
By McCarthy Tétrault LLP | 3 Minutes Read March 29, 2019

SWIFT publishes cybersecurity counterparty risk guidelines

On February 15, 2019, the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) published guidelines for assessing cybersecurity counterparty risk for financial institutions (the “Guidelines”). The Guidelines are important because the SWIFT banking and payments network is a key target for malicious actors. Financial services institutions thus have a strong incentive to ensure the Guidelines are implemented globally in order to minimize cybersecurity risk.

The Guidelines are non-binding and SWIFT has limited enforcement powers against member institutions. Nevertheless, they are legally significant. Compliance with cybersecurity best practices and industry standards is a common term in cyberinsurance contracts. An organization’s ability to claim under a cyberinsurance policy in the event of a cyber incident may thus be impacted by implementation of the Guidelines. Furthermore, information about cybersecurity compliance (or noncompliance) is also likely to be sought by litigants in the event an organization’s data is lost or compromised. It is important to work with counsel to ensure an appropriate privilege strategy is in place to protect this information.

Implementation of the Guidelines is also a business imperative. No member of the SWIFT network wants to transact with a party who does not employ cybersecurity best practices. Full compliance with the Guidelines as well as domestic regulatory requirements is vital to ensuring financial institutions are able to maintain the benefits of the SWIFT network.

Cybersecurity governance

The first major recommendation contained in the Guidelines is the establishment of a cybersecurity governance model to systematize oversight of cyber risk management processes. For example, cybersecurity governance could be structured according to the three lines of defence model. Frontline risk decisions relating to internal controls and operations can be taken by the first line. Escalations can be brought to the second line, provided it has some degree of operational independence from the first line. The third line of defence is the independent auditing and assurance of first and second line behaviour.

A cybersecurity governance structure should incorporate cross-disciplinary expertise including stakeholders from the line of business, payments operations, IT, information security, risk management, compliance and audit. The Guidelines also suggest giving oversight of the cybersecurity governance framework to a senior executive in order to ensure accountability and facilitate information flow to the Board of Directors.

Cybersecurity risk management

In addition to having an effective governance model, organizations should also establish a cybersecurity risk management framework for dealing with counterparties. First, organizations should gather necessary data on counterparties and their cybersecurity practices. This includes region of operation, degree of regulatory oversight, size and ownership structure, history of the counterparty relationship, known cyber incidents, and information on transaction type, value and frequency. 

After gathering this data, organizations should then analyze the level of risk posed against their own risk appetites. Risks should be scored based upon the organization’s rules for counterparty transactions, the organization’s risk models, and expert judgement. Once the risk is scored, an organization can implement appropriate measures to “treat” the risks.

Risk mitigation

The Guidelines suggest using risk mitigation countermeasures based on both the business relationship an organization has with the counterparty as well as the nature of the transaction. For example, an institution can request counterparties provide additional controls, fraud detection systems, or independent assessments to substantiate information. Transactions should be flagged for review based on their type, value, currency, and ultimate destination of the funds. Higher risk transactions should be reviewed by a second set of eyes and subject to additional verification procedures by the counterparty. These mitigation approaches can be tailored based on the counterparty’s risk profile and the organization’s own regulatory requirements and risk tolerance.

Often direct outreach to senior management may be the best method of communicating. Strengthening these relationships not only can be useful in providing reassurance, but is also important in the event of a cyber incident. The Guidelines encourage organizations to periodically review counterparty risk profiles and adjust their communication and mitigation approaches accordingly.

Conclusion

Cybersecurity counterparty risk is very real. The well-documented 2016 incident of fraudulent transfer requests from the Bangladesh Bank to the Federal Reserve Bank of New York resulted in US$81 million going missing. Organizations should consequently take the Guidelines very seriously and work with counsel to ensure that they have appropriate cybersecurity governance, risk management, and risk mitigation processes in place. 

McCarthy Tétrault LLP
McCarthy Tétrault is a Canadian law firm that offers a full suite of legal and business solutions to clients in Canada and around the world. They deliver integrated business, litigation, tax, real property, and labour and employment solutions through offices in Vancouver, Calgary, Toronto, Montréal, Québec City, New York and London, UK.
