SWIFT Customer Security Programme: New Challenges?

SWIFT is the world’s largest provider of secure financial messaging services to banks and other financial institutions. The network has more than 11,000 users in over 200 countries, which makes it an attractive target to cybercriminals looking for banking information to perpetuate their fraudulent schemes.

Since the 2016 cyber-heist against the Central Bank of Bangladesh that resulted in a loss of $81 million, SWIFT introduced a common set of security controls to foster a more secure financial ecosystem. The Customer Security Programme (CSP) is an industry cooperative to reinforce and safeguard the security of information sharing within the entire ecosystem. As part of an effort to enhance the cybersecurity of the entire ecosystem, members of SWIFT were required to annually self-attest to an initial set of mandatory cybersecurity controls.

Even with enhanced measures for security, it appears that SWIFT cyber fraud, with increasing levels of sophistication, has been on the rise since 2016. Banks and financial services providers cannot risk taking a hands-off approach by relying on the SWIFT network to prevent any fraud. The annual assessment process gives firms the opportunity to not only ensure compliance with SWIFT standards but also be proactive in strengthening current security measures. 

SWIFT users will need to support their attestation against 2021 standards with an independent internal or external assessment to submit by the end of the year. SWIFT has also published CSCF v2022 for attestation due December 2022 that can also be kept in mind this year. 

The CSP establishes a common set of security controls, the Customer Security Controls Framework (CSCF), to help users secure their systems. 

All controls are articulated around three overarching objectives, which is underpinned by eight principles. SWIFT developed the controls to mitigate cybersecurity risks by analyzing their cyber threat intelligence and feedback from industry experts and users. These controls are constantly evolving to keep up with cybersecurity practices or for any changes in technologies and regulatory modifications. SWIFT reports any non-compliant organizations to industry regulators.

Each year, users must have their security controls reviewed by an independent party as an informative assessment that will help fill out the annual self-attestation. SWIFT considers mandatory controls as realistic goals for near-term implementation, tangible security gain and risk reduction. Advisory controls are based on good practice that SWIFT recommends users implement. Over time, mandatory controls may change while some advisory controls may become mandatory.

SWIFT had announced that the assessment required for the year 2020 will be based on the 2019 benchmark. The requirements initially planned are postponed for one year, in addition to the new requirements introduced in 2021.

These requirements are of major importance to SWIFT users: in the event of non-compliance with the new control framework, SWIFT could report misconduct to the local supervisory authority and notify users of the SWIFT network.

The CSCF v2021 builds incrementally on last year’s version, as SWIFT minimized the number of changes to ensure the community has more time to fully implement the controls from previous CSCF versions. For 2021, SWIFT: 

• ‘Promoted’ one control from advisory to mandatory 
  • 1.4 Restriction of Internet Access – SWIFT also centralized the guidance on internet access from control 1.1 e) to this control  
• Introduced a new architecture type for users with a non-SWIFT footprint 
  • Differentiates users relying on SWIFT related connectors (or SWIFT footprint), from those relying on customer connectors (no SWIFT footprint)
  • This introduction gradually supports technology usage resulting from SWIFT’s strategy (such as Cloud and APIs)
• Clarified a number of guidelines and scope definitions
  • Scope definitions: connectors, general purpose operator PCs, and third-party cloud providers 
  • Existing controls: for great efficiency and alignment to reality in light of latest events (increase cyber threats due to covid, remote work, etc)
• Incorporated some user suggested implementations
  • 1.1 SWIFT Environment Protection – Inclusion of temporary access as a potential alternative to different jump servers for users and admin connection to secure zone
  • 2.9A Transaction Business Controls – 24/7 operational environment taken into account and suggested implementation methods reorganized; also clarified the outbound focus of this control
  • 6.1 Malware Protection – Reference to Endpoint Protection Platform (EPP) usage as a potential alternative implementation and explicit request to act upon results; added clarification regarding the scanning
  • 6.5A Intrusion Detection – Reference to Endpoint Detection and Response (EDR) usage as potential alternative implementation
  • 7.4A Scenario Risk Assessment – included reference to cyber wargames

Since the CSCF v2020 controls were rolled into CSCF v2021, users will need to attest against that framework in the second half of 2021 with an independent internal or external assessment.

Recently, SWIFT published a new version of the CSCF for users to attest against in the second half of 2022. In addition to updated security controls, SWIFT established a new CSCF Working Group of 23 National Member and User Groups to centralize, prioritize, and review all feedback from the community before finalizing the recommended changes. 

The updated security controls include:

• ‘Promoting’ one control from advisory to mandatory 
  • 2.9 Transaction Business Controls – SWIFT recognized the effectiveness of the control in reducing fraudulent financial losses, which supports and aligns with other regulations like the Committee on Payments and Market Infrastructures   
• Creating a new advisory control  
  • 1.5A Customer Environment Protection – ensures protection of the ‘customer connector’ and other customer-related equipment by aligning the new control applicable for architecture A4 with the existing control 1.1 already applicable to the other architecture A types.
• Extending scope of controls   
  • 6.2 Software Integrity is now Advisory for architecture A4. Customer connectors, introduced as advisory component in-scope for numerous controls in CSCF v2021, is now considered fully as in-scope for those controls. 
  • 1.2 Operating System Privileged Account Control is now Advisory for general-purpose operator Pcs and architecture B. This helps provide basic security hygiene on end-user devices.  
• Improving usability and comprehension of the document by aligning wording, revising presentation of summary tables, clarifying graphics, and refining definitions used 
• Incorporating minor clarifications or changes to specific controls or to the overall CSCF framework 
  • 1.5A Customer Environment Protection – Clarify ‘Secure Zones’ to support the new control 
  • 2.1 Internet Data Flow Security – Move the interactive flows to/from jump servers in Control 2.6 for consistency 
  • 2.4A Back Office Data Flow Security – Remove redundant references to customer connector 
  • 2.7 Vulnerability Scanning –Explicitly refer to network devices as in-scope components 
  • 2.8A Critical Activity Outsourcing – Consistently use the term ‘critical activities’ 
  • 4.1 Password Policy – Retrofit latest development (in TIPs) regarding PIN policy for 
  • 4.2 Multi-Factor Authentication – Incorporate Timed One-Time Passwords (TOTP) and soft tokens as possible Multi-Factor Authentication (MFA) options to align with reality 
  • 5.1 Logical Access Control – Ensure accountability and traceability of (re)assigned and delegated accounts; explicitly refer to network devices 
  • 5.2 Token Management – Explicitly refer to non-connected tokens 
  • 5.3A Staff Screening Process – Align control objective with the requested recurring staff screening 
  • 6.4 Logging and Monitoring – Provide guidance on global log retention to support forensics in line with local legislation 
  • 7.1 Cyber Incident Response Planning – Consider SWIFT recovery roadmap as a guide, not as a prescribed approach 
  • 7.2 Security Training and Awareness – Split ‘annual security awareness’ expectation from ‘maintaining knowledge over time’

Sia Partners is listed as a cyber security provider and an assessment provider in SWIFT directories to support the Customer Security Programme (CSP).* 

We have worked on numerous engagements relating to CSP and our consultants have in-depth knowledge in supporting the client in preparing the SWIFT CSP attestation. From our experience conducting SWIFT assessments, these are ten points that we recommend CISOs be particularly mindful of in consideration of the v2021 (and future) updates.  

1. Users should not entirely rely on last year’s assessment. The environments and controls are changing every year, especially as SWIFT updates the controls based on user feedback. While last year’s assessments can serve as a baseline to consider, it is crucial to diligently conduct each year’s assessments for any potential noncompliance. 
2. There is increased risk, both inherent and residual, to the working in the ‘new normal.’ With so many employees still working remotely, there are a lot of new threats now to be aware of. SWIFT users must continue to assess security for remote workers. And even with proper controls in place, the inherent risk to SWIFT is not something to be taken lightly. CISOs should have a comprehensive review of risks this year in the control assessment. 
3. Confirm and ensure understanding of your architecture type. With the introduction of a new architecture type in v2021, it is highly recommended that you review your architecture type. Does the update mean that your architecture is considered differently? Are you able to address any new considerations to your SWIFT footprint? 
4. Review and protect the security of your data flows. Although this control is considered advisory, it is critical to ensure the confidentiality, integrity, and mutual authenticity of the data flows between your SWIFT infrastructure components and the back office. Financial institutions need to make sure that the transmissions and flows of financial transactions are secure. 
5. Adequately monitor any anomalous activity. The logging of security-relevant activities for suspicious security events is the basis for effectively detecting abnormal behavior and potential attacks. Yet, beyond logging that data, how you how monitor the data is critical to configure the appropriate alarms. 
6. Ensure secure zone is properly implemented. SWIFT has really strict requirements on type of controls that need to be in place, so it can be difficult to implement the secure zone. The secure zone contains SWIFT-related systems and optionally other protected systems.
7. Have a well-prepared incident response plan. Especially in light of the past year, adequate business continuity procedures are an important key aspect to all firms. Defining and testing a cyber incident response plan is a highly effective way of reducing the impact and duration of a real cyber incident. Sia Partners can assist you in becoming a more resilient organization – see our Operational Resilience capabilities. 
8. Assess for your advisory controls since most will become mandatory in the next couple years. The label of mandatory controls is primarily to set realistic goals for users to achieve near-term, tangible security and risk reduction. While advisory controls recommended good practices for SWIFT users to implement, they might become mandatory due to evolving threats. Users should take advantage of the opportunity to stay ahead of the curve by assessing for advisory control compliance.
9. Make sure your approach to SWIFT cybersecurity is tied back to risk assessment. The implementation and yearly attestation of controls should not be viewed as merely a one-off activity, nor is it necessarily an exhaustive or all-inclusive process. The CSCF provides industry baselines and best practices for user-specific infrastructure. But the independent assessor’s findings and recommendations should be incorporated as a part of your institution’s cybersecurity governance and risk program. Do not lose track of the findings from each year’s assessments. 
10. Start the assessment and attestation process early because you may need to remediate or implement additional controls. Ensure that your institution has enough time to do so before December 31. 

Sia Partners is one of the few consulting firms to be globally recognized as a SWIFT cyber service provider and auditor. 

Our global consultancy practice can assist with SWIFT CSCF review, compliance with privacy laws in multiple jurisdictions, and integration of the latest cybersecurity tools into your daily workflow. As emphasized by SWIFT, compliance to control objectives is a risk-based approach: while mandatory controls are prioritized for near-term tangible risk reduction, advisory controls are based on recommended best practices for all users. 

Sia Partners has extensive experience helping organizations enact best practices in cybersecurity. Our market-leading expertise in Cyber Risk Management and Data Privacy can help your organization stand up an information security program that fits your needs.

Sia Partners can assist SWIFT users in evaluating the maturity of their current cybersecurity framework, including processes, controls and governance. Our objective is to design the most efficient controls to close the gaps with the targeted framework and help the organization in the implementation of controls.

*SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.