The SWIFT Customer Security Program (CSP) defines a set of security controls with which all SWIFT-connected entities must comply. Since 2021, the self-assessment has been replaced by a mandatory independent assessment. As a CSP assessor, BDO shares its experiences and insights into how an effective assessment is performed, the common issues and pitfalls encountered during the assessment, and the weaknesses most frequently identified.
SWIFT Customer Security Program
What is SWIFT?
SWIFT is the leading provider of secure financial messaging services around the globe. The core service remains payment processing, but SWIFT provides other services such as cash management and securities and FX trading. Some figures: the SWIFT network consists of more than 11,000 users in over 200 countries, and more than 10 billion messages were sent over the SWIFT network in 2021. Mainly financial institutions, but also other businesses, are connected to the SWIFT network. They connect either directly via their own SWIFT infrastructure or via a Service Bureau. These SWIFT customers directly pose a risk to the network, since they could be potential weak links. Security risks often arise upstream of the SWIFT network. If a corrupted file is entered upstream, the fraudulent payment could be carried out over the SWIFT network by the ban
SWIFT’s goal: Reinforcing the security of the global banking system
One of SWIFT’s primary objectives is safeguarding the confidentiality, integrity and availability of the network and its messages. The financial sector is facing a constantly evolving threat landscape, to which SWIFT responds through continuous monitoring of the network and improvement of existing security measures. However, a disruption on the network could result not only from an attack on SWIFT, but also from an attack on one of its customers. As a result, SWIFT was compelled to act and created the Customer Security Program.
The SWIFT Customer Security Program
The CSP is an initiative to raise the bar on cybersecurity hygiene for SWIFT customers, helping to ensure that defences against cyberattacks are up to date and effective, thereby reducing the risk of successful cyberattacks. The CSP is oriented towards three parties: you, your community and your counterparts. Every organization using the SWIFT network has to attest its level of compliance with the Customer Security Controls Framework (CSCF). Community awareness should further encourage every actor to take on their responsibilities and implement good information security practices.
On an annual basis, SWIFT revisits the CSCF and publishes the updated framework on July 1st. Attestation against the CSCF is to be done between July 1st and December 31st of the year following publication. The CSCF is based on a set of industry-recognized cybersecurity standards: NIST, ISO 27001 and PCI DSS. In total, there are 32 security controls (24 mandatory and 8 advisory/optional), organized around 7 security themes. The way your organization interacts with SWIFT determines which of the controls you must comply with.
What happens in cases of non-compliance with the SWIFT CSP?
SWIFT reserves the right to report member organizations that have not attested compliance both to the supervisory/regulatory entities and to the entities with which the non-compliant member is transacting. As such, non-compliance can result in hefty regulatory fines as well as loss of business.