The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides secure global payment services worldwide. In 2017 it launched the Customer Security Programme (CSP) as a targeted measure to combat cyber-attacks. The CSP has been optimised for 2019 and attestation of SWIFT compliance will also be adapted.
New and important features of the SWIFT Customer Security Programme 2019
Joining forces against threats from cyberspace
Today, SWIFT manages the communication traffic and transactions of more than 10,000 banks worldwide through its secure, standardised telecommunication network. The growing number of cyber-attacks on the SWIFT network and network participants’ infrastructure has prompted the transactions specialist to develop a security programme for its participants. With the CSP, it intends to harness the collective strength of network participants to counter threats from cyberspace.
The CSP was launched in 2017. It defines requirements for all participants with the aim of improving the exchange of information within the SWIFT community and maintaining an appropriate level of security for participants’ local SWIFT infrastructure. With this framework for coordinated quality assurance SWIFT is aiming to counter rising cyber risks and bolster the defensive capabilities of SWIFT participants against cyber-attacks.
Clamping down
Every year, SWIFT adapts its security programme to current circumstances. For 2019 it has upgraded three previously advisory-level controls to mandatory controls and added two new advisory controls to the programme (see figure 1). In addition, individual existing controls have been specified in more detail. SWIFT released its new CSP version on 10 August 2018. Participating financial institutions must demonstrate to SWIFT that they are in compliance with all mandatory controls by the end of 2019.
Figure 1: Overview of key CSP updates for 2019
Implementation with broad impact
Experience from certification cycles has shown that the implementation of the security programme and ongoing compliance with CSP requirements involve a great deal of work and expense for SWIFT participants. The requirements of SWIFT are extensive and also cover participants’ local IT infrastructure. Moreover, for some companies, certain specifications go beyond their own internal requirements for sound basic protection.
Substantial change announced for the attestation process
Mandatory confirmation of SWIFT compliance
Since the end of 2017, all participants have been required to confirm they comply with CSP controls. They can choose whether to verify their compliance through a self-attestation, an internal audit (self-inspection) or an external audit (third-party inspection).
For reasons of quality assurance, SWIFT reserves the right to require an independent external audit for selected participants. It has already initiated this process, as was announced to SWIFT institutions in the “Customer Security Programme Newsletter: Q4 2018” in autumn 2018.
At the SWIFT International Banking Operations Seminar (SIBOS) in Sydney in October 2018, SWIFT also announced changes to the attestation process that will tighten the confirmation requirements. Initial information indicates that self-attestations will no longer be possible. SWIFT plans to introduce the changes from 2020. Detailed information is expected in the coming months.
SWIFT participants called upon to take action
For financial institutions in the SWIFT network, the recent changes and updates to the CSP represent far more than minor tweaks to security arrangements. They must ensure the operational effectiveness of the controls implemented and hence their SWIFT compliance. This means that they should familiarise themselves with the new and upgraded mandatory controls quickly and thoroughly. To this end, it is worth reading the detailed description of the CSP contents on the SWIFT website. The updates may well not yet be reflected in a participant’s local security architecture. As a result, SWIFT participants may need to implement new control measures and verify their effectiveness – and soon.
Looking ahead, SWIFT participants would be well advised to prepare for the changes in the attestation process at an early stage. In particular, if the previous self-attestation is to be replaced by an external audit, it is essential to find the right partner and bring them on board early on.
External audit as a far-sighted solution
Proper implementation of SWIFT requirements is easier to demonstrate using a structured process. We at PwC assist various SWIFT participants in a number of roles (see figure 2). For example, we help SWIFT network participants to structure their information and cyber security in compliance with applicable rules to a tight schedule, and to enhance their SWIFT compliance in a targeted manner.
Figure 2: The steps to providing independent proof of SWIFT compliance with external help
Protecting the network and yourself
SWIFT is once again gearing up to fight cyber threats. With the CSP security programme, it is issuing binding and voluntary specifications to safeguard local SWIFT infrastructure. For 2019, SWIFT has upgraded three advisory-level controls to mandatory controls and added two new advisory controls to the programme. Furthermore, it has announced changes to the attestation process, the details of which will be released in the coming months. By introducing all of these changes, SWIFT is requiring its network participants to act. For the financial institutions themselves, the changes require an overhaul of their internal control framework and additional work and expense to ensure compliance with CSP requirements. As SWIFT has indicated that self-attestation as a means of demonstrating SWIFT compliance will soon be done away with, it is worth prioritising the topic of internal information and cyber security – and bringing in a knowledgeable external provider to ensure a successful third-party inspection.