Digesting SWIFT’s 2020 Customer Security Programme (CSP) and COVID Guidance – and What the Changes Mean to Your Organization

Andrew Retrum, Managing Director Security and Privacy

In response to the current business climate produced by the COVID-19 pandemic, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) recently issued guidance to ease the strain on customers as they work to implement its updated Customer Security Programme (CSP) and Customer Security Controls Framework (CSCF). With a network that links more than 11,000 financial institutions in more than 200 countries around the globe, SWIFT serves as a secure, standardized environment for firms to send and receive information about financial transactions.

A network of this size is not immune to cyber threats, particularly in the current environment, where financial institutions are experiencing a significant uptick in cyberattacks. As a result, SWIFT is taking proactive measures on several fronts to ensure the continued security of its network and customers’ information. For example, the CSCF, a central pillar of the CSP, is updated annually to stay relevant and provide customers a more holistic security approach. With each passing year, the framework becomes more robust – additional controls are promoted from advisory (optional) to mandatory, and new control requirements are added as needed. The program, not just the controls, continues to evolve along with the assurance requirements (or attestations) that help customers demonstrate to SWIFT and fellow SWIFT customers that they are effectively managing cyber security.

In the recent guidance, the following updates were made to the CSCF:

  • Attestation update:  For 2020, customers must re-attest to the 19 mandatory controls that are part of the 2019 version of the CSCF. Two additional mandatory controls have been added for 2020, and SWIFT recommends that customers implement these now, although the attestation process for 2020 controls will be combined with 2021 updates and be required in calendar year 2021.
  • Assessment methodologies: For 2020, customers will be allowed to perform a self-assessment. An independent or third-party assessment will not be required for the 2020 calendar year attestation.

Designed to support organizations during the pandemic, the changes would allow customers greater time and flexibility to choose an approach that is most suitable to them and supports their attestation requirements. Given these changes, organizations should strive to independently assess their environment and compliance with version 2020 of the CSCF before the end of the year, regardless of the revised timeline. Organizations that are already compliant with version 2020 of the CSCF will have fewer additional controls, if any, to implement in 2021 ahead of that year’s attestation.

SWIFT’s CSP, which is designed to support customers in their fight against cyberattacks, continues to be strengthened with numerous mandatory security controls. Below are some of the key takeaways from the 2020 version of the CSP.

New Assessment Methodology

The latest CSP removes the user-initiated assessment from the assessment types and now requires the use of a community-standard assessment for all users. As part of this change, all attestations submitted from 2021 onward must be independently assessed. This independent assessment relies on assessing the design and implementation of the controls and must be performed through either:

  • External assessment: Performed by an independent organization with cybersecurity assessment experience as well as individual assessors who have relevant security certifications.
  • Internal assessment: Performed by a user’s second or third line of defense function or the company’s functional equivalent. These functions include risk management, compliance and internal audit and must be independent from the first line of defense function that ultimately submits the attestation (e.g., the CISO office or other information security role). It is also imperative that the internal assessors have recent and relevant cybersecurity experience, specifically in assessing cybersecurity controls.

A key part of the community-standard assessment is the requirement that organizations re-assess their environment each year in which changes are made to the SWIFT infrastructure, whether by updates to the infrastructure or a newly published CSCF. In the event that a user’s architecture, control configuration and implementation methods do not change and no material changes are required due to an updated CSCF, an organization can rely on the same assessment for up to two attestation cycles. Organizations are required to confirm with the assessor that provided the assessment that they agree with the assessment being reused.

Updated Controls Framework

The 2020 version of the CSP introduced a number of changes to the controls designed to drive the maturing of the framework, adapt to the evolving threat landscape and ensure it adequately protects SWIFT members. As part of the changes, two advisory controls have been promoted to mandatory controls, two new advisory controls have been added to the CSP and one control now has an extended scope.

What If Organizations Do Not Comply

To ensure the safety of all members and its network, SWIFT has made available to all counterparties a list of all non-compliant users. There is also the Know Your Customer – Security Attestation (KYC-SA) application provided by SWIFT that allows organizations to exchange security status information with their counterparties. Finally, SWIFT reserves the right to report non-compliance to local supervisory bodies (e.g., the Hong Kong Monetary Association and the U.S. Securities and Exchange Commission). Any mandatory controls not in place will also be reported.

Key Questions Organizations Should be Asking:

The cybersecurity threat landscape is ever-changing and requires constant improvement to thwart potential adversaries from causing material damage to businesses. As organizations digest the latest version of the CSP, these questions should be considered:

  • Has my organization executed an independent controls assessment of our SWIFT environment, according to the latest SWIFT CSP (version 2020)?
  • Do we have mechanisms in place to allow annual review of our environment and comparison to the latest SWIFT CSP changes?
  • Have we leveraged the KYC-SA application to understand what risks our counterparties pose to our own financial institution?
  • Do we have a consistent and repeatable process in place for conducting community-standard assessments and ensuring adequate yearly attestation?
  • Is my organization prepared to respond in the event of a major cybersecurity-related event?

Add comment