Solutions

SWIFT Customer Security Program

Banking information is some of the most important information to keep private. That is why recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF) as well as address SWIFT dependencies and ultimately disrupt through innovation.

Limiting future cyber-attacks

In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.

To help limit opportunities that hackers have to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP). The CSP is a framework design to help users set up cyber security controls that they can implement themselves in their local environments.

The CSP focusses on three mutually reinforcing areas. Customers will first need to protect and secure their local environment (you), it is then about preventing and detecting fraud in your commercial relationships (your counterparts), and continuously sharing information and preparing to defend against future cyber threats (your community).

You

Securing your local SWIFT-related infrastructure and putting in place the right people, policies and practices, are critical to avoiding cyber related fraud.

Your counterparts

Companies do not operate in a vacuum and all SWIFT users are part of a broader ecosystem. Even with strong security measures in place, attackers are very sophisticated and you need to assume that you may be the target of cyber-attacks. That is why it is also vital to manage security risk in your interactions and relationships with counterparties

Your community

The financial industry is truly global, and so are the cyber challenges it faces. What happens to one company in one location can be replicated elsewhere in the world.

SWIFT Systems and the the SWIFT Customer Security Program

How SWIFT users can work to protect themselves

SWIFT has requested users to set up these cyber security controls by 31 December 2017, and to update their systems according to CSP requests on an annual basis. The CSP compliance will come through self-attestation. SWIFT has already announced updates to the Customer Security Controls Framework for attestation in 2020.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management program which should be regularly evaluated and adjusted, based on leading industry practices, and changes to the individual users' security posture and infrastructure.

Moreover, from mid-2020, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2020 under the CSCF v2020 also require an independent assessment. A user can do this in either of two ways:

  1. External assessment, by an independent external organisation, which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s). Deloitte Belgium can help you with the external assessment, or
  2. Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As per external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of their self-attestation, as outlined in the Customer Security Controls Policy (CSCP). 

SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.

SWIFT announced updates to CSCF v2020

More info

SWIFT's strategic security principles

The SWIFT Customer Security Controls Framework is build up out of 3 objectives and 7 strategic security principles. The framework is applicable to four types of SWIFT user architectures, titled A1, A2, A3, and B. SWIFT users must first identify which architecture applies to them before implementing the applicable controls.

Click to enlarge

SWIFT CSP controls scope

The diagram below depicts the scope of the customer security controls framework.

Click to enlarge

The scope of the SWIFT security controls is limited to the local SWIFT infrastructure and operator PCs (also referred to as the “secure zone”) and the connection to and from the secure zone. This includes the connection between the secure zone (1) operators, and (2) the back office or middleware. Depending on your set-up and applicable architecture, the scope may vary in size.

We help clients to establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

Why Deloitte Belgium?

Deloitte Belgium has provided over 100 entities with evaluations of their local SWIFT infrastructure and compliance with either the CSCF or the enhanced version, better known as the SIPSOF (Shared Infrastructure Program, Security and Operational Framework). We offer holistic services that can support your organization as you address your SWIFT dependencies:

SWIFT CSP Workshop

  • Team of consultants with deep SWIFT CSP experience perform a CSP workshop with your key staff that were involved in the SWIFT self-attestation.
  • Purpose of the workshop is the perform a review of your self-attestation and provide you with high level opinion on remediation activities defined by your organization.
  • Added values: quick confirmation of your self-attestation, confirmation of your team understanding of the CSCF and high level assessment of your remediation plan.

Review for CSP Self-attestation

  • Team of consultants with deep SWIFT CSP experience, Deloitte will review your environment based on the SWIFT Customer Security Control Framework.
  • Through interviewing your staff, inspecting system configurations and documentation we will deliver a management report that can be used for the self-attestation.
  • Added values: review of your environment by our team with a high level of understanding and experience that will limit your team involvement and disruption to minimum.

Advise on closing the gaps

  • Team of consultants with deep SWIFT CSP experience will work closely with the organization key stakeholders in order to define a plan how to close the gaps against SWIFT CSCF.
  • Added values: project and remediation plan prepared by experts with the correct understanding of how the controls should be implemented in your environment with minimal impact and disruption.

Closing the gaps project management

  • If you are struggling with (timely/correct) implementation of controls, Deloitte has project managers with an in-depth knowledge of the Customer Security Program. Therewith, Deloitte can guide you to correctly and timely remediate all controls within the Customer Security Controls Framework.
  • Added values: our project managers will ensure that new controls are implemented with minimal disruption to the current environment and will close all gaps against CSCF.

Controls implementation

  • Through years of experience with different implementation methods, using all kinds of software and hardware, the Cyber practice of Deloitte Belgium is exceptionally placed to provide assistance with the implementation of controls in the Customer Security Controls Framework.
  • Added values: controls implemented by team that understand the CSCF and will implement controls that will fully mitigate gaps with minimal disruption to your current environment.

Moreover, Deloitte in Belgium, and globally through the Deloitte Touche Tohmatsu Limited network of member firms, are the number one providers of security risk management solutions.

 

* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.

Get in Touch

Bert Truyman

Bert Truyman

Partner, Risk Advisory

Bert leads the ICT Audit and Assurance group in Belgium providing ICT (internal) audit, Third party assurance (e.g ISAE 3402, SOC 2), risk & controls and compliance services. He has specialised in pro... More

Michal Zavodny

Michal Zavodny

Manager, Risk Advisory

Michal is a manager with over 5 years (10 years overall work experience) of experience in the evaluation of business processes and complex IT environments. He is experienced with delivering IT cyber r... More