Bankers Push Cybersecurity
BY KATY BURNE
A committee of central bankers is looking to draft international guidelines covering cybersecurity responsibilities for banks and fund transfer providers, aiming to make the global payments system safer, said people familiar with the plans.
The group plans to devise a framework that will divvy up cybersecurity responsibilities between sending and receiving banks, as well as at payment infrastructure providers, the people said.
The guidelines are being put together by the Committee on Payments and Market Infrastructures, which was convened by the Bank for International Settlements to analyze cross-border payment and settlement networks in an effort to protect the banking system.
The effort comes as the financial messaging system Swift and some of its member banks have attracted scrutiny in the wake of recent cyberattacks at customer sites. In February, cyberthieves made off with $81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
The committee aims to set out a global framework for cybersecurity standards where one doesn’t exist. Its challenge is that guidelines from such international groups tend to have limited enforceability by law, because each jurisdiction involved can choose what policies to adopt.
Rep. Barry Loudermilk (R., Ga.)—chairman of the subcommittee on oversight for the U.S. House Science, Space and Technology Committee, which is reviewing the Bangladesh Bank incident—said Federal Reserve explanations of how recent cyberattacks occurred “raise additional questions.”
“It is troubling to me that bad actors were able to successfully extract millions of dollars from the Federal Reserve banking system,” he said. “My subcommittee is working to find out how this happened and how to prevent it from happening again.”
Workers at the New York Fed don’t manually screen most central-bank payment orders as they come in, and instead rely heavily on authentication by Swift, known formally as the Society for Worldwide Interbank Financial Telecommunication.
This summer, Swift became subject to a new set of cyber rules also developed by the payments committee and the International Organization of Securities Commissions. Those rules, once implemented, will require Swift and financial market-infrastructure providers to prove they can resume operations within two hours of a disruption.
A Swift spokeswoman had no immediate comment. A spokesman for the National Bank of Belgium, which is the lead overseer of Swift, declined to comment on its specific oversight actions on the company. Benoît Coeuré, chairman of the Committee on Payments and Market Infrastructures, wasn’t immediately available to comment.