The SWIFT Customer Security Program (CSP) defines a set of security controls to which all SWIFT-connected entities must comply. Since 2021, the self-assessment has been replaced by a mandatory independent assessment. As a CSP assessor, BDO shares its experiences and insights into how an effective assessment is performed, common issues and pitfalls encountered during the assessment, and the most common weaknesses identified.
Recap: what is SWIFT?
SWIFT is the leading provider of secure financial messaging services around the globe. The core service remains payment processing, but SWIFT provides other services such as cash management and securities and FX trade. Some figures: the SWIFT network consists of more than 11.000 users in over 200 countries . More than 10 billion messages were sent over the SWIFT network in 2021 .
Mainly financial institutions, but also other businesses are connected to the SWIFT network. They connect either directly via their own SWIFT infrastructure or via a Service Bureau. These SWIFT customers directly pose a risk to the network, since they could be potential weak links. Security risks often arise upstream of the SWIFT network. If a corrupted file is entered upstream, the fraudulent payment could be carried out over the SWIFT network by the bank.
SWIFT’s goal: Reinforcing the security of the global banking system
One of SWIFT’s primary objectives is safeguarding the confidentiality, integrity and availability of the network and its messages. The financial sector is facing a constantly evolving threat landscape, to which SWIFT responds through continuous monitoring of the network and improvement of existing security measures. However, a disruption on the network could result not only from an attack on SWIFT, but also from an attack on one of its customers. As a result, SWIFT was compelled to act and created the Customer Security Program.
The SWIFT Customer Security Program
The CSP is an initiative to raise the bar concerning cybersecurity hygiene for SWIFT customers, helping to ensure defences against cyberattacks are up to date and effective, reducing the risk of successful cyberattacks. CSP is oriented towards three parties: you, your community and your counterparts. Every organization using the SWIFT network has to attest the level of compliance against the Customer Security Controls Framework (CSCF). Community sensibilization should further encourage every actor to take its responsibilities and implement good information security practices.
On an annual basis SWIFT revisits the CSCF and publishes the new updated framework on July 1St. Attestation against the CSCF is to be done between July 1st and December 31st of the year following publication.
The CSCF is based on a set of industry-recognized cyber security standards, based on NIST, ISO 27001 and PCI DSS. In total, there are 32 security controls (23 mandatory and 9 advisory/optional), oriented around 8 security themes. The way your organization interacts with SWIFT determines which of the controls you must comply with.
|CSP Security Conrols Framework
|Secure Your Environment
||Restrict Internet access
||Segregate critical systems from general IT environment
||Reduce attack surface and vulnerabilities
||Physically secure the environment
|Know and Limit Access
||Prevent compromise of credentials
||Manage identities and segregate privileges
|Detect and Respond
||Detect anomalous activity to system or transaction records
||Plan for incident response and information sharing
A short history of the Customer Security Program
SWIFT adopted CSP in 2016 and published the accompanying Customer Security Controls Framework (CSCF) as early as 2017, which has since been updated several times since then. The CSCF describes the security controls that must be complied with each year. In 2017, there were 16 mandatory controls, whereas now in 2022 there are 23. These updates represent continual improvement of security controls, based on the monitoring of adversary tactics and learning from real-world attacks in the cybersecurity threat landscape.
Furthermore, as from 2021, all institutions affiliated to the SWIFT network must have an independent CSCF assessment carried out annually by an independent party. It is essential that the evaluator has the appropriate level of competence to assess and implement the technical and organizational controls.
BDO’s practical experience with CSCF v2021
Common issues and pitfalls
BDO has performed numerous assessments in 2021. Our experience with these shows that getting a few key topics straight is vital in order to have an efficient and successful assessment. The main topics are:
- Preparation for the assessment should be performed timely and proactively. It is important to have early buy-in from management and understanding of the CSP requirements.
- Effective project planning is required to minimise the lead time and strain on the IT team, but not always easy from start on. We noticed that by creating a detailed plan upfront with concrete milestones, and validating it with our client, the assessment can go very smoothly with minimal impact on the client’s day-to-day activities.
- We noticed that some clients were struggling with the definition of the scope of the engagement and what components were in or out of scope. We learned that walking the client through the definitions of the scope and of the components as stated in the CSCF enhances understanding from both sides and avoids discussions.
- One of the main concerns for clients that outsource their financial messaging services to a Service Bureau or other third party, was to obtain documentation of implemented controls at the Service Bureau to make sure that its security level complies with the CSP requirements.
- A positive experience was that most of our clients are actually quite well prepared for the assessment, either having done it internally for the past few years or being used to the audit process. Clients knew what information we expect to receive and were therefore very able to efficiently answer our requests. Setting clear requirements and expectations upfront will limit the going back and forth between assessor and client and speed up the overall process.
- The CSP has raised security awareness in the financial industry, but also improved the interactions between business departments and IT. We received feedback that thanks to our assessment, the IT and Treasury teams are in general more aligned regarding information security aspects.
Do CSP controls only apply to local SWIFT hardware?
A: No. Organizations with an indirect link to the SWIFT network also need to comply with the controls. Which components are in scope is documented in the CSCF within each control. For example, regular computers used by employees of the Treasury department (to access Alliance Lite2 GUI, for instance) are also in scope, these are the General Purpose Operator PCs (GPOPC).
We are already ISO 27001 or PCI-DSS certified. Can we refer to our certification and avoid a CSP assessment?
A: No. However, having a certification such as ISO 27001 means your organization is mature in terms of its internal control framework and its documentation, which will greatly facilitate the assessment. Policies and procedures will likely already be in place, and your employees will know what it’s like to be audited and what we, as assessors, will ask as evidence of the implementation of controls.
In rare cases, a compliance analysis could be conducted, which would entail performing a mapping exercise between the SWIFT framework and the certification you have. However, it is likely that gaps between both will still exist, meaning that the CSCF assessment will need to take place for the remaining controls.
If I outsource my SWIFT connection or the hosting of my SWIFT components, does that have an impact on my architecture type?
A: Outsourcing the connection or hosting of SWIFT components to a third party does not change your architecture type. For instance, if you use a SaaS Treasury Management System (TMS), you are still responsible for the security of your own enterprise network and the connection to the SaaS TMS. Although you do not own the hardware, you are responsible for its security in the eyes of SWIFT. Therefore, you will need to ascertain that your supplier is CSP compliant, or even review their CSP security controls yourself.
Recurring control deficiencies
Every organization is different in terms of its activities, infrastructure setup and related risks. Nevertheless, many organizations face the same issues, especially when zooming in on cybersecurity. What topics were most often an issue during our assessment?
- Control 7.1: The establishment of a Cyber Incident Response Plan was often an issue, in particular for smaller customers. Although a BCP and DRP may be present, these are often not practical enough to consider an incident response plan, as they often lack contact details, escalation timers and authority and how and when to notify stakeholders.
- Control 5.2: Regarding hardware tokens used by customers, we noted that they are not always safely stored. These tokens should be removed from the system whenever the user leaves their workstation, and stored in a location with restricted access based on the need to know principle.
- Control 5.1: Periodic access reviews were not always strictly performed within the defined timelines. Although this control is part of the more basic IT General Controls within Access Management, many organizations do not take into account separation of duties or rethink least privilege and need to know whenever performing these reviews. This control is one that can, when implemented correctly, reduce both fraud risk and cybersecurity risk, leading to a real reduction of expected losses from these types of attacks.
BDO can help you in obtaining the SWIFT Customer Security Program attestation
BDO offers you knowledgeable and experienced cybersecurity professionals to guide you towards CSP attestation. We take pride in the skills and expertise of our people. As such, we ensure that all consultants working on the assessments are SWIFT CSP certified.
- Planning & kick-off: We start by understanding your organization, validating the architecture type and agreeing on the scope and the timeline of the assessment.
- SWIFT CSP independent assessment: Our certified professionals conduct an independent assessment of the current level of mandatory security controls against the CSCF requirements. The assessment includes a validation of polices, processes and business practices as discussed throughout meetings with stakeholders and evidenced by a walkthrough of relevant systems and documentation.
- Actionable remediation plan: For any gaps in security controls against the CSCF requirements, BDO will propose potential improvement points and remediation steps in a prioritised action plan.
BDO’s security professionals guide you towards the way of attestation in a pragmatic and well-structured manner, staying on top of the engagement until you have a statement in hand to upload onto the SWIFT KYC-SA portal.