Tuesday, 12 June 2012
Failure is not an option
Commercial Risk Europe’s cyber risk correspondent Nik Pratt reports on the huge risk and insurance management challenges presented by cyber risk, drawing on a speech given by Enrique Flores, Insurance and Risk Manager at Swift, the bank-owned payments messaging consortium.
The Society for Worldwide Interbank Financial Telecommunication (Swift) is a bank-owned co-operative established in 1973 to provide a secure messaging network for cross-border financial transactions.
Since then it has grown beyond that basic network role: it provides software and services to financial institutions, acts as a standards body for financial messages and has even created a forum for start-ups working on financial messaging and communications.
Nevertheless, Swift’s core business and key responsibility remains the facilitation of cross-border payments. “We define our business as financial messaging—an email service for exclusive use by banks,” said Enrique Flores, Insurance and Risk Manager, Swift.
“It is a highly structured and highly automated network designed to reduce operational risks. If we are down, banks cannot operate as normal and cannot make cross-border payments so we need to be available all the time—our threshold is five minutes per year so there is very little margin for error,” he added.
Most of the information in Swift’s system is highly confidential, and there is a lot of it. Swift serves more than 10,000 financial institutions in more than 200 countries and territories, which between them send 18 million messages a day, a figure that has risen notably from the 2.4 million messages sent in 2004 and the 15 million sent in 2010.
The co-operative structure of Swift further complicates the picture: its members, the banks, are also its customers.
Mr Flores said that Swift’s risk management process is built around three areas: governance, culture and controls.
Governance itself has three tiers, explained Mr Flores. At the first level are a series of user groups; the users elect the board that sits above them, and above the board sits the oversight committee. “We are a telco, not a bank, so we cannot be governed by banking regulations, so we have central bank oversight instead.”
There are highly formalised controls in place, said Mr Flores, including internal and external operational audits and a complex configuration management process to cater for the numerous software upgrades made every year.
There are also more than 200 business continuity tests for both users and suppliers. “We engage in rigorous software qualification. It is a big expense but it is worth it. We have a reliance on proven technology. Only when we feel comfortable with it and when third parties have also used it, do we use it.”
Mr Flores also stressed the behavioural parts of Swift’s risk management programme. “We have the CEO making videos saying how important it is to wear the right badge at the right time. It means mandatory screening and security training of staff and contractors. It is about discipline and about awareness with articles, posters, campaigns and tests around social engineering. For example, we will send someone into an area with the wrong badge and expect staff to challenge them. It is not easy but it has to be done. It is about creating an environment where not just the IT and risk people are thinking about threats. It has to be everyone.”
Like many Marvel Comics superheroes, Swift’s critical status is both a gift and a curse, said Mr Flores. “We have a clear but challenging mission and we can benefit from our cooperative role so that we can address industry pain points where risk expertise can be leveraged. But evolution is not easy, though. There is change ahead for us and for our industry and many of these changes will be disruptive. There are new banking business models and processes such as mobile payments and peer to peer payments.”
There is also the changing nature of Swift itself. As mentioned, the co-operative has expanded beyond its network role to provide software and services to financial institutions and to act as a standards body for financial messages. It has even set up a forum for start-up services related to financial messaging and communications, called Innotribe.
This creates a conundrum of sorts. “From a risk perspective we are happy with what we provide today but we also have to support the company in embracing change. But change requires risk taking and this sometimes results in failure and failure is not an option,” said Mr Flores.
The complexity and scale of Swift’s risk profile also serves to illustrate the enormity of the task faced by insurers as they attempt to offer adequate cover for the cyber threats that face critical infrastructures.
Mr Flores said that one of his biggest luxuries as a risk manager is that he has a very clear mission. “If we see a risk it has to be mitigated. There is no argument because failure is not an option.” Insurers though will face a challenge in finding the capacity and coverage for a potential client such as Swift where the sky is the limit.
Cyber risk and the coverage options available will be a key element of this year’s Risk Distribution survey of Europe’s leading brokers carried out by Commercial Risk Europe, sponsored by Lloyd’s of London and published in October.