SWIFT Customer Security Program
In response to current risk and cyber security challenges, SWIFT established a comprehensive set of rules and requirements intended to actively support customers in the fight against cyber-attacks. Thanks to our long-standing cooperation with SWIFT, via our Centre of Excellence in Belgium, we are uniquely positioned to guide you through the challenges of implementing SWIFT's Customer Security Controls Framework (CSCF) and to address SWIFT dependencies and compliance requirements.
Resilience against cyber-attacks
To standardize the level of operational and cyber risk management, SWIFT introduced the Customer Security Program (CSP). The CSP is a framework designed to help users set up their own cyber security controls, which they can implement themselves in their local environments.
Through the SWIFT CSP, companies are able to align with the security requirements baseline created by SWIFT, which is updated every year to respond to new cyber challenges. As in previous years, updates to the Customer Security Controls Framework (CSCF) were announced in 2021; currently 22 mandatory controls and 9 advisory controls are in scope of the CSCF.
Community-Standard Assessments 2021
Moreover, from mid-2021, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2021 under the CSCF v2021 also require an independent assessment. A user can do this in either of two ways:
1. External assessment, by an independent external organization (such as Deloitte), which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s).
2. Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As with external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.
Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of a user’s self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called “SWIFT-Mandated assessments”.
SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.
How we can help
Community-Standard Assessments 2021
As, from 2021, all attestations against the CSCF must be independently assessed as part of the Community-Standard Assessment process, Deloitte offers an IT assurance team of SWIFT CSP experts to help you fulfill this requirement, including support from the Deloitte SWIFT CSP Centre of Excellence. Our numerous past SWIFT CSP implementations and assurance engagements ensure that the assessment results are adequate and the delivery efficient.
CSP Self-attestation Advisory
Deloitte will guide you through the self-attestation process by:
- leading a CSP workshop with the key staff involved in the SWIFT self-attestation
- checking your system configurations and documentation
- reviewing your environment against the SWIFT Customer Security Controls Framework
As a result, we can deliver a management report useful for the self-attestation and give you a high-level opinion on the remediation activities defined by your organization.
Advice on closing the gaps
Thanks to our extensive international experience and deep understanding of SWIFT requirements and controls, we always suggest the most efficient remediation plans. We work closely with the organization's key stakeholders to define a plan that suits you and allows you to close the gaps against the SWIFT CSCF.
Through years of experience with different implementation methods, using all kinds of software and hardware, Deloitte is also exceptionally placed to provide assistance with the implementation of controls in the Customer Security Controls Framework.
Unique Customer Security Controls Framework (CSCF) credentials (the framework used for SWIFT CSP)
As part of this program so far, Deloitte has performed more than 100 assessments based on the SWIFT CSCF around the globe. Deloitte Czech Republic is part of the Deloitte Global SWIFT CSP Network and cooperates closely with the Deloitte Belgium SWIFT competence center.
Deloitte SWIFT CSP Centre of Excellence
In order to deliver the highest quality of service across regions and build upon our experience, Deloitte Belgium has established a SWIFT CSP Centre of Excellence with professionals skilled and experienced in security projects based on the SWIFT Customer Security Controls Framework (CSCF). Our experts have executed projects from start to end, or supported local Deloitte offices as subject matter experts in delivering security assessments based on the CSCF.