This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of trust and transparency and aims to answer the questions that are important to your business. Read more to learn how SWIFT’s Customer Security Programme can help your organization meet stakeholder needs.
The growing threat of cyber attacks continues to rise and, for most companies, the reality is there will be a breach at some point that they will need to respond to.
While companies are responsible for protecting their own technology environments, SWIFT (Society for Worldwide Interbank Financial Telecommunication) has established the Customer Security Programme (“CSP”) to support customers in the fight against cyber-attacks. SWIFT’s CSP aims to prevent fraudulent activity through a set of mandatory security controls, community-wide information sharing initiatives and enhanced security features on their payments infrastructure. SWIFT currently requires their users to perform a self attestation of their implementation of the mandatory security controls for adherence to the SWIFT Customer Security Controls Framework (“CSCF”). Advisory controls are only recommended, but remain important for users to be mindful of as SWIFT may require them in newer versions of the CSCF as annual updates to the framework are performed.
SWIFT originally planned to require all customers to undertake an independent assessment of their adherence to the CSCF in 2020. However, due to COVID-19, SWIFT decided to delay the introduction of the independent assessment requirement until 2021, and has deferred CSCF v2020, allowing companies to perform the 2020 self-attestation using CSCF 2019.
SWIFT released the 2021 CSCF framework in July 2020. Clients may opt to conduct an independent assessment against the 2021 framework this year, which will satisfy requirements for both 2020 and 2021.
To efficiently adapt to the new requirements of the SWIFT CSP, the following are some suggested considerations for clients:
1. Give your company time to account for any changes in the control environment due to COVID-19
There has been a lot of change with technology in 2020 given the “stay at home” orders associated with COVID-19, which resulted in companies changing the way the workforce is accessing systems and infrastructure. You should consider engaging an independent party to independently assess the readiness of your environment and to allow yourself time to remediate any gaps you may become aware of during this time.
2. Consider the external assessor and expertise
Swift will require independent assurance over the SWIFT CSP attestation, mandatory in 2021. This can be done either through an accredited member of an internal function or through formal external assurance. Either way, the bar for proving compliance will continue to rise. When determining who will help carry out this independent assessment, it is important to ensure your assessor has the expertise to determine you have the right controls in place and can guard against the potential damage of a cyber attack. We recommend an external party, who has familiarity with SWIFT and your industry, to help you understand how you compare to your peers and get additional insight into best practices in this space.
3. Changes in the future
Be ready for change. Each year, SWIFT expands and clarifies the requirements as part of the annual assessment. Ensure you remain abreast of new requirements and confirm your organization has the industry expertise that can help you quickly adapt to these evolving requirements. In order to ensure you are thinking strategically, start looking at the advisory controls (some of which will become mandatory in the following year as described in the SWIFT CSP) so that you can address any known issues prior to the next assessment deadline.
To be successful, organizations should take a thoughtful approach, requiring collaboration and strong leadership across the organization, as well as a constant focus on improving cybersecurity controls to meet new requirements.