You'd think, with the amount of money the SWIFT inter-bank payment system transfers every day, that the group would be strong on security. Not so, says a former head of the organization.
The SWIFT organization has been trying to up its security game after a string of high-profile hacking attacks that siphoned off millions from the system. But Leonard Schrank, CEO of SWIFT from 1992 to 2007, admitted that the organization has been snoozing on security for too long.
"The board took their eye off the ball," Schrank told Reuters. "They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system."
Schrank said that he was "partially responsible" for the situation, as he and other board members hadn't considered the security implications of smaller banks joining the network and not taking proper precautions to lock down the payment system.
Large Western banks are the heaviest users of SWIFT, but the number of smaller banks joining the network has grown, and these often don't have the budget to protect the system. Martin Ullman, a SWIFT consultant based in Prague, said that he had been in contact with an admin at the Central Bank of Solomon Islands who couldn't afford the cost of upgrading the SWIFT messaging system.
"The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries," said former SWIFT board member Alessandro Lanteri. "There, it is very difficult to be sure that all the procedures of security are managed in the correct way."
Another former SWIFT board member, Arthur Cousins, claimed that part of the problem is that the organization didn't believe it was responsible for the security of people using its systems – it felt that was a job for banking regulators.
"SWIFT and its Board have prioritized security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved," SWIFT said in a statement.
"Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization, we adapt as the threat changes."