Cybersecurity: challenges and trends in the cyber world XXI ACSDA’s General Assembly

Cybersecurity: challenges and trends in the cyber world XXI ACSDA’s General Assembly. Miguel Suarez, Head of Business Development, Latin America & Caribbean, SWIFT. Cyber threats facing your business. The Big Picture - World Economic Forum ranks ‘cyberattacks’ as a top global risk.



Presentation Transcript


  1. Cybersecurity: challenges and trends in the cyber world
     XXI ACSDA’s General Assembly
     Miguel Suarez, Head of Business Development, Latin America & Caribbean, SWIFT

  2. Cyber threats facing your business
     Source: 2018 The Evolving Advanced Cyber Threat to Financial Markets – BAE Systems & SWIFT

  3. The Big Picture - World Economic Forum ranks ‘cyberattacks’ as a top global risk
     • 1 National governance failure
     • 2 Unemployment
     • 3 Social instability
     • Cyberattacks
     Threat landscape: With APTs, virtually anybody could be a target, and ubiquitous IoT ‘smart’ devices could be used as a DDoS weapon …
     Source: 2018 WEF survey spanning 684 respondents, which assessed the [likelihood] and [impact] of each risk on a scale of 1 to 5, from [very unlikely / minimal impact] to [very likely / catastrophic]

  4. The cyber threat landscape is always shifting and the attack surface is always changing
     Cyber Threat Landscape:
     • Ab(use) of New Technology
     • Evolving Attack Vectors
     • The Weakest Link
     • New Regulation
     • Geo Political Tensions
     • Bad Guys

  5. Threat actors are sophisticated and patient - can invest months on a targeted APT attack
     [Chart: attack types by time span (Minutes, Hours, Days, Weeks, Months, Years, Unknown)]
     Source: Verizon 2009 Data Breach Investigations Report

  6. Almost like a perfect storm, we also see market initiatives that will change the attack surface …
     Impact of Market Initiatives (an endless battle between ‘convenience’ and ‘security’)
     SWIFT gpi
     • Ability to track the payment from originator to beneficiary through the correspondent banking chain
     • Uses a unique end-to-end transaction reference (UETR)
     • ‘Stop & Recall’ can stop a payment in case of fraud
     Real Time Payments
     • Real-time retail payment systems (RT-RPS) allow instantaneous transfer of funds
     • SWIFT launches SWIFTNet Instant messaging by end 2018
     • RT-RPS makes it more difficult for LEAs to trace and recall fraudulent payments, which increases the attack surface
     APIs with Open Banking
     • With PSD2 (Jan 18) EU banks are obligated to allow third-party providers (TPPs) access to data and payment services through APIs
     • TPPs include account aggregators, challenger banks and Fintech startups
     • Increases the possible attack surface open to cyber criminals
     • Potential fraudulent transactions could be transported via SWIFT
     Shortened Settlement Cycles
     • Driven by capital optimisation, numerous securities markets have reduced their settlement cycle times, typically from T+3 to T+2
     • Reduction of settlement time makes it more difficult for law enforcement to trace and recall fraudulent transactions, which increases the possible attack surface open to criminals

  7. CSP | An Overview
     Customer Security Programme (CSP): Launched in May 2016, the CSP supports all customer segments in reinforcing the security of their local SWIFT-related infrastructure
     • You: Secure and Protect (SWIFT Tools, Security Controls Framework)
     • Your Counterparts: Prevent and Detect (Transaction Pattern Detection – RMA, DVR and ‘In Flight’ Sender Payment Controls)
     • Your Community: Share and Prepare (Intelligence Sharing, SWIFT ISAC Portal)

  8. CSP | A case study

  9. CSP | Secure and Protect – Customer Security Controls Framework v2019
     Security Controls: 3 Objectives, 8 Principles, 29 Controls (previously 27)
     • 19 controls are now mandatory – 3 Advisory promoted to Mandatory:
         • 2.6 A Secure Operator sessions
         • 2.7 A Yearly vulnerability scanning
         • 5.4 A Physical and Logical Password Storage
     • 10 controls are now advisory - 2 additions:
         • 1.3 A Virtualisation Platform Protection
         • 2.10 A Application Hardening

  10. CSP | Counterparty Consultation of Attestation - Assessing Counterparty Risk
     • Establish a governance model for cybersecurity risk management
     • Adopt cybersecurity risk mitigating countermeasures
     • Establish a cybersecurity risk management framework
     • Incorporate cybersecurity attestation data from SWIFT counterparties
     Guideline is primarily intended for use by small and medium sized organisations with relatively few counterparties, and correspondent banks that act as intermediaries between originating payers and end beneficiaries

  11. Module 1: Reporting
     • Daily Validation Reports
     • Activity and Risk reporting
     • Inbound and Outbound
     • Group and/or Entity reporting
     Module 2: Alerting
     • Real-time alerting/blocking
     • Outbound
     • Subscriber-controlled rules

  12. Module 2 Rule types
     • Business Calendars: Identify payments that are sent on non-business days or outside normal business hours
     • Profiling / Learning: Identify & protect against payment behaviour that is uncharacteristic, based upon past learned behaviour
     • Threshold: Protect against individual and aggregated payment behaviour that is a potential fraud risk or falls outside of business policy
     • Badly Formed Messages: Identify and stop messages where preceded by repetitive NACKs to the same recipient
     • Suspicious Accounts: Verify end customer account numbers against an institution black list of account numbers believed to be high risk
     • New Institutions: Identify payments involving individual institutional participants or chains that have not been seen previously, based upon historical message flows

  13. CSP Detection Tools | Payment Control Service (PCS) - Features and Rules
     • PCS performs ‘in-flight’ transaction monitoring on ‘sent’ payment instructions and identifies activity that is out-of-policy or indicative of fraud
     • PCS works in one of two real-time operating modes using policy rules defined by the subscriber:
         • Message Copy and Alert, or
         • Message Hold and Alert
     • Provides a zero-footprint payment safety-net against payment risks
     • SWIFT launched PCS in Oct 18 supporting MT103, MT202 and MT202 COV messages
     [Diagram labels: Message Copy & Alert; Message Hold & Alert; Sender; Receiver; SWIFT Payments Controls; If Released; If Aborted]
     PCS Policy Rules
     • Business Calendars: non-business days and normal business hours
     • Currency whitelist / blacklists, single and aggregate payment limits
     • Country whitelist / blacklists, single and aggregate payment limits
     • Thresholds for country, currency, single entity or group combinations
     • New Institutions: Identify payments with new participants or chains, based upon historical message flows
     • Profiling / Learning: Identify & protect against payment behavior that is uncharacteristic, based upon past learned behavior
     • Badly Formed Messages: Identify and stop messages where preceded by repetitive NAKs to the same recipient
     • Suspicious Accounts: Verify end customer account numbers against an institution black list of account numbers believed to be high risk

  14. Your Community
     SWIFT has deepened its cyber security forensics capabilities, providing unique intelligence on customer security-related events. This information is disseminated to the community in an anonymised manner.
     • You: Secure and Protect (SWIFT Tools, Customer Security Controls Framework)
     • Your Counterparts: Prevent and Detect (Transaction Pattern Detection – RMA, DVR and Payment Controls)
     • Your Community: Share and Prepare (Intelligence Sharing, SWIFT ISAC Portal)

  15. CSP | From Customer Incident Handling to Information Sharing
     • User fixes its environment
     • SWIFT undertakes forensic analysis, with User
     • User identifies suspicious activity
     • User informs SWIFT or SWIFT receives an auto-alert
     • SWIFT publishes anonymised threat intelligence to community: SWIFT Community; ISACs / CERTs; LEAs / Regulators

  16. CSP | SWIFT ISAC Portal
     • A 2nd release of SWIFT ISAC global information sharing portal was issued in February
     • This will enable the automated exchange of cyber-threat information using industry standard formats (STIX/TAXII) and allow access for non-SWIFT customers
     • The SWIFT ISAC continues to share threat intelligence with the community, including indicators of compromise such as file hashes and details about malware samples observed. When possible, Modus Operandi used by attackers is described and machine-digestible files are provided (YARA rules, OpenIOC, etc.)

  17. Questions?
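
The policy rule types listed on slides 12 and 13 (business calendars, currency lists, single and aggregate thresholds, new institutions, repetitive NAKs, suspicious accounts) can be expressed as a hold-or-release check on each outbound payment. This is an added example, not part of the presentation and not SWIFT's implementation; the message fields, limits, account and institution names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed policy: every limit, account and institution name is hypothetical.
POLICY = {
    "business_days": {0, 1, 2, 3, 4},              # Monday=0 .. Friday=4
    "business_hours": (time(8, 0), time(18, 0)),
    "currency_whitelist": {"USD", "EUR"},
    "single_limit": 1_000_000,
    "daily_aggregate_limit": 2_500_000,
    "suspicious_accounts": {"ACC-BLOCKED-001"},
    "max_prior_naks": 3,
}

@dataclass
class Monitor:
    policy: dict
    known_receivers: set = field(default_factory=set)  # from historical flows
    released: dict = field(default_factory=dict)       # (date, ccy) -> total
    naks: dict = field(default_factory=dict)           # receiver -> NAK count

    def record_nak(self, receiver):
        self.naks[receiver] = self.naks.get(receiver, 0) + 1

    def check(self, msg):
        p, ts = self.policy, msg["sent_at"]
        start, end = p["business_hours"]
        key = (ts.date(), msg["currency"])
        total = self.released.get(key, 0) + msg["amount"]
        rules = [  # (rule name, True when the payment violates the rule)
            ("business_calendar", ts.weekday() not in p["business_days"] or not start <= ts.time() <= end),
            ("currency_not_whitelisted", msg["currency"] not in p["currency_whitelist"]),
            ("single_threshold", msg["amount"] > p["single_limit"]),
            ("aggregate_threshold", total > p["daily_aggregate_limit"]),
            ("new_institution", msg["receiver"] not in self.known_receivers),
            ("repetitive_naks", self.naks.get(msg["receiver"], 0) >= p["max_prior_naks"]),
            ("suspicious_account", msg["beneficiary_account"] in p["suspicious_accounts"]),
        ]
        reasons = [name for name, hit in rules if hit]
        if reasons:
            return "HOLD", reasons       # Message Hold and Alert mode
        self.released[key] = total       # only released payments count
        return "RELEASE", reasons

def demo():
    # Constructed sample: a weekend, over-limit payment to an unseen receiver.
    m = Monitor(POLICY, known_receivers={"RECV-BANK-A"})
    return m.check({"receiver": "RECV-BANK-Z", "currency": "EUR", "amount": 1_500_000,
                    "beneficiary_account": "ACC-BLOCKED-001", "sent_at": datetime(2019, 3, 9, 23, 30)})
```

Held payments are not added to the daily total, so a burst of blocked attempts does not consume the aggregate limit for legitimate traffic.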
