Banks assess the risks of new international security requirements

Little more than a month remains before the start of assessing banks' compliance with the new information security standards of the international SWIFT system, which were developed in response to frequent hacker attacks on banks. A survey of IT department heads at large banks shows that some of the new requirements will be extremely difficult to meet. According to the bankers interviewed, this involves significant organizational difficulties and, for certain categories of banks, material costs as well.

The head of SWIFT for Russia, the CIS and Mongolia, Matvei Gering, recently reminded bankers of the imminent transition to the new security standards. "On April 1 we will publish 27 control points, including 16 mandatory and 11 recommended. Until the end of the year banks will have to conduct a self-assessment for compliance with these principles," he said. "We will inform the regulators about banks that do not meet these principles." This concerns not only Russian players, but all banks working with SWIFT.

Russian banks assessed the new SWIFT security standards on the basis of their analysis of the first edition of the standards, which was communicated to banking market participants at the end of last year.

The press service of SWIFT for Russia, the CIS and Mongolia did not respond to a request sent several days ago. The landline numbers listed on the company's website did not answer.

SWIFT is the single international interbank system for exchanging standardized payment messages between banks, which is necessary for the fast and correct execution of payments. The system is used for both domestic and cross-border payments. It is the largest interbank system for transferring financial information: it comprises more than 11 thousand financial institutions in more than 200 countries and carries about 2 billion payment messages per year, for payments totaling about $6 trillion.

Tightening and verification

The trigger for tightening the SWIFT security standards was the attack on Bangladesh Bank in February of last year, when hackers withdrew $101 million after compromising the software that provides the bank's connection to SWIFT.

In particular, the new standard introduces additional requirements for anti-virus protection, for ensuring and verifying the integrity of software and databases, for staff training and the organization of their work, and for the storage of equipment. The new measures are also aimed at detecting anomalous activity within SWIFT and at hardening access to SWIFT accounts (in particular through the introduction of two-factor authentication), among other things. "In the past more emphasis was placed on the physical and logical isolation of the SWIFT system from other systems; the new mandatory requirements are aimed at the security of the end system's host operating system and application software, and at establishing processes to detect and prevent possible attacks," explains Andrei Gaiko, deputy director of Digital Compliance.
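One of the requirements listed above, verifying the integrity of software, is in practice a baseline-and-compare exercise: hash every file of a known-good installation, store the manifest somewhere the attacker cannot rewrite it, and periodically compare the live tree against it. The block below is an added illustration written for this page, not code from SWIFT or from any bank mentioned in the article; the directory layout, file names and the "patched binary" scenario are constructed for the demonstration, and nothing here reflects the actual wording of the SWIFT controls.

```python
"""Software integrity baseline and verification (added example, not from the article).

Assumptions (constructed for illustration): a manifest of SHA-256 hashes is built
from a known-good installation and later compared against the live file tree.
The sample installation is created in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative POSIX path: sha256} for every regular file under root.

    Symlinks are skipped: an attacker could repoint one at a benign file so that
    the hash matches while the program actually loads something else.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the stored baseline.

    Returns sorted lists under 'modified', 'missing' and 'added'. Added files
    matter as much as modified ones: a dropped-in library is a classic way
    to tamper with an application without touching its signed binaries.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake install, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "gateway").write_bytes(b"\x7fELF original binary")   # constructed
        (root / "config.xml").write_text("<config><mode>prod</mode></config>")  # constructed

        # The manifest is serialized as JSON; in a real deployment it must be
        # signed or kept off-host, otherwise the attacker simply rewrites it.
        manifest = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated tampering: patched binary, deleted config, injected library.
        (root / "bin" / "gateway").write_bytes(b"\x7fELF patched binary")
        (root / "config.xml").unlink()
        (root / "bin" / "helper.so").write_bytes(b"injected")

        return verify_baseline(root, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest: if it lives on the same host with the same permissions as the monitored files, whoever replaced the binary can re-hash it too. Store the manifest signed, or on a separate system that pulls the hashes, and treat any "added" file under the application directory as an incident until explained.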

As a representative of one of the smaller Russian banks, who wished to remain anonymous, pointed out, bringing their systems into compliance with the new security standard will mean reconfiguring IT systems. Undue delay in implementation risks a halt to work with SWIFT. According to sources in banks, from September 1, 2018 SWIFT will stop supporting systems that have not been updated.

In addition, while from April to December SWIFT will ask banks only for a self-assessment of compliance with the new standard, from 2018 the association will additionally be able to request confirmation of their claims through an independent external audit. The results will be available to all SWIFT participants, which should improve banks' risk assessment of their counterparties.

Big difficulties for small banks

The lowest risks in connection with the transition to the new standards are faced by banks that are direct members (principal members) of the international payment systems (Visa, MasterCard and others), according to the bankers interviewed. The new SWIFT standards largely overlap with the existing security standards of the international payment systems. But banks that hold not direct but associate membership in the international payment systems (through larger players that are direct members) may face difficulties, says the director of the IT department of a top-100 bank. "For associate banks, compliance with the security standards of the international payment systems is not required, so the SWIFT requirements will have to be met virtually from scratch," he warns, adding that this mainly concerns small and regional banks.

Regional and small banks will most likely experience difficulties, agrees Andrei Gaiko: they often do not pay enough attention to information security because they believe they are unlikely to suffer any incidents. According to him, the system administrators of these banks do not follow any established practices and do not have a clear understanding of how to protect information resources, and the new requirements may raise many questions for them, not even from a technical point of view but an organizational one. "As practice shows, difficulties most often arise with detecting anomalous activity and with security updates (one of the mandatory SWIFT requirements)," he says. "In the first case, security administrators can collect event logs from all systems, but they are not always able to assess whether these logs show that they are under malicious attack. As a result, attacks on the system go unidentified, and it becomes impossible to prevent the misappropriation of funds," says Gaiko.

Raising employees' awareness of security issues (a mandatory SWIFT requirement) is also problematic. "Although training is common practice, staff remain the weak link. There are cases where employees undergo training on the password policy, but an audit then reveals that they cannot state the password requirements, and stickers with stored passwords are found at their workplaces," says Gaiko.

Visa and MasterCard declined to provide data on the number of banks working with them directly and on those holding associate membership in the international payment systems. According to a source in the payment card market, "of all Russian banks (in 2016, according to the Bank of Russia, there were 623; by February the number had decreased due to license revocations), roughly 100 have direct membership in the international payment systems, about 70 are not connected to them at all, and the remaining 450 are associates." Another banker specializing in the card business estimated the number of banks at risk at about 300. "Given that there are about 570 banks in the market, that the number of principal banks is somewhere around 70-80, and that the ratio of principals to associates may be in the range of 1:5 to 1:7, the number of associate banks is presumably 400-450," said Vyacheslav Volkov, first deputy chairman of Lanta-Bank.

Cost is also an important issue. According to one of the bank sources, installing and upgrading modern software, ensuring the integrity of software and databases, and the measures related to detecting anomalous activity alone could cost a medium-sized bank at least 10-15 million rubles, an amount that may be sensitive for some players. For example, of the ten banks ranked 91st to 100th by assets, according to Interfax-CEA, four showed a negative total financial result for the year, and the net profit of the remaining six averaged 782 million rubles.

Risky audit

SWIFT's intention to inform the Central Bank about unsatisfactory audit results caused market participants much less concern than the prospect of their counterparties being informed about their real situation, or SWIFT's possible reaction (what it will be if violations are found, Matvei Gering did not specify in his speech).

Artem Sychev, deputy head of the Central Bank's Main Directorate for Security and Information Protection, said: "It all depends on the individual case. For us it is not grounds for an inspection, but an additional factor indicating that we may need to find out how the bank meets the remaining information security requirements."

Bankers do not rule out that, in the event of a negative opinion from an external auditor on a bank's compliance with the new security standards, its counterparties may in extreme cases stop making payments with such players. Oleg Vyugin, a member of a bank's board of directors, points to this risk in particular. In his opinion, it may be an additional strong incentive for more careful preparation for the introduction of the standards. Banks that intend to use SWIFT have no interest in failing the audit, believes Roman Avdeev, the principal beneficial owner of Credit Bank of Moscow.

As for SWIFT's response, Viktor Morozov, director of risk analysis and control services at the auditing firm PwC, does not rule out that SWIFT may impose fines. He draws an analogy with the Visa and MasterCard security standards. "For violating them, banks pay €30 thousand a month in penalties until their systems are put in order. This is a very strong motivating factor," says Morozov. Mikhail Ivanov, director of the information security department at Rosbank, does not rule out that in extreme cases it could go as far as disconnecting a bank from SWIFT.