The news that SWIFT messages have been used to steal from banks has added to companies' cyber concerns recently. For businesses that use the financial messaging network, those worries may make connecting to SWIFT via a service bureau, already the route for many companies, a more popular option.

“Corporates are very concerned about what's happening in this current environment,” said Matteo Monaco, vice president of payment solutions at FIS, the banking and payments technology company that purchased SunGard last year.

The bank heists that were perpetrated using SWIFT messages have involved large sums. Most notably, in February cyber criminals stole $81 million from the central bank of Bangladesh's account at the New York Fed. Since then, there have been reports of similar incidents, successful or attempted, at other overseas banks.

Experts emphasize that it was the banks that fell prey to cybercriminals, not SWIFT.

“SWIFT was not hacked,” said Mark Webster, a partner at consulting firm Treasury Alliance Group. “A number of banks were hacked, and once they got into those banks, the hackers then used SWIFT messages.” Webster noted that the cybercriminals who hacked into the central bank of Bangladesh were using “fairly sophisticated malware.”

The cybersecurity of the banks that were robbed in some cases seems to have been substandard. For example, Bangladesh's central bank reportedly lacked a firewall and was relying on a cheap router.

“You're only as strong as your weakest link,” Webster said, adding that even corporates with strong cybersecurity could have holes, “which is why we recommend that people do a security review periodically.”

SWIFT Response

In the wake of the bank hacks, SWIFT announced a customer security program to define security standards for organizations using its network and to enhance its services to bolster protections for those customers. The program it outlined includes improving the sharing of information about cyber incidents; developing audit processes and certification standards for customers' cybersecurity around SWIFT messages; bolstering transaction pattern detection; and enhancing the support provided by third parties.

Among the enhancements of its own tools, SWIFT mentioned the use of two-factor authentication.

Ed Adshead-Grant, general director of payments and cash management at Bottomline Technologies, which operates a SWIFT service bureau and also provides access to SWIFT through its Universal Aggregator payments service, said he had seen “a lot more interest in the uptake” of two-factor authentication for SWIFT messages in the wake of the bank hacks. “And there's been a strong communication campaign on that in terms of adding extra to the users' security levels,” he said.

Earlier this week, SWIFT also announced that it was hiring two cybersecurity companies, BAE Systems and Fox-IT, and creating a customer security intelligence team that would investigate hacks of the environments of SWIFT users.

Service Bureaus vs. Alliance Lite2

The SWIFT network, which is owned by the banks, reaches more than 10,800 banks around the world. According to a recent SWIFT press release, more than 1,500 corporates use SWIFT to communicate with their banks. There are three ways that companies can connect to SWIFT: by installing their own interface—an expensive and infrequently used option; by employing a service bureau; or by using SWIFT's cloud solution, Alliance Lite2. A SWIFT spokesman said the organization does not disclose what portion of companies use the various methods.

[Photo: Matt Monaco, FIS]

FIS operates a service bureau, and Monaco cited corporate interest in using service bureaus as a way to access SWIFT. Companies that connect to SWIFT via the cloud with Alliance Lite2 have to take the responsibility for the security around their SWIFT messages, he said. “You need to ensure that you have the proper processes, protection, encryption. If you cannot handle it as an organization, if you do not have the proper tech expertise, it is then best to vend that out.

“That's where I think you see the trend toward looking at service bureaus,” said Monaco, pictured at left. “Why do I want to take the management and responsibility to protect this environment when there are organizations out there that have it encapsulated and protected, and monitor the environment for things like malware and fraud?”

Adshead-Grant also argued that the current environment is one in which companies may welcome working with someone with expertise in cybersecurity. “If you have an outsource partner, you can focus on your own business instead of worrying when these things come up,” he said. “We'll make sure your particular area is secure.”

Webster said that using Alliance Lite2 requires technology savvy that some companies lack. “You need a security officer, you need to go through training,” he said. “If you're using one of the better service bureaus and have really done your due diligence on whether they've done their security stuff, my take is that you're a little more secure going that way.

“We've done some work with major international companies where they ended up, after initially saying, 'We're going to manage the whole thing,' saying, 'Maybe we should go through a service bureau just to leverage the knowledge base,'” Webster added.

A service bureau also can help companies deal with differences in the way various banks use SWIFT messages, he said.

One of the arguments against using a service bureau is that it costs more than Alliance Lite2. But Webster said that while the fees for a service bureau are higher than fees for Alliance Lite2, companies have to consider all the costs involved in using Alliance Lite2, including training and staffing.

“The majority of companies that I'm aware of are using service bureaus at this point,” he said. “If it were way more expensive, people wouldn't be doing it that way.”

SWIFT's Technology

Enrico Camerinelli, a senior analyst at technology consulting company Aite Group, said the cyber heists indicate that SWIFT needs to upgrade its technology.

While the banks that were hacked may not have been taking all the necessary precautions, “if you want to be a universal system that all the banks use, you have to take that into account,” he said.

Camerinelli suggested the incidents will push SWIFT to invest more in cybersecurity, including the use of crypto-based algorithms.

Given “the capabilities of people working in software today to make systems more secure, maybe now is the time for SWIFT to start changing the system and adopting safer software,” he said, adding that given the technological capabilities of the hackers, “I'm afraid placing controls over controls will just make the system heavier and more difficult to use.”

Securing Payments

Of course, companies were thinking about the security of their payments even before the cyber heists. Monaco noted that a recent FIS survey of finance executives at more than 170 corporations worldwide found that more than half (52%) were very concerned about fraud stemming from payments and connectivity, while 59% cited improving controls as a key target of their payments projects.

Companies are tackling payment problems by centralizing processes and standardizing controls within their divisions, he said, and they are looking at using a payment factory or hub to give the corporate the visibility of payments being released globally within their organization. “By centralizing my process, I can more easily put security in place that can alert my organization of any suspicious behavior and stop potentially fraudulent payments prior to being sent to my bank,” Monaco said.

© 2024 ALM Global, LLC, All Rights Reserved.