On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81 million from the Bangladesh central bank. According to FFIEC, the hackers may have used the SWIFT system to:
- bypass a bank’s wholesale payment information security controls;
- obtain operator credentials to create, approve and submit messages;
- demonstrate a sophisticated understanding of funds transfer operations;
- conceal and delay detection with customized malware to disable security logging and reporting; and
- transfer stolen funds across multiple jurisdictions quickly to avoid recovery.

To mitigate interbank messaging and wholesale payment risks, banks should update their information security procedures to address risks posed by compromised credentials. When reviewing their procedures, banks should consult the FFIEC IT Examination Handbook, specifically the Information Security, Business Continuity Planning, Outsourcing Technology Services, and Wholesale Payment Systems booklets.

While FFIEC’s statement does not contain new regulatory expectations, the recent manipulation of the SWIFT system demonstrates the importance of regularly assessing the bank’s inherent risk profile and evaluating each of the five cybersecurity domains, particularly cybersecurity controls. FFIEC’s statement regarding the cybersecurity of interbank messaging and payment networks is available here, and SWIFT’s customer communication on cybersecurity cooperation is available here.