Is your organization ready to respond to the new requirements of the SWIFT Customer Security Programme?
This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of trust and transparency and aims to answer the questions that are important to your business. Read more to learn how SWIFT’s Customer Security Programme can help your organization meet stakeholder needs.
The threat of cyber attacks continues to grow and, for most companies, the reality is that there will be a breach at some point that they will need to respond to.
While companies are responsible for protecting their own technology environments, SWIFT (Society for Worldwide Interbank Financial Telecommunication) has established the Customer Security Programme (“CSP”) to support customers in the fight against cyber attacks. SWIFT’s CSP aims to prevent fraudulent activity through a set of mandatory security controls, community-wide information sharing initiatives and enhanced security features on its payments infrastructure. SWIFT currently requires its users to perform a self-attestation of their implementation of the mandatory security controls for adherence to the SWIFT Customer Security Controls Framework (“CSCF”). Advisory controls are only recommended, but users should remain mindful of them, as SWIFT may make them mandatory in newer versions of the CSCF when the framework is updated each year.
SWIFT originally planned to require all customers to undertake an independent assessment of their adherence to the CSCF in 2020. However, due to COVID-19, SWIFT decided to delay the introduction of the independent assessment requirement until 2021, and has deferred CSCF v2020, allowing companies to perform the 2020 self-attestation using CSCF 2019.
SWIFT released the 2021 CSCF framework in July 2020. Clients may opt to conduct an independent assessment against the 2021 framework this year, which will satisfy requirements for both 2020 and 2021.
Considerations for an independent assessment of CSP
To efficiently adapt to the new requirements of the SWIFT CSP, the following are some suggested considerations for clients:
1. Give your company time to account for any changes in the control environment due to COVID-19
There has been a lot of change in technology in 2020 given the “stay at home” orders associated with COVID-19, which resulted in companies changing the way the workforce accesses systems and infrastructure. You should consider engaging an independent party to assess the readiness of your environment, and allow yourself time to remediate any gaps you become aware of during this process.
2. Consider the external assessor and expertise
SWIFT will require independent assurance over the SWIFT CSP attestation, which becomes mandatory in 2021. This can be done either through an accredited member of an internal function or through formal external assurance. Either way, the bar for proving compliance will continue to rise. When determining who will help carry out this independent assessment, it is important to ensure your assessor has the expertise to determine that you have the right controls in place and can guard against the potential damage of a cyber attack. We recommend an external party with familiarity with SWIFT and your industry, to help you understand how you compare to your peers and gain additional insight into best practices in this space.
3. Changes in the future
Be ready for change. Each year, SWIFT expands and clarifies the requirements as part of the annual assessment. Ensure you remain abreast of new requirements and confirm your organization has the industry expertise to help you quickly adapt to these evolving requirements. To ensure you are thinking strategically, start looking at the advisory controls (some of which will become mandatory in the following year, as described in the SWIFT CSP) so that you can address any known issues prior to the next assessment deadline.
Next steps toward meeting the SWIFT 2020 and 2021 CSP requirements
- Assess your SWIFT BIC code footprint and determine your 2020 and 2021 obligations for independent reporting, and whether your organization is prepared to perform an independent assessment in 2020 or wait until 2021.
- Analyze and select your independent assessment team, considering synergy with existing controls reporting obligations for an efficient approach.
- Plan for the independent assessment, considering a preliminary assessment to enable success in advance of the 2021 requirements.
To be successful, organizations should take a thoughtful approach, requiring collaboration and strong leadership across the organization, as well as a constant focus on improving cybersecurity controls to meet new requirements.