Banking information is among the most sensitive information an organisation holds. That is why the recent high-profile cyber-attacks on customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), address their dependencies on SWIFT, and ultimately use the exercise as a starting point for broader security innovation.
In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.
To limit the opportunities hackers have to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP). The CSP is a framework designed to help users set up cyber security controls that they can implement themselves in their local environments.
The CSP focuses on three mutually reinforcing areas. Customers first need to protect and secure their own local environment (you); next comes preventing and detecting fraud in their commercial relationships (your counterparts); and finally, continuously sharing information and preparing to defend against future cyber threats (your community).
You
Securing your local SWIFT-related infrastructure, and putting in place the right people, policies and practices, is critical to avoiding cyber-related fraud.
Your counterparts
Companies do not operate in a vacuum; all SWIFT users are part of a broader ecosystem. Even with strong security measures in place, attackers are highly sophisticated and you need to assume that you may be the target of cyber-attacks. That is why it is also vital to manage security risk in your interactions and relationships with counterparties.
Your community
The financial industry is truly global, and so are the cyber challenges it faces. What happens to one company in one location can be replicated elsewhere in the world.
SWIFT asked users to set up these cyber security controls by 31 December 2017, and to update their systems in line with CSP requirements on an annual basis. Compliance with the CSP is demonstrated through self-attestation. SWIFT has already announced updates to the Customer Security Controls Framework for attestation in 2021.
SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management programme, one that is regularly evaluated and adjusted based on leading industry practices and on changes to the individual user's security posture and infrastructure.

Moreover, from mid-2021, all users are obligated to perform "Community Standard Assessments". This means that all attestations submitted in 2021 under CSCF v2021 also require an independent assessment. A user can do this in either of two ways:

External assessment, by an independent external organisation with existing cybersecurity assessment experience, whose individual assessors hold relevant security industry certification(s). Deloitte Belgium can help you with the external assessment, or

Internal assessment, by the user's second or third line of defence function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defence function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As with external assessors, those undertaking the assessment work should possess recent and relevant experience in assessing cyber-related security controls.

Last, and separate from the two categories above, SWIFT also reserves the right to seek independent external assurance to verify the veracity of a user's self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called "SWIFT-Mandated assessments".
SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.