The new year has only just begun, but there is no time to be sitting in neutral – quite the opposite in fact. It is already high time to familiarise yourself with the compliance requirements of the Customer Security Controls Framework (CSCF), the centrepiece of the SWIFT Customer Security Programme (CSP), and to implement the necessary measures. SWIFT, the nervous system of the global financial market, is used by almost everyone in the industry, so there is “no way around” these compliance requirements. In this article, you will find out what it is all about and what needs to be done by when.
SWIFT is short for “Society for Worldwide Interbank Financial Telecommunication”, and it is a household name, particularly in the financial sector. The organisation guarantees secure payment and message traffic worldwide – specifically at over 11,000 banks, with 26 million messages and 10 trillion euros in money transfers happening every day. Unsurprisingly, SWIFT is particularly attractive to cyber criminals, as was demonstrated by a successful attack in 2016 (please refer to our blog article).
As a result, the SWIFT CSP was created with the goal of significantly improving cyber security within the SWIFT user community, so that it is ready for the cyber threats to come.
SWIFT Customer Security Controls Framework
The CSCF describes a set of mandatory and advisory security controls for those who use the SWIFT network. Mandatory controls establish a general security baseline for the SWIFT community and must be implemented by all users in line with their architecture type. Advisory controls are based on security best practice, and SWIFT recommends that users adopt them where applicable.
CSCF update process
Since its introduction, the framework has been continuously improved: since 2018, advisory (recommended) controls have been upgraded to mandatory controls and new advisory controls have been added on an annual basis. From our point of view, this trend will continue in the future.
The strategy behind this is to improve security continuously.
As part of the change management process for the CSCF, updates are usually communicated in the middle of the year. Between July and December of the following year (i.e. with a lead time of approx. one year), SWIFT users are required to self-attest their compliance with the mandatory controls.
Source: SWIFT Customer Security Controls Policy (Status: 08.07.2019)
Attestation of compliance on the basis of the SWIFT Independent Assessment Framework (IAF)
As mentioned above, all SWIFT users must self-attest their level of compliance with the mandatory controls applicable to their architecture type on an annual basis. Compliance has to be verified by performing an assessment.
Source: Based on the SWIFT Independent Assessment Framework (Status: 09.02.2020)
As of this year, the assessment must be performed by an independent party. In the usual Community-Standard Assessment, this can be done by an internal function (such as internal audit, or the risk or compliance manager) or by a qualified external organisation (e.g. InfoGuard).
In the case of a SWIFT-Mandated Assessment, only external assurance is allowed.
Ensure SWIFT compliance – act now!
The attestation phase for CSCF v2020 starts in July and ends in December 2020. Do you know your level of compliance today? Do you need assistance with interpreting the requirements or with implementing the necessary measures? Are you looking for a qualified external organisation to perform the assessment?
Our InfoGuard experts have been providing advice and support in the areas of compliance and assessment to a wide range of companies – either on a project or mandate basis. InfoGuard is one of the few Swiss companies to be a member of the SWIFT Cyber Security Partner Programme, both as a partner and as an assessor. As a customer, this gives you the advantage of having a partner by your side who knows exactly what is required. Please feel free to contact us with no obligation – we will be happy to help you.