SWIFT Customer Security Program (CSP) Requirements
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) established the Customer Security Program to support its customers in the fight against cyber-fraud carried out over the SWIFT network.
The most prominent of these attacks, disclosed in March 2016, stole $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York [1]. The attackers did not breach the SWIFT network itself; they compromised the bank's own local SWIFT environment and used it to issue fraudulent payment instructions, which is why the CSP focuses on the security of each user's local environment.
SWIFT has since confirmed further attacks of the same kind, and the growing sophistication and frequency of such attacks are prompting governments, banks and other market participants to reevaluate their security measures.
To strengthen the security of SWIFT usage across global financial markets, SWIFT launched the Customer Security Program (CSP) [2] in May 2016. The CSP sets out guidelines and controls to improve information sharing throughout the community, enhance SWIFT-related security tools for customers and provide an audit framework.
Published in May 2017, the Customer Security Controls Policy updates the CSP with further detail on the roles, responsibilities and process of the customer security attestation and its follow-up.
The timeline to develop and implement the required changes is very short, since inspections and enforcement begin in January 2018.
Users should treat the SWIFT requirements as a high priority: failure to attest compliance on an annual basis will be reported to regulators and to other SWIFT members.
To strengthen the security of each user's local SWIFT environment, every organization is required to define, document, implement and assess its payment processes and technologies against SWIFT's controls through:
- A self-assessment against the SWIFT Customer Security Controls Framework (CSCF), which comprises 16 mandatory security controls and 11 advisory (non-mandatory) security controls;
- A self-attestation of the user's compliance with the CSCF controls, based on the results of the self-assessment (as set out in the SWIFT Customer Security Controls Policy).
SWIFT Customer Security Controls
The 27 controls [3] defined by SWIFT are mapped, where applicable, against international standards such as NIST, PCI-DSS and ISO 27002. The controls are organised under three overarching objectives (secure your environment, know and limit access, detect and respond) and eight security principles.
Each principle is then broken down into controls. For example, the principle "Plan for Incident Response and Information Sharing" contains the following 4 controls:
- Cyber Incident Response Planning – Mandatory
- Security Training and Awareness – Mandatory
- Penetration Testing – Advisory
- Scenario Risk Assessment – Advisory
Users are required to self-assess their local SWIFT environments against the CSCF. The first self-attestation must be submitted by 31 December 2017, and annually thereafter.
Key Challenges to be Addressed
Here are some of the challenges SWIFT users will face when preparing for the self-assessment exercise:
Companies will have to decide whether to implement the 11 advisory controls [4], based on a maturity assessment of their existing cybersecurity framework.
Assessing the mandatory and advisory controls can lead to major technological changes, for example deploying local intrusion detection on all critical SWIFT systems.
Depending on the organization's architecture and governance (in particular the SWIFT architecture type of its local environment), some controls may not be applicable; any control marked as not applicable must be justified in the self-assessment.
Sia Partners can assist SWIFT users in evaluating the maturity of their current cybersecurity framework, including processes, controls and governance. Our objective is to design the most efficient controls to close the gaps against the target framework and to support the organization in implementing them. Sia Partners can also support the client in preparing the SWIFT CSP attestation.
- The SWIFT Customer Security Program (CSP) was established in May 2016 to support SWIFT users in the fight against cyber-attacks on users of the SWIFT global messaging network
- The CSP was updated in May 2017 through the release of the Customer Security Controls Policy
- The CSP applies to all SWIFT users globally
- It comprises 27 controls, 16 of them mandatory and 11 advisory, and requires all SWIFT users to self-assess their local environment on a yearly basis
- SWIFT requires the first self-attestation to be submitted by 31 December 2017, and will enforce compliance with inspections starting in January 2018
- Failure to comply will be reported to local regulators and to other SWIFT counterparties