SWIFT Customer Security Program (CSP) Requirements
SWIFT has established the Customer Security Program to support its customers in the fight against cyber-fraud targeting their SWIFT-related infrastructure.
SWIFT notes that the increasing sophistication and frequency of cyberattacks is prompting governments, banks and other market participants to re-evaluate their security measures.
To help its customers reinforce their security, SWIFT introduced the Customer Security Program (CSP) in May 2016. The program sets guidelines and controls, improves information sharing across the community, enhances SWIFT-related tools for customers and provides control frameworks.
As part of the CSP, SWIFT published its Customer Security Controls Framework in April 2017 which introduces 16 mandatory security controls that all SWIFT users must apply to their SWIFT-related infrastructure.
Users should treat SWIFT's requirements as a high priority: failure to comply with them, assessed on an annual basis, will be reported to regulators.
Each organization is required to assess, define, document, implement and attest to the compliance of its SWIFT local infrastructure, processes and technologies against SWIFT's controls through:
- An assessment against the SWIFT Customer Security Controls Framework (CSCF), comprised of 16 mandatory security controls and 11 advisory (non-mandatory) security controls;
- Self-attestation of the user's compliance with the CSCF controls, based on the results of the self-assessment (as set out in the SWIFT Customer Security Controls Policy).
SWIFT Customer Security Controls
The 27 controls presented by SWIFT are mapped, where applicable, against international standards such as NIST, PCI-DSS and ISO 27002. The CSCF groups the controls under 3 objectives (secure your environment, know and limit access, detect and respond), which are broken down into 8 security principles.
Each principle is then divided into controls. For example, Principle 7, "Plan for Incident Response and Information Sharing", contains the following four controls:
7.1 Cyber Incident Response Planning – Mandatory
7.2 Security Training and Awareness – Mandatory
7.3A Penetration Testing – Advisory
7.4A Scenario Risk Assessment – Advisory
Users are required to self-attest to the compliance of their SWIFT local environments against the CSCF. The first self-attestation must be submitted by 31 December 2017, and on a yearly basis thereafter.
Key Challenges to be Addressed
Here are some of the challenges SWIFT users will face when preparing for the self-assessment exercise:
Companies will have to assess the necessity of the 11 advisory controls, based on a maturity assessment of their existing cybersecurity frameworks.
The assessment of the mandatory and advisory controls can lead to major technological enhancements, including the deployment of local intrusion detection technology on all critical SWIFT systems.
Depending on your organization's architecture and governance, some of the controls may not be applicable to your organization; their exclusion will need to be justified in your self-attestation.
Sia Partners can assist SWIFT users in evaluating the maturity of their current cybersecurity framework, including processes, controls and governance. Our objective is to design the most efficient controls to close the gaps with the target framework and to help the organization implement them. Sia Partners can also support the client in preparing the SWIFT CSP attestation.
- The SWIFT Customer Security Program (CSP) was established in May 2016 to support SWIFT users in the fight against cyber-attacks targeting the SWIFT global messaging network
- The CSP was updated in May 2017 through the release of the Customer Security Controls Policy
- The CSP is targeting all SWIFT users globally
- It comprises 27 controls, 16 of which are mandatory, and requires all SWIFT users to provide a self-assessment of their local environment on a yearly basis
- SWIFT requires the first self-attestation to be submitted by 31 December 2017, and will enforce compliance with inspections starting January 2018
- Failure to comply will be reported to local regulators and other SWIFT counterparts