SWIFT customer security program


SWIFT Customer Security Programme

Banking information is among the most important data to keep safe. That is why the recent high-profile cyber-attacks on customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), as well as address their SWIFT dependencies.

In response to these attacks, SWIFT issued baseline security requirements through its Customer Security Programme (CSP). While the SWIFT network itself was not compromised, in some cases cybercriminals successfully breached the local operating environment that SWIFT users had set up around their SWIFT infrastructure.

To reduce the opportunities for cybercriminals to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the CSP: a programme designed to help organisations using SWIFT design, review and implement specific cyber security controls for their local environments.

The CSP's main components are the Customer Security Controls Framework (CSCF) and the Customer Security Controls Policy (CSCP). An Independent Assessment Framework (IAF) has also been defined to guide users when assessing their compliance with the CSP.

After the original release of the SWIFT CSP, users had to perform their first self-assessment by 31 December 2017, with full compliance with the mandatory controls expected for the second self-assessment deadline of 31 December 2018. Since then, SWIFT has updated the CSP annually to improve its coverage and to reflect the evolving cyber threat landscape. Compliance attestations are expected at the end of each year.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management programme, which should be regularly evaluated and adjusted based on leading industry practices and changes to the individual users' security position and infrastructure.

SWIFT's strategic security principles



The framework applies to four types of SWIFT user architecture, named A1, A2, A3 and B. Which architecture applies determines which controls are in scope, so SWIFT users must first identify their architecture type before identifying and implementing the applicable controls.



The introduction of a new assessment methodology

In order to improve the level of assurance provided by self-attestations, SWIFT has developed an Independent Assessment Framework (IAF) which, from CSCF v2020 onwards, requires every attestation to be supported by an independent assessment. Self-assessment alone will no longer be accepted: SWIFT users will have to rely on an independent assessment performed either by their internal second or third line of defence (e.g. risk management, internal audit) or by an external third-party organisation.




Assessing the CSP

How different will your declaration be on 31.12.2020?


While a self-attestation usually takes a light approach, an independent assessment will, for the vast majority of the CSCF controls, rely on point-in-time evaluation of the user's implementation, supported by evidence of the design, the implementation and the operating effectiveness of each control.


An update of the control framework

CSCF v2020 also introduces some changes to the controls, to adapt the framework to the evolution of the cyber threat landscape and to progressively strengthen the overall control environment.

Two advisory controls, introduced in CSCF v2019, are being promoted to mandatory:

  • 1.3 – Virtualisation platform protection: the objective is to secure the virtualisation platform and the virtual machines hosting SWIFT-related components to the same level as physical systems
  • 2.10 – Application hardening: the objective is to reduce the attack surface of SWIFT-related components by hardening the SWIFT interfaces and related applications

Two new advisory controls are introduced:

  • 1.4A – Restrict Internet access: this control has been extracted from control 1.1 and centralises the guidance related to Internet access
  • 2.11A – RMA business controls: this control has been extracted from control 2.9A in order to separate the transaction business controls from the RMA (Relationship Management Application) business controls

Finally, one control is extended in scope:

  • 2.4A – Back-office data flow security: the middleware components are now included in the scope of the control


The SWIFT CSP controls




How confident are you in the effectiveness of your last self-declaration?

We propose that you begin the v2020 journey in 2019 by performing a gap assessment, to fully understand your current situation against the v2020 requirements and the independent assessment framework. This will help you identify and plan your remediation projects so that you are compliant by the given date. A gap assessment that evaluates the design, implementation and operating effectiveness of your control environment will also reduce the risk of your first independent assessment revealing unexpected non-compliant controls.

Deloitte’s cyber risk practice is widely acknowledged as a leading security consulting practice, and is eminently qualified to help your organization be secure, vigilant, and resilient in the face of evolving cyber threats.

Deloitte ranked #1 by Gartner in security consulting services for the sixth consecutive year

Gartner, the world's leading information technology research and advisory company, has positioned Deloitte first globally, based on revenue, in security consulting services for the sixth consecutive year in its report, Market Share: Security Consulting Services, Worldwide, 2017.

  • Deloitte's leadership in the field of information security assures you of our ability to assign qualified, knowledgeable and industry-respected personnel who have performed similar consulting assignments
  • Our experience in delivering similar mandates for local organisations brings industry-specific insight. Our local industry resources and deep experience with security technologies constitute an invaluable set of resources for SWIFT CSP-related engagements, and enable us to use proven tools and methods to carry out comprehensive engagements
  • We are technology and solution agnostic, and only recommend a solution that makes sense for the business and provides value

We offer holistic services that can support your organization as you address your SWIFT dependencies:

  • CSP readiness: Deloitte will perform a SWIFT CSP gap analysis, identify the gaps (from a design, implementation and operating effectiveness perspective), define actionable and pragmatic recommendations, and propose a remediation strategy and a roadmap to prioritise their implementation. This can cover the full scope or a limited one (e.g. focusing on the new controls that become mandatory when a new version of the CSP is released)
  • Compliance assessment: Deloitte will independently assess your organisation's compliance with the SWIFT CSP requirements. This service can also be co-sourced with your internal audit team
  • Security control design: Deloitte will assist in designing security controls in line with the SWIFT CSP requirements, including security architecture, identity and access management, incident response, etc.

* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT; and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.

We help clients establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

Learn more about our cyber risk services.



Contacts

Stéphane Hurtaud

Partner | Cyber Security Leader

Stéphane is a partner within our Risk Advisory practice. He has over 21 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services indu...

Maxime Verac

Director | Information & Technology Risk

Maxime Verac is a Director within Deloitte's Information & Technology Risk services in Luxembourg. He has 12 years of experience in Information Security. During the last 12 years, as a consultant, he ...

Regis Jeandin

Senior Manager | Tech. & Enterprise Application

Regis joined Deloitte in November 2017 as senior manager in the Advisory & Consulting team, where he covers security and privacy aspects related to the information security. Regis has almost 20 years ...
