SWIFT announces updates to the Customer Security Controls Framework for attestation in 2019.
The growing threat of cyber attacks has never been more pressing. Recent instances of payment fraud in banks' local environments demonstrate the necessity for industry-wide collaboration to fight against these threats. Cyber attacks on the financial community are becoming increasingly sophisticated. The persistence of such threats underlines the importance of remaining vigilant and proactive over the long term. While customers remain responsible for protecting their own environments and their access to SWIFT, the Customer Security Programme (CSP) has been introduced to support customers in the fight against cyber fraud.
SWIFT has established the Customer Security Programme (CSP) to support customers in the fight against cyber attacks. The CSP is articulated around three mutually reinforcing areas: banks first need to protect and secure their local environment; they must then prevent and detect fraud in their commercial relationships; and they must continuously share information and prepare to defend against future cyber threats.
The growing number of cyber attacks, including those on local SWIFT infrastructures, has prompted SWIFT to promote some advisory controls to mandatory controls so that SWIFT participants are better placed to fight cyber threats.
SWIFT has recently released a new version of the Customer Security Controls Framework (CSCF), which adds guidance to the implementation guidelines and changes some of the existing controls. The previous set of security controls, 16 mandatory and 11 advisory, set a security baseline for all SWIFT users; the new CSCF is composed of 19 mandatory and ten advisory controls. Three advisory controls, 2.6A, 2.7A and 5.4A, have been promoted to mandatory, and two new advisory controls have been introduced to address virtualisation platform protection and SWIFT-related application hardening.
Additional guidance has been added to some controls, such as 2.4A Back-office Data Flow Security, 4.1 Password Policy, 5.2 Token Management and 7.3A Penetration Testing.
Below is a critical timeline that you should be aware of:
Organizations should examine and investigate their current environment, beyond traditional security-log analysis, to determine whether they have already been attacked, or at least targeted, by this threat actor.
If your organization fails to comply with these new requirements, SWIFT can report this to your local supervisory authority. Failure to submit a self-attestation, or late submission, will be reported, and non-compliance with the mandatory controls will be reported as well. Where there is no direct local supervisory authority for your organization, SWIFT will instead report non-compliance to your counterparties. It is therefore crucial to perform the self-assessment as quickly as possible, and to submit your self-attestation, or confirmation of an independent inspection of compliance, every year.
The new CSCF can already be consulted, but it will only become effective in the KYC-SA, the online repository for customer attestations, in July 2019. All SWIFT users must attest against the mandatory controls of this new version by the end of 2019.
Senior Information Security Engineer, EastNets
CSP Project Manager