The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is the world’s leading provider of secure financial messaging services and is headquartered in Belgium.
SWIFT’s international governance and oversight ensure the neutral, global nature of its cooperative structure. SWIFT operates a global office network with a presence in all major financial centers.
What is SWIFT’s Customer Security Program (CSP)?
SWIFT’s Customer Security Program (CSP) was established to enhance cybersecurity within the SWIFT user community and lead collaborative efforts across the financial industry in addressing evolving cyber threats.
The CSP helps financial institutions ensure their defenses against cyberattacks remain current and robust, safeguarding the integrity of the global financial network.
A key component of the CSP is the SWIFT Customer Security Controls Framework (CSCF), which consists of both mandatory and advisory security controls for users. The framework helps protect not only individual institutions’ networks but also the SWIFT community as a whole.
Who are SWIFT users?
SWIFT users include a variety of financial institutions and organizations involved in the financial industry, such as:
- Supervised Financial Institutions: Banks, investment firms, insurance companies, and other regulated financial entities.
- Non-Supervised Entities: Organizations active in the financial sector but not necessarily under the same regulatory supervision.
- Closed User Groups (CUGs) and Corporate Entities, including:
  - Corporates
  - Financial Market Regulators
  - Payment System Participants
  - Securities Market Data Providers
  - Securities Market Infrastructure System Participants
  - Service Participants within Member-Administered Closed User Groups
  - Treasury Counterparties
Are SWIFT users required to have an assessment of SWIFT CSCF compliance?
Yes, SWIFT mandates that, at a minimum, all mandatory controls outlined in the SWIFT Customer Security Controls Framework (CSCF) must be independently assessed. This assessment must be conducted within the official attestation window, which typically runs from early July to December 31 of each year.
What is the mandatory framework in Kuwait governing SWIFT CSCF compliance?
According to the Cybersecurity Framework for the Kuwaiti Banking Sector, Control No. 4.5.2, item (d), the Central Bank of Kuwait requires regulated entities to comply with the latest versions of applicable best practices and standards, such as the SWIFT CSCF. This ensures that local financial institutions meet the global cybersecurity standards set by SWIFT.
What is the latest version of the SWIFT CSCF, and what changes have been introduced?
The latest version of the SWIFT Customer Security Controls Framework (CSCF) is v2024, released in July 2023. This version introduces several updates aimed at enhancing the security of SWIFT users:
- New Mandatory Control 2.8: Outsourced Critical Activity Protection: This control emphasizes the importance of managing risks associated with third-party and service providers. It requires organizations to implement measures to protect outsourced critical activities, reflecting the growing focus on third-party risk management.
- Focus on Back Office Data Flow Security (Control 2.4A): While not yet mandatory, SWIFT has highlighted the significance of securing data exchanges with back-office applications. Organizations are encouraged to prepare for the future implementation of this control, which aims to address risks related to the confidentiality and integrity of sensitive data.
- Clarifications and Enhancements to Existing Controls: Several controls have been updated for improved clarity and usability. For instance, Control 2.3 (System Hardening) now includes USB port protection policies and application whitelisting improvements. Control 2.9 (Transaction Business Controls) has been adjusted to allow business controls to be performed outside the secure zone.
- Integration with Swiss Interbank Clearing (SIC): The assessment process can now be combined with the review of the Swiss Interbank Clearing network, enabling organizations to leverage synergies and ensure both networks meet high-security standards.
What are the principles of the SWIFT CSCF?
The SWIFT Customer Security Controls Framework (CSCF) contains eight principles designed to guide institutions in strengthening their cybersecurity defenses. These principles are:
- Restrict Internet Access
- Segregate Critical Systems from the General IT Environment
- Reduce Attack Surface and Vulnerabilities
- Physically Secure the Environment
- Prevent Compromise of Credentials
- Manage Identities and Segregate Privileges
- Detect Anomalous Activity in Systems or Transaction Records
- Plan for Incident Response and Information Sharing
What is the deadline for achieving SWIFT CSP compliance?
SWIFT customers must submit their annual attestation by December 31 each year. This attestation confirms that the institution has met all relevant compliance requirements outlined in the SWIFT CSP.
What is the scope and timing for the SWIFT CSCF assessment?
The scope of the SWIFT CSCF assessment must cover all mandatory controls for the applicable year and architecture type. The timing for the attestation submission is from early July until the year-end deadline of December 31.
What is the added value to business entities from SWIFT CSCF compliance?
Achieving compliance with the SWIFT Customer Security Controls Framework (CSCF) provides several key benefits for business entities:
- Regulatory Compliance: Ensure compliance with SWIFT’s cybersecurity standards and relevant local regulations.
- Enhanced Stakeholder Confidence: Improve trust in the reliability and security of the financial institution’s technology infrastructure.
- Risk Management: Proactively identify and manage cybersecurity risks within SWIFT-connected systems, ensuring business continuity.
Why Baker Tilly?
Baker Tilly Kuwait stands out due to its specialized experience in cybersecurity and SWIFT compliance. The firm offers several key advantages to its clients:
- Global Expertise with Local Presence: A global consulting firm with a strong local presence in Kuwait, offering access to a network of over 250 cybersecurity experts worldwide.
- State-of-the-Art Tools: Baker Tilly Kuwait uses world-class laboratories and the latest tools for vulnerability assessments and to detect cyberattack risks.
- Up-to-Date Cybersecurity Knowledge: The firm maintains updated databases of emerging cyberattack methods and tools to mitigate those threats.
- Bilingual Team: The team provides services in both Arabic and English, ensuring seamless communication with local and international clients.