SWIFT Customer Security Program
Compliance deadline: 31 December 2022
In response to cybersecurity challenges, SWIFT has established a complex set of rules and requirements comprising 23 mandatory and 9 recommended controls for SWIFT users.
Resilience to cyber-attacks
In order to standardize the management of cyber security and operational risks, SWIFT has introduced the Customer Security Program (CSP), a framework that helps SWIFT users to establish and maintain an information security control environment for their SWIFT system. It covers control areas similar to those of well-known information security frameworks (e.g. ISO 27001, NIST CSF), but also includes controls related to key-links, back-office encryption or even employee due diligence.
Starting in 2021, self-audit will no longer be sufficient for demonstrating compliance with the requirements. Instead, an independent audit will be necessary to confirm that the necessary controls have been properly designed and implemented.
What is an independent audit?
There are two main types of independent audits:
- By an external, independent party - Compliance can be verified by an independent, external party with appropriate information security experience and expertise, e.g. CISA qualification.
- By an internal, independent party - Compliance with SWIFT controls can be verified by the SWIFT user's second or third line of defense, e.g. the compliance department, if they have the appropriate information security expertise and are truly independent in terms of organization.
A risk assessment report of the independent review should be produced, listing the areas of controls that do not meet SWIFT CSP requirements and management's intended action in this regard.
What happens if I do not carry out the independent review?
If the independent review is not conducted and submitted to SWIFT by the end of 2022, SWIFT will report the noncompliance to the regulatory authority, the MNB in Hungary.
How can Deloitte help?
At Deloitte, we are committed to supporting our clients through the independent review process. This includes identifying and summarizing any deficiencies, making recommendations for remediation, and verifying improvements. We also provide guidance on industry best practices and offer practical implementation suggestions while upholding the principles of independence.