On February 15, 2019, the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) published guidelines for assessing cybersecurity counterparty risk for financial institutions (the “Guidelines”). The Guidelines are important because the SWIFT banking and payments network is a key target for malicious actors. Financial services institutions thus have strong incentive to view ensure the Guidelines are implemented globally in order to minimize cybersecurity risk.
The Guidelines are non-binding and SWIFT has limited enforcement powers against member institutions. Nevertheless, they are legally significant. Compliance with cybersecurity best practices and industry standards is a common term in cyberinsurance contracts. An organization’s ability to claim under a cyberinsurance policy in the event of a cyber incident may thus be impacted by implementation of the Guidelines. Furthermore, information about cybersecurity compliance (or noncompliance) is also likely to be sought by litigants in the event an organization’s data is lost or compromised. It is important to work with counsel to ensure an appropriate privilege strategy is in place to protect this information.
Implementation of the Guidelines is also a business imperative. No member of the SWIFT network wants to transact with a party who does not employ cybersecurity best practices. Full compliance with the Guidelines as well as domestic regulatory requirements is vital to ensuring financial institutions are able to maintain the benefits of the SWIFT network.
The first major recommendation contained in the Guidelines is the establishment of a cybersecurity governance model to systematize oversight of cyber risk management processes. For example, cybersecurity governance could be structured according to the 3 lines of the defence model. Frontline risk decisions relating to internal controls and operations can be taken by the first line. Escalations can be brought to the second line, as long as they have some degree of operational independence from the first line. The third line of defence is the independent auditing and assurance of first and second line behaviour.
A cybersecurity governance structure should incorporate cross-disciplinary expertise including stakeholders from the line of business, payments operations, IT, information security, risk management, compliance and audit. The Guidelines also suggest giving oversight of the cybersecurity governance framework to a senior executive in order to ensure accountability and facilitate information flow to the Board of Directors.
Cybersecurity Risk Management
In addition to having an effective governance model, organizations should also establish a cybersecurity risk management framework for dealing with counterparties. First, organizations should gather necessary data on counterparties and their cybersecurity practices. This includes region of operation, degree of regulatory oversight, size and ownership structure, history of the counterparty relationship, known cyber incidents, and information on transaction type, value and frequency.
After gathering this data, organizations should then analyze the level of risk posed against their own risk appetites. Risks should be scored based upon the organization’s rules for counterparty transactions, the organization’s risk models, and expert judgement. Once the risk is scored, an organization can implement appropriate measures to “treat” the risks.
The Guidelines suggest using risk mitigation countermeasures based on both the business relationship an organization has with the counterparty as well as the nature of the transaction. For example, an institution can request counterparties provide additional controls, fraud detection systems, or independent assessments to substantiate information. Transactions should be flagged for review based on their type, value, currency, and ultimate destination of the funds. Higher risk transactions should be reviewed by a second set of eyes and subject to additional verification procedures by the counterparty. These mitigation approaches can be tailored based on the counterparty’s risk profile and the organization’s own regulatory requirements and risk tolerance.
Often direct outreach to senior management may be the best method of communicating. Strengthening these relationships not only can be useful in providing reassurance, but is also important in the event of a cyber incident. The Guidelines encourage organizations to periodically review counterparty risk profiles and adjust their communication and mitigation approaches accordingly.
Cybersecurity counterparty risk is very real. The well-documented 2016 incident of fraudulent transfer requests from the Bangladesh Bank to the Federal Reserve Bank of New York resulted in US$81 million going missing. Organizations should consequently take the Guidelines very seriously and work with counsel to ensure that they have appropriate cybersecurity governance, risk management, and risk mitigation processes in place.