This article describes the SWIFT customer security controls, what drives them and ways to implement them.
This year the financial community is required to build and continuously improve the security defenses. SWIFT introduced the Customer Security Controls Framework (CSCF), which is part of the broader Customer Security Program (CSP). CSP is there to help the community increase own cyber defenses by implementing SWIFT security requirements. By the end of this year (2018), all SWIFT members are obliged to attest their compliance to SWIFT on the status of the 16 mandatory controls and 11 advisory (optional) controls. Important to note, that as of 2019 the framework is expanding to the 19 mandatory and 10 advisory controls. The attestation information is consolidated in the SWIFT KYC (Know Your Customer) portal where, on request, the attestation information can be accessed by counterparties. Attestation to the mandatory controls is monitored by SWIFT and non-compliance can be reported to the regulator and possibly to counterparties.
Less than six months are left to implement the minimum security requirements, which are the sixteen (16) mandatory controls. After that all SWIFT users must maintain and improve the required cyber defenses in order to protect their own SWIFT payment infrastructure from cyber threats.
Cyber incidents in the SWIFT payment infrastructure can have a wide impact on an organization. This impact is not only limited to the treasury environment, but can also affect the financial statements, share prices, reputation, cash flow, and the business well-being. By putting the effective cyber security measures in place, your organization avoids penalties, protects its reputation, and reinforces the security of the global banking eco-system. This is the same eco-system, which is continuously being put through the test. There are examples today of successful cyber-attacks, where the financial assets are stolen and transported via the SWIFT network. The latest example (link) of a successful attack took place in August 2018, where an adversary transferred 139 million rupees (€1,6 million) to foreign bank account. This hack is not the only example. Incidents such as these happen regularly and the adversaries are becoming smarter and more sophisticated. To ignore such threats means running the risk of losing the crown jewels entrusted by the customers.
The most important goal of the SWIFT CSP is to mitigate the cyber threats targeting financial community. It is essential to give priority and allocate resources to implement measures mitigating such risks. SWIFT reserves the right to report the mandatory controls non-compliance to the central authority (central bank), which may impose penalties, and also to counterparties with whom messages are exchanged.
There are three ways to comply with the SWIFT requirements: self-assessment, internal audit or external audit. The audit, whether internal or external, can either be of advisory nature or take the formal assurance approach. To fulfil the requirements, any of the three options are sufficient. However, the independence, depth and reliability of the attestation data is different for each type. Self-attestation may raise questions, from new and from existing counterparties, requesting more information that support the attestation status. The internal audit approach should support the attestation by sufficient evidence, however the results can still be questioned because internal audit belongs to the same attesting organization. The third option is external audit, which offers the most independent assessment of the controls. KPMG has the experience and capability with delivering all three types of assessments including the capability to issue the independent International Standard on Assurance Engagements (ISAE) assurance report.
KPMG has a focus team dedicated to helping the financial community meet SWIFT requirements. Based on experience there are a number of trends that are apparent. The first trend is that the majority of SWIFT responsible persons try to implement the controls on their own without having sufficient expertise in this area. The second trend is that organizations implement a stand-alone security framework that serves only one purpose - to meet SWIFT security requirements. The third trend relates to growing number of SWIFT-members requesting KYC security attestation from their counterparts. The KYC security attestation is becoming part of the business process, the financial institutions are being very cautious when exploring new opportunities and dealing with new and existing counterparties. To win their trust it is necessary to provide reliable evidence of being in control of the associated cyber risks.
KPMG sees the requirements laid out in the SWIFT Customer Security Controls Framework as being an addition to the existing security control framework. By sharing this vision, KPMG helps customer enrich and improve their current control frameworks to accommodate SWIFT requirements as well as other regulatory requirements. In other words, one framework to answer multiple regulatory and compliance requirements.