The new year has only just begun, but there is no time to be sitting in neutral – quite the opposite, in fact. It is already high time to familiarise yourself with the compliance requirements of the Customer Security Controls Framework (CSCF), the centrepiece of the SWIFT Customer Security Programme (CSP), and to implement the necessary measures. SWIFT – the nervous system of the global financial market – is used by almost everyone in the industry, so there is “no way around” those compliance requirements. In this article, you will find out what it is all about and what needs to be done by when.
SWIFT is short for “Society for Worldwide Interbank Financial Telecommunication”, and it is a household name, particularly in the financial sector. The organisation guarantees secure payment and message traffic worldwide – specifically at over 11,000 banks with 26 million messages and 10 trillion euros in money transfers happening every day. Unsurprisingly, SWIFT is particularly attractive to cyber criminals, as was demonstrated by a successful attack in 2016 (please refer to our blog article).
As a result of this, the SWIFT CSP was created with the goal of significantly improving cyber security within the SWIFT user community, in order to be ready for the cyber threats to come.
SWIFT Customer Security Controls Framework
The CSCF describes a set of mandatory and recommended security controls for those who use the SWIFT network. Mandatory security controls establish a general security baseline for the SWIFT community and must be implemented in line with their architecture type by all users. Advisory controls are based on best security practice and SWIFT recommends that users adopt these controls where applicable.
CSCF update process
Since its introduction, the framework has been continuously improved: since 2018, advisory (recommended) controls have been upgraded to mandatory controls, and new advisory controls have been added on an annual basis. From our point of view, this tendency will continue in the future.
The strategy behind this is continuous improvement of security.
As part of the change management process for the CSCF, updates are usually communicated in the middle of the year. Between July and December of the following year (i.e. with a latency period of approx. 1 year), SWIFT users are required to self-attest their compliance with the mandatory controls.
Source: SWIFT Customer Security Programme Controls
Attestation of compliance on the basis of the SWIFT Independent Assessment Framework (IAF)
As mentioned above, all SWIFT users must self-attest their level of compliance with the mandatory controls applicable to their architecture type on an annual basis. Compliance has to be verified by performing an assessment.
Source: Based on the SWIFT Independent Assessment Framework (Status: 09.02.2020)
Update - June 2020: In light of COVID-19, SWIFT has adapted the timeline.
As of next year, the assessment must be performed by an independent party. In the usual Community-Standard Assessment, this can be done either by an internal function (such as internal audit, or the risk or compliance manager) or by a qualified external organisation (e.g. InfoGuard).
In case of a SWIFT-Mandated Assessment, only external assurance is allowed.
Ensure SWIFT compliance – act now!
In light of the COVID-19 pandemic, SWIFT is asking SWIFT users to re-attest against the 2019 set of controls by the end of 2020. From July 2021 until December 2021, SWIFT will expect a re-attestation that brings the institution in line with the combined control framework requirements for 2020 and 2021, supported by an independent assessment.
Do you know your level of compliance today? Do you need assistance either with interpreting the requirements or with how to implement necessary measures? Are you looking for a qualified external organisation to perform the assessment?
InfoGuard has expertise and experience in providing cyber security services and CSP assessment support for the SWIFT CSP. InfoGuard is one of the few Swiss companies listed in the directories* in which SWIFT lists cyber security service providers and CSP assessment providers. As a customer, this gives you the advantage of a partner by your side who knows exactly what is required. Please feel free to contact us with no obligation – we will be happy to help you.
*Note: SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.