The SWIFT customer security controls framework includes both mandatory and advisory security controls, SWIFT said.
Mandatory controls include taking steps to protect the SWIFT infrastructure from internet access and from the general IT environment, and reducing the vulnerability of SWIFT-related applications by improving internal data flow security, ensuring security updates are applied, and "hardening" systems by reducing the number of functions performed, it said.
Physical access to equipment must be controlled, strong password and multi-factor authentication policies should be put in place, and identity and token management policies are needed to control who has access to data, SWIFT said.
SWIFT customers must also have systems in place to detect any unusual activity either in systems or transaction records, and incident response plans for staff to follow.
The advisory controls detail further steps to reduce vulnerabilities, manage identities, detect unusual activity and develop incident response plans.
Customers will be required to confirm they have put the mandatory controls in place by the end of 2017, and to repeat that confirmation annually. Compliance status can then be shared with other users through SWIFT's KYC (know your customer) registry, it said.
The mandatory controls may change over time as threats evolve, SWIFT said.
Asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said: "All customers of SWIFT should already have these ‘basic’ controls in place. It appears that SWIFT is starting to proceed towards shifting the blame for failings. However, with hundreds, millions and sometimes billions at stake it seems appropriate to force customers to take proactive steps in the fight against cybercrime."
"From a customer’s perspective this means that they are being asked to shoulder some of the responsibility; from Swift’s position, why should they be the insurer to make sure cyber-attacks don’t happen? There is not, and never will be, a happy medium in this sphere where both parties can be as easily hacked," Sheeley said.
"What is important is that society as a whole, and irrespective of borders, starts to fight together against cybercrime. When money is lost and fault is not easily apportioned both parties need to act quickly and protect their position and ultimately try to work together to recover the monies that have been stolen by the fraudster. Speed is of the essence in this scenario," he said.
SWIFT also launched a new tool this week to help banks identify fraudulent messages.
The tool is designed to spot and flag any unusual activity based on users' normal patterns of using the service, and to allow users to stop and investigate any transactions they are concerned about.
Initially targeted at smaller financial institutions and central banks, the online service will develop a profile of each user’s message traffic based on its specific business activities and the countries, counterparties and currencies it is usually involved with, SWIFT said.
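The profiling approach described above, as an added example (not SWIFT's tool and not code from the article): it builds a baseline of the countries, counterparties and currencies in a sender's past messages and returns the reasons to hold a new message that departs from it. The record fields, the sample data and the rule of flagging never-before-seen values or combinations are assumptions.

```python
# Dimensions the article says the profile is built from.
DIMENSIONS = ("country", "counterparty", "currency")

# Constructed sample history of one institution's outgoing payment messages.
HISTORY = [
    {"sender": "BANK-A", "country": "DE", "counterparty": "CP-1", "currency": "EUR"},
    {"sender": "BANK-A", "country": "DE", "counterparty": "CP-1", "currency": "EUR"},
    {"sender": "BANK-A", "country": "US", "counterparty": "CP-2", "currency": "USD"},
    {"sender": "BANK-A", "country": "GB", "counterparty": "CP-3", "currency": "GBP"},
]


def build_profiles(history):
    """Build a per-sender baseline: values seen per dimension, plus full combinations."""
    profiles = {}
    for msg in history:
        profile = profiles.setdefault(
            msg["sender"], {"values": {d: set() for d in DIMENSIONS}, "combos": set()}
        )
        for d in DIMENSIONS:
            profile["values"][d].add(msg[d])
        profile["combos"].add(tuple(msg[d] for d in DIMENSIONS))
    return profiles


def review_reasons(profiles, msg):
    """Return the reasons to hold msg for investigation; an empty list means it fits the baseline."""
    profile = profiles.get(msg["sender"])
    if profile is None:
        return ["no baseline for sender"]
    reasons = [f"new {d}: {msg[d]}" for d in DIMENSIONS if msg[d] not in profile["values"][d]]
    combo = tuple(msg[d] for d in DIMENSIONS)
    # Every value is familiar on its own, but this pairing has never been used together.
    if not reasons and combo not in profile["combos"]:
        reasons.append("unseen combination: " + "/".join(combo))
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    incoming = [  # constructed messages awaiting release
        {"sender": "BANK-A", "country": "DE", "counterparty": "CP-1", "currency": "EUR"},
        {"sender": "BANK-A", "country": "PH", "counterparty": "CP-9", "currency": "USD"},
        {"sender": "BANK-A", "country": "US", "counterparty": "CP-1", "currency": "USD"},
    ]
    for msg in incoming:
        print(msg, "->", review_reasons(profiles, msg) or "release")
```

The third sample message shows why the baseline keeps whole combinations as well as individual values: a known counterparty paid in a known currency can still be a route the institution has never used.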
SWIFT warned its members in September 2016 about successful hacks that had taken place. While many attacks have been caught by its own security or by that of banks, others have been successful, it said. SWIFT did not say how much had been stolen.
This followed a warning in May 2016 that international banks were facing threats from a new wave of malicious software, or malware, that allows attackers to steal money.
In a statement issued to its customers and posted on its website at the time, SWIFT said that the malware attack was believed to be part of a broad and "highly adaptive campaign targeting banks" and that there was evidence that a number of banks have fallen victim to fraud as a result of their security measures being compromised.
SWIFT has also acknowledged that hackers altered its software on Bangladesh Central Bank's computers in February 2016, in an $81 million theft from the bank's account at the Federal Reserve Bank of New York.
"We cannot comment on the details of any particular customer or incident, but confirm that the commonality in what we have seen is that internal or external attackers have successfully compromised banks’ own environments and thereby obtained valid operator credentials with the authority to create, approve and submit messages from those entities’ interfaces," SWIFT said.
While the malware in question exists, it "can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security", SWIFT said.