Building on our guidance from 2020 on the changes to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme (CSP) and Customer Security Controls Framework (CSCF), we are now sharing the revisions for 2021. The most notable updates include: 1) the release of an updated CSCF (v2021), and 2) a mandatory requirement to conduct independent assessments on an annual basis.
Given the broad reach and critical nature of the SWIFT platform across the financial sector, it remains an attractive channel for cyberattacks that exploit weaknesses in members' implementations for financial gain or market disruption. The updated guidance aims to address this problem. Outlined below are the revisions member organizations should be familiar with as they prepare to attest their compliance with the SWIFT Customer Security Programme this year.
New Assessment Methodology
The latest CSP removes the user-initiated assessment from the assessment types and now requires the use of a community-standard assessment for all users. As part of this change, all attestations submitted from 2021 onward must be independently assessed. This independent assessment relies on assessing the design and implementation of the controls and must be performed through either:
- External assessment: Performed by an independent organization with cybersecurity assessment experience or individual assessors who have relevant security certifications.
- Internal assessment: Performed by a member’s second or third line of defense function or the company’s functional equivalent. These functions include risk management, compliance and internal audit and must be independent from the first line of defense function that ultimately submits the attestation (e.g., the chief information security officer [CISO] office or other information security role). It is also imperative that internal assessors have recent and relevant cybersecurity experience, specifically in assessing cybersecurity controls.
The CSP requires members to reattest annually with the following considerations:
- If there are no changes to the CSCF, a member’s control implementations or architecture, then members may, for up to two attestation cycles, re-attest their compliance by submitting a letter from their independent assessor confirming no changes, through the Know Your Customer–Security Attestation (KYC-SA) application. Please note that members can also share results of their assessment with other members, upon request, through the KYC-SA application.
- If there are changes to the CSCF or there are changes to a member’s control implementations or architecture, a new assessment must be performed.
- If a new version of the CSCF is released by SWIFT, then a new assessment must be performed in the following year, regardless of changes to the member’s environment.
Controls Framework Changes for 2021
The 2021 version of the CSCF introduced two major changes that are intended to enhance the framework, adapt it to the evolving threat landscape and help ensure more rigorous implementation of security controls for SWIFT members and the SWIFT network. As part of the changes, one advisory control has been promoted to a mandatory control and one control now has an extended scope.
- New Mandatory Control – Control 1.4, Restriction of Internet Access, has been promoted to mandatory. This control centers on restricting internet access to the minimum necessary to conduct business functions, both within the Secure Zone and on the Operator PCs that interface with SWIFT.
- Scope Change – Control 4.2, Multi-factor Authentication (MFA), has an expanded scope that also requires MFA to be utilized when accessing SWIFT-related applications or components utilized for transaction processing and operated by third-party service providers.
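To make Control 1.4 concrete, the following host-based egress policy for a Secure Zone system is an added example, not text or configuration from SWIFT, the CSCF or any member; it uses nftables, and every address, interface name, port and set member in it is a constructed placeholder that an implementer would replace with the endpoints documented by their connectivity provider. The policy denies outbound traffic by default and permits only an explicit allowlist, with drops logged so that monitoring can see attempted internet access.

```nftables
# Added example: default-deny egress policy for a SWIFT Secure Zone host,
# illustrating Control 1.4 (Restriction of Internet Access).
# Not part of the SWIFT CSCF or any member's configuration; all addresses,
# ports and set contents below are constructed placeholders.
table inet secure_zone_egress {
    # Constructed allowlist: the SWIFT connectivity endpoints this host
    # genuinely needs. Replace with the addresses your connectivity
    # provider documents.
    set swift_endpoints {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Constructed: an internal patch/anti-malware relay, so updates never
    # require direct internet access from the Secure Zone.
    set internal_relays {
        type ipv4_addr
        elements = { 10.10.0.5 }
    }

    chain output {
        # Everything not explicitly accepted below is dropped.
        type filter hook output priority 0; policy drop;

        # Keep replies within established sessions flowing.
        ct state established,related accept

        # Local loopback traffic.
        oif "lo" accept

        # Name resolution only through the internal resolver (constructed).
        ip daddr 10.10.0.2 udp dport 53 accept
        ip daddr 10.10.0.2 tcp dport 53 accept

        # SWIFT connectivity (constructed port; use the one your connector
        # documentation specifies).
        ip daddr @swift_endpoints tcp dport 443 accept

        # Software and signature updates via the internal relay, not the
        # internet.
        ip daddr @internal_relays tcp dport { 80, 443 } accept

        # Any other destination, including general internet access, is
        # logged and dropped so the attempt is visible to monitoring.
        log prefix "secure-zone-egress-drop: " level warn
        drop
    }
}
```

Load the ruleset with `nft -f <file>` and confirm it is in place with `nft list ruleset`; the `secure-zone-egress-drop:` log prefix gives the SOC a simple string to alert on, and a review of those log entries is also useful evidence for the independent assessor that the restriction is operating rather than merely documented. The same pattern applies to Operator PCs, where general browsing is routed through a filtering proxy or blocked outright rather than permitted from the machine that touches SWIFT.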
New Architecture Type
One of the most notable CSCF v2021 changes is the addition of the fifth architecture type: A4 – Customer Connector. SWIFT architecture types are reference architectures that members choose from as the closest representation of their environment. These architecture types also determine the applicability and scope of CSCF controls. This latest architecture type utilizes customer application programming interfaces (APIs) to directly connect and interface with SWIFT services.
What if Organizations Do Not Comply
To help ensure the safety of all members and the SWIFT network, SWIFT has made available to all members the list of noncompliant members. In addition, SWIFT continues to reserve the right to report noncompliance, such as failure to submit an annual attestation, to relevant supervisory authorities. SWIFT also reserves the right to request an independent external assessment from users to verify the accuracy of their KYC-SA attestation, as outlined in the Customer Security Controls Policy (CSCP).
Considerations for SWIFT Members
Cybersecurity threats continue to evolve, and the complexity of IT environments continues to increase. As organizations adopt the latest version of the CSCF, they should consider the following:
- Has our organization executed an independent controls assessment of our SWIFT environment, according to the latest SWIFT CSCF (version 2021)?
- Is our SWIFT program driven by compliance or security objectives?
- How confident are we in our digital identity management capabilities?
- Do we have the necessary skill set, supporting processes and technology to comply with the CSCF year over year?
- Have we enhanced our third-party program to leverage the KYC-SA application to understand the risks our counterparties pose to our financial institution?
- Can our organization detect and respond to a suspicious cybersecurity event in a timely manner?