February’s high profile US$81 million heist on Bangladesh Bank revealed that weak security measures made it easier to hack into computers that were subsequently used to send messages requesting large money transfers. Bangladesh police confirmed that the central bank had lacked any kind of firewall, and that it had used second-hand, US$10 electronic switches to network those computers. Since then, the global financial messaging system that authenticated those transfers has tried in vain to encourage its member banks to comply with new security procedures, due in part to its lack of any regulatory authority over members. But such institutions are not giving due consideration to the reputational consequences of their actions and decisions.
Brussels-based member-owned cooperative SWIFT has disclosed that cyber thieves have escalated their attempts, since February, to target banks with weak security procedures for SWIFT-enabled transfers, according to Reuters.
In a private letter to clients, SWIFT said: “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.”
Although a spokeswoman for SWIFT declined to provide details of recent cyberattacks, or their victims, it is understood that all of those targeted had weaknesses in local security that enabled thieves to compromise local networks and send fraudulent messages requesting money transfers.
SWIFT rolled out a number of new security measures following February’s Bangladesh Bank heist, including more robust authentication systems software updates for sending and receiving messages. But it has been unable to persuade many member banks to take action, and has even resorted to issuing threats of reporting them to regulators and banking partners if they failed to install new software.
This raises the question of whether such institutions, if unconcerned by any immediate financial consequences of inaction, should be giving greater consideration to the potential damage to their reputations. It is unlikely, for example, that bank customers who lose money in cyberattacks will care greatly whether such security measures are obligatory or just simply the right thing to do.
Companies are held responsible not only for their own integrity and ethics but also for acts of their third parties. Suppliers, distributors, resellers and other third parties can pose significant integrity and compliance risks that need to be managed by every company to avoid significant fines and reputational damage. In order to manage these risks and safeguard against reputational damage, companies need to focus on business value and not just regulatory compliance.
International law firm Eversheds recently surveyed 500 executives across 12 jurisdictions spanning multiple industry sectors for its ‘Beneath the Surface’ anti-graft report. Of those surveyed, only nine percent cited legal consequences as the main motivation for preventing bribery and corruption. The majority of those consulted – 61 percent – cited the potential damage to commercial success and reputation as the main reason why an organisation should try and prevent bribery and corruption.
The same holds true for data breaches and SWIFT member banks would do well to take note.