. Dr. Scholl earned a Ph.D. in Electrical Engineering and a Bachelor of Science in Electrical Engineering from Cornell University. He also completed an Internet Law Program at Harvard University, and holds CISM, CISSP, PCIP, ITIL and CHP security certifications.


About Monarch Information Networks

Monarch Information Networks is a services company specializing in the field of Information Security for trusted businesses. They have been in business for 18 years and have a client base consisting mainly of Fortune 500 companies and leading companies that depend on information to run their business.
