Hackers exploit security flaws at banks to steal large sums of money through payment systems and the local infrastructure that connects to them. It is time to put an end to this, and SWIFT, the international cooperative of financial institutions, has set up a Customer Security Programme (CSP) to do so. The programme aims at a significant improvement in the security of local SWIFT infrastructures against cyberthreats. Here is how it works, and what banks will need to do about it.
In case you have never heard of it, SWIFT stands for Society for Worldwide Interbank Financial Telecommunication and has existed since 1973. Its task is to standardise worldwide transaction and messaging traffic over the SWIFT telecommunication network. Its roughly 11,000 clients are themselves responsible for the security of their own environment and of their access to SWIFT. The Customer Security Programme is intended to ensure uniformly high and reliable protection for all SWIFT users, such as banks, stock exchanges, brokers and enterprises, in more than 200 countries.
Cybercriminals on the rise – time for action is now
The following ambitious plan is SWIFT's roadmap for the implementation of the programme:
- By December 2017, all SWIFT users had to state to what extent they complied with the compulsory and optional security controls. A self-assessment was required for this purpose, and SWIFT reserved the right to conduct a formal audit of the responses.
- Since January 2018, the SWIFT security framework has applied in the context of the "Customer Security Programme" initiative. Clients are committed to adhering to the corresponding security criteria with immediate effect.
- From December 2018, all users must certify that they meet the compulsory security controls in full.
SWIFT CSP – building blocks to construct security
The heart of the CSP is the Customer Security Control Framework, which consists of three targets:
- Secure Your Environment
- Know & Limit Access
- Detect & Respond
These three targets are broken down into eight fundamental principles, under which 27 controls are formulated: 16 are compulsory for all SWIFT users and financial service providers, and 11 additional controls are recommended. In 2018, a new release of the SIP (Shared Infrastructure Programme) is due, which is expected to harmonise the two programmes, the SIP and the CSP. The aim is to align the controls for those users who do not run a local SWIFT infrastructure but instead, for instance, use SWIFT Service Bureaux or access SWIFT through their system providers.
NIST, PCI DSS, ISO/IEC ‒ Security by regulations and standards
The security controls selected by SWIFT are based on the following international security standards:
- National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO/IEC 27002 Standard for IT security controls
As a result, the controls cover several issues that are regularly addressed in the context of end-of-year IT audits. Being able to prove compliance with these controls across the whole of the SWIFT infrastructure can be a challenge. For instance, businesses are expected to prove that employees receive regular security training that explicitly covers SWIFT.
Cyber Security Guide – for your security
For this reason, I warmly advise that you do not limit the effort to checking and securing your SWIFT-related infrastructure, but rather extend the scope to your whole internal IT and bring your infrastructure up to the state of the art in all matters of cyber security. This does not have to carry large additional costs. Are you wondering how that works? You will find the answers in our handy Cyber Security Guide.
Non-Compliance with SWIFT CSP is a No-Go
Where compliance is poor or the self-attestation is missing, SWIFT can, in the worst case, notify the local supervisory authority. Increased transparency is a further aim: in future, all SWIFT users will be able to request mandatory information on CSP compliance.
Swiss banks, and how they protect themselves against cyberattacks
Here at InfoGuard, we have wide experience in the field of cyber security in Swiss banks. We can support you, as a SWIFT client, in your SWIFT CSP compliance programme, including the following:
- Assessment of the current infrastructure and existing security solutions
- Evaluation of your control targets and concrete suggestion for their optimisation
- Implementation of controls through technical solutions, products and consulting services
Our suggestion: take the opportunity the SWIFT CSP offers to think about a comprehensive cyber security solution for your enterprise, one that goes beyond the implementation of the CSP. This is the only way to reach a higher level of security in your business.
Your cyber security partner, well established in the Swiss banking sector
You and your enterprise are not alone with this challenge: many other Swiss banks are in the same situation, and some have already taken action. Many have put their trust in InfoGuard. If you need more information, or details tailored to your own situation, we are pleased to help. Call on us and take advantage of our many years of experience and our wide portfolio of security solutions.