SWIFT Customer Security Programme (CSP) Overview
The customer Security Programme (CSP) was founded in 2017 in response to the increased level of cyber-attacks on the financial sector. Although customers are responsible for protecting their own environments and SWIFT access,
the Customer Security Programme (CSP) has been introduced to assist customers and drive industry-wide collaboration in the fight against cyberattacks and fraud.
The CSP established the Customer Security Controls Framework (CSCF), a common set of security controls designed to assist customers in securing their local environments and fostering a more secure financial ecosystem.
SWIFT Customer Security Controls Framework (CSCF)
The SWIFT Customer Security Controls Framework (CSCF) consists of both mandatory and advisory security controls for SWIFT members.
Mandatory security controls establish a security baseline for all members on their local SWIFT infrastructure. Advisory controls are based on good practices that SWIFT recommends its members implement. And because of the evolving threat landscape, mandatory controls may change over time, and some advisory controls may become mandatory.
The controls were developed using SWIFT’s analysis of cyber threat intelligence, as well as feedback from industry experts and members. Their definitions are also intended to be consistent with existing industry standards in the information security industry.
All controls are structured around three broad objectives:
- secure your environment,
- know and limit access, and
- detect and respond.
And these three overall objectives are backed up by eight security principles. Within each objective, the associated principles go over the most important focus areas as you can see in table 1.
Objectives | Principles | Controls |
1. Secure your Environment | Restrict internal access | The 31 security controls (22 mandatory and 9 advisory controls) underpin these objectives and principles.
The controls help to mitigate specific cybersecurity risks that SWIFT members face due to the cyber threat landscape. |
Protect critical systems from the general IT environment | ||
Reduce attack surface and vulnerabilities | ||
Physically secure the environment | ||
2. Know and Limit Access | Prevent compromise of credentials | |
Manage identities and segregate privileges | ||
3. Detect and Respond | Detect anomalous activity in systems or transactions records | |
Plan for incident response and information sharing |
Table 1 Framework Objectives and Principles
To determine which components are in scope and thus which controls are applied to them, each member must identify which of the five reference architecture types most closely matches their own architecture deployment. Depending on the architecture, some security controls may or may not be applicable.
To make sure that members are compliant, SWIFT has created a process that requires its members to attest to compliance with the mandatory and optionally advisory security controls. Members must fill out an attestation form and submit it to the KYC Security Attestation application (KYC-SA) before the end of each year, as specified in the CSCF in effect at the time.
The impact of the SWIFT CSP 2021 release
SWIFT CSCF v2021 was released in July 2020, according to the CSP Policy, SWIFT members must attest to their level of compliance with the mandatory controls applicable to their architecture type (A1, A2, A3, A4, or B), as specified in the CSCF by the end of 2021.
Changes have been kept to a minimum in comparison to CSCF v2020 in order to provide the SWIFT community sufficient time to completely implement controls, according to the CSCF v2021 guidance.
The following are the major changes in CSCF version 2021.
- 1 advisory control “Internet Access Restriction” has been promoted to mandatory.
- To accommodate the non-SWIFT footprint, a new architecture type called A4 was introduced.
- 2 Multi-factor Authentication (MFA) has been expanded to also be required when accessing a SWIFT-related service or application provided by a third party.
- Re-introduce independent assessment.
Table 2 presents the number of mandatory and advisory controls that are relevant to each architecture type in CSCF 2021.
Architecture | A1 | A2 | A3 | A4 | B |
Mandatory | 22 | 22 | 21 | 17 | 14 |
Advisory | 9 | 9 | 9 | 9 | 8 |
Total | 31 | 31 | 30 | 26 | 22 |
Table 2: Number of controls per type of architecture
Independent Assessment Framework
By the end of December 2021, all members must have completed their first Community-Standard Assessment. SWIFT mandates that all mandatory controls in attestations against CSCF v2021 be independently assessed to further enhance the integrity, consistency, and correctness of attestations, as endorsed by its Board of Overseers.
This must be accomplished by one or both of the following types of assessments:
Independent External Assessment
Performed by a third-party firm with prior cybersecurity assessment experience, as well as individual assessors with relevant security industry qualifications and/or experience.
Independent Internal Assessment
- Performed by a member’s second or third line-of-defense function (such as compliance, risk management, or internal audit) or its functional equivalent (as appropriate), which is separate from the first line-of-defense function that submitted the attestation (such as the CISO office) or its functional equivalent (as appropriate). Those
- Member should have current and relevant expertise evaluating cyber-related security procedures as well as appropriate qualifications.
SWIFT also reserves the right, as outlined in the Customer Security Controls Policy, to seek independent external assurance to verify the accuracy of their self-attestation (CSCP). These are known as “SWIFT-Mandated assessments.”
References
- https://www.swift.com/about-us/history
- https://www.swift.com/myswift/customer-security-programme-csp/security-controls
- https://www.swift.com/news-events/news/swift-announces-updates-customer-security-controls-framework-attestation-2020
- SWIFT Customer Security Controls Framework v2020 & v2021