Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

3 mins to read

Understanding SWIFT’s 2021 Customer Security Programme and What the Changes Mean

Natalie Fedyuk

Managing Director - Security and Privacy

Views
Larger Font
3 minutes to read

Building on our guidance from 2020 on the changes to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme (CSP) and Customer Security Controls Framework (CSCF), we are now sharing the revisions for 2021. The most notable updates include: 1) the release of an updated CSCF (v2021), and 2) a mandatory requirement to conduct independent assessments on an annual basis.

Given the broad reach and critical nature of the SWIFT platform across the financial sector, it remains an attractive channel for cyberattacks, which leverage flaws in poor implementations at organizations for financial gain or market disruptions. The updated guidance aims to address this problem. Outlined below are the revisions member organizations should be familiar with as they prepare to attest their compliance with the SWIFT Customer Security Programme this year.

New Assessment Methodology

The latest CSP removes the user-initiated assessment from the assessment types and now requires the use of a community-standard assessment for all users. As part of this change, all attestations submitted from 2021 onward must be independently assessed. This independent assessment relies on assessing the design and implementation of the controls and must be performed through either:

  • External assessment: Performed by an independent organization with cybersecurity assessment experience or individual assessors who have relevant security certifications.
  • Internal assessment: Performed by a member’s second or third line of defense function or the company’s functional equivalent. These functions include risk management, compliance and internal audit and must be independent from the first line of defense function that ultimately submits the attestation (e.g., the chief information security officer [CISO] office or other information security role). It is also imperative that internal assessors have recent and relevant cybersecurity experience, specifically in assessing cybersecurity controls.

The CSP requires members to reattest annually with the following considerations:

  • If there are no changes to the CSCF, a member’s control implementations or architecture, then members may, for up to two attestation cycles, re-attest their compliance by submitting a letter from their independent assessor confirming no changes, through the Know Your Customer–Security Attestation (KYC-SA) application. Please note that members can also share results of their assessment with other members, upon request, through the KYC-SA application.
  • If there are changes to the CSCF or there are changes to a member’s control implementations or architecture, a new assessment must be performed.
  • If a new version of the CSCF is released by SWIFT, then a new assessment must be performed in the following year, regardless of changes to the member’s environment.

Controls Framework Changes for 2021

The 2021 version of the CSCF introduced two major changes that are intended to enhance the framework, adapt it to the evolving threat landscape and help ensure more rigorous implementation of security controls for SWIFT members and the SWIFT network. As part of the changes, one advisory control has been promoted to a mandatory control and one control now has an extended scope.

  • New Mandatory Control – Control 1.4, Restriction of Internet Access, has been promoted to mandatory. This control centers around ensuring that internet access is restricted to the minimal amount necessary to conduct business functions both within the Secure Zone and with Operator PCs that interface with SWIFT.
  • Scope Change – Control 4.2, Multi-factor Authentication (MFA), has an expanded scope that also requires MFA to be utilized when accessing SWIFT-related applications or components utilized for transaction processing and operated by third-party service providers.

New Architecture Type

One of the most notable CSCF v2021 changes is the addition of the fifth architecture type: A4 – Customer Connector. SWIFT architecture types are reference architectures that members choose from as the closest representation of their environment. These architecture types also determine the applicability and scope of CSCF controls. This latest architecture type utilizes customer application programming interfaces (APIs) to directly connect and interface with SWIFT services.

What if Organizations Do Not Comply

To help ensure the safety of all members and the SWIFT network, SWIFT has made available to all members the list of noncompliant members. In addition, SWIFT continues to reserve the right to report noncompliance, such as failure to submit an annual attestation, to relevant supervisory authorities. SWIFT also reserves the right to request an independent external assessment from users to verify the accuracy of their KYC-SA attestation, as outlined in the Customer Security Controls Policy (CSCP).

Considerations for SWIFT Members

Cybersecurity threats are continuing to evolve, and the complexity of IT environments is increasing at an exponential pace. As organizations adopt the latest version of the CSCF, they should consider the following:

  • Has our organization executed an independent controls assessment of our SWIFT environment, according to the latest SWIFT CSCF (version 2021)?
  • Is our SWIFT program driven by compliance or security objectives?
  • How confident are we in our digital identity management capabilities?
  • Do we have the necessary skill set, supporting processes and technology to comply with the CSCF year over year?
  • Have we enhanced our third-party program to leverage the KYC-SA application to understand the risks our counterparties pose to our financial institution?
  • Can our organization detect and respond to a suspicious cybersecurity event in a timely manner?

To learn more about our cybersecurity consulting capabilities, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

Natalie Fedyuk

By Natalie Fedyuk

Verified Expert at Protiviti

Visit Natalie Fedyuk's profile

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

This blog was originally posted on The Protiviti View. Like companies in other industries, energy and utilities (E&U) organizations want...

Article

What is it about

This blog was originally posted on Forbes.com. Kim Bozzella is a member of the Forbes Technology Council. Here’s a problem...

Article

What is it about

The HITRUST Alliance Common Security Framework (HITRUST CSF) is a cybersecurity framework that helps organizations manage risk and meet regulatory...