Swift system malware used to target banks
CEO Gottfried Leibbrandt said the 11,000 banks using the Swift system need to urgently enhance security (Dado Ruvic/Reuters)

In the wake of a spate of hacking incidents, major financial institutions using the Swift messaging system to communicate and transfer money must bulk up cybersecurity standards or face immediate suspension, the chief executive of the Brussels-based firm has warned.

In a frank interview with The Financial Times, CEO Gottfried Leibbrandt said the 11,000 banks relying on the Swift system now need to urgently enhance online protections or be prepared to face the consequences.

"We could say that if the immediate security around Swift is not in order we could cut you off, you shouldn't be on the network," he said, adding there are clear pros and cons to such a stringent approach. "The pros are that it provides clarity that if you are on the Swift network you need minimum standards. I think the con is if you do it too heavy handed you could drive people to unsafe channels."

He added: "The days when you needed to break into a bank and carry guns and blow torches are over. You can now rob a bank from just your own PC and that does change the game completely."

Swift came under intense scrutiny in the wake of a number of successful cyberheists orchestrated against banks using its system, which remains a main point of communication in the global financial system. In the most well-publicised incident, hackers were able to steal a massive $81m (£56m) from the Bangladesh central bank by exploiting Swift to stage fraudulent transfers.

In the aftermath of the theft, it was found the bank had little-to-no proper protections in place to curb the malicious activity, as experts disclosed the firm was using cheap routers to connect to Swift and failed to even use a proper firewall. Furthermore, as the scope of the investigation quickly grew, more banks admitted to similar hacking attempts – including victimised organisations in Vietnam and Ecuador.

Fix is 'years away'

"I think the ultimate list of actual breaches, at least to date, will turn out to be lower than 10," claimed Leibbrandt. "I don't think you can ever stop this from happening entirely. There will be more attempts and some of them will be more successful. But by managing all these layers of defence you can make it into a manageable nuisance rather than a life-threatening situation."

Now, according to the FT, Swift is in discussions with numerous financial regulators about what is needed to enforce more stringent security requirements and 'supervisory standards'. However, based on a separate interview with Reuters, Leibbrandt indicated he will also be scaling back some of Swift's operations to pay for new security initiatives.

"Hindsight is always a wonderful thing. You can always say 'should they have done it before?', but sometimes it takes these types of events," he said.

However, he admitted that a fix remains a distant goal. "We don't think this is going to be solved overnight, so we'll be looking for a number of quick wins to improve things in the near term," he said. "The full rollout, and the full shore up, will be a matter of years."

David Kennerley, director of threat research at cybersecurity firm Webroot, said the need for minimum standards across the industry will be welcomed, but warned "the risk of driving people to unsafe channels is real."

He said: "Swift need to help educate organisations and support them to meet the minimum network standards. The fact is, cybercriminals only need to find one hole in the defence, while as security professionals we have to secure all."

Despite the negative press and plans to enforce enhanced standards, it should be noted that Swift officials maintain its core infrastructure has never been compromised by the hackers.

"First and foremost we would like to reassure you again that the Swift network, core messaging services and software have not been compromised," it said in a recent statement. "The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both."