• Print
  • Decrease text size
  • Reset text size
  • Larger text size
08/10/2017

SWIFT Customer Security Program (CSP) Requirements

SWIFT has established the Customer Security Program to support its customers in the fight against cyber-fraud targeting their SWIFT-related infrastructure.

SWIFT confirms new cyber threats, due to an increasing sophistication and frequency of cyberattacks that are encouraging governments, banks and other players to reevaluate their security measures.

 

Background

In order to support its customers reinforce their security, SWIFT introduced the Customer Security Program2 (CSP) ) in May 2016, that sets guidelines and controls to improve information sharing throughout the community, enhances SWIFT-related tools for customers and provides control frameworks.

As part of the CSP, SWIFT published its  Customer Security Controls Framework in April 2017 which introduces 16 mandatory security controls  that all SWIFT users must apply to their SWIFT-related infrastructure.

Our Understanding

SWIFT requirements should be considered as users’ high priority as failure to comply with the requirements, on an annual basis, will be reported to regulators.

Each organization is required to assess, define, document, implement and attest the compliance of their SWIFT Local infrastructure processes and technologies against SWIFT’s controls through:

  • An assessment against the SWIFT Customer Security Controls Framework (CSCF), comprised of 16 mandatory security controls and 11 advisory (non-mandatory) security controls; 
  • Self-attestation on user’s compliance with the CSCF controls, based on the results of the self-assessment (referring to SWIFT Customer Security Controls Policy).

Swift Customer Security Controls

The 27 controls3 presented by SWIFT are mapped against international standards where applicable, such as NIST, PCI-DSS and ISO 27002.

Each of these principles are then divided into controls, for example, the Principle “7. Plan for incident Response and Information Sharing” describes the 4 controls:

7.1 Cyber Incident Response Planning – Mandatory

7.2 Security Training and Awareness – Mandatory

7.3A Penetration Testing – Advisory

7.4A Scenario Risk Assessment – Advisory 

Timeline

Users are required to self-attest the compliance of their SWIFT local environments against CSCF. The first self-attestation must be submitted by 31 December 2017, and on a yearly basis thereafter.

Key Challenges to be Addressed

Here are some of the challenges SWIFT users will face when preparing for the self-assessment exercise:

Companies will have to assess the necessity of the 11 advisory controls4, based on the maturity assessment of the cybersecurity existing frameworks.

The assessment of mandatory and advisory controls can lead to major technological enhancements, including the deployment of local intrusion detection technology on all critical SWIFT systems.

Depending on your organization architecture and governance, some of the controls may not be applicable to your organization and they will need to be justified in your self-attestation.

Our Approach

Sia Partners can assist SWIFT users in evaluating the maturity of their current cybersecurity framework, including processes, controls and governance. Our objective is to design the most efficient controls to close the gaps with the targeted framework and help the organization in the controls implementation. Sia Partners can also support the client in preparing the SWIFT CSP attestation.  

Sia Partners

 

Sources

  1. http://www.reuters.com/investigates/special-report/cyber-heist-federal/
  2. https://www.swift.com/myswift/customer-security-programme-csp
  3. https://www.swift.com/myswift/customer-security-programme-csp/security-controls
  4. http://www.bankinfosecurity.com/swift-will-begin-enforcing-mandatory-security-controls-a-9421
  • Key Takeaways

    • The SWIFT Customer Security Program (CSP) was established in May 2016 in order to support SWIFT users in the fight against cyber-attacks targeting SWIFT global messaging network
    • The CSP was updated in May 2017 through the release of the Customer Security Controls Policy
    • The CSP is targeting all SWIFT users globally
    • It comprised of 27, including 16 mandatory controls, and requires all SWIFT users to provide a self-assessment of their local environment on a yearly basis
    • SWIFT requires the first self-assessment to be submitted by Dec 31 2017, and will enforce it with inspections starting January 2018.
    • Failure to comply will be reported to local regulators and other SWIFT counterparts
0 comment
Post a comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Image CAPTCHA
Enter the characters shown in the image.
Back to Top