The under fire Swift banking messaging network took its eye off the ball in failing to prioritize cybersecurity over the past decade, especially when it came to its smaller members, according to a former CEO.
The organization – which has come in for some harsh criticism this year after an $81 million cyber heist from the Bangladesh Bank and copycat raids on other members – coordinates the messaging platform which enables inter-bank transfers.
Former employees have claimed that only now Swift, which is technically a co-op owned by the banks themselves, has begun to backtrack and take the threat from cyberspace seriously.
In the wake of the Bangladesh Bank raid, Swift launched a “dedicated customer security program” including a new set of guidelines designed to improve baseline security for members.
But Leonard Schrank, CEO from 1992 to 2007, argued that for many years the board paid little heed to the security of its members, failing to adequately appreciate or manage risk.
“They were focusing on other things, and not about the fundamental, sacred role of Swift, which is the security and reliability of the system," he told Reuters, accepting partial responsibility.
Former board member Arthur Cousins added that the organization thought security was the responsibility of the regulators rather than Swift.
Other directors claimed that the attitude among the major western banks which dominate the group was that their cybersecurity was sufficient so there were no problems – paying little heed to the fact that for many smaller members the opposite was true.
“The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries," said former board member, Alessandro Lanteri. "There, it is very difficult to be sure that all the procedures of security are managed in the correct way."
Some told the newswire that directors weren’t informed of previous security incidents involving attempts to steal funds via Swift, while Schrank added that some board members simply weren’t up to the job.
"Generally the SWIFT board, with very few exceptions, are back-office payments people, middle to senior management," he claimed.
Swift responded in a statement that its board has “decades of experience in operations, management, IT, risk assessment, and various other disciplines” and that the organization has “always maintained an uncompromising focus on security.”
Yet, according to Reuters, there has been only one mention of Swift helping its banking members to improve cybersecurity in any of its annual reports and strategy documents over the past 17 years.
The Swift statement continued:
"Swift and its board have prioritized security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved. Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization we adapt as the threat changes."