A series of high-profile cyber-attacks. A change in the sophistication of attackers. These events led SWIFT to move beyond the security of their already well-defended products and networks to the security of their members’ systems - the target of the attacks.
SWIFT developed their Customer Security Programme (CSP) in response to the 2016 cyber-attack on the SWIFT systems of the Bank of Bangladesh, in which millions of dollars were stolen, and subsequent attacks on other banks and corporations. They realized the need to help SWIFT members keep their SWIFT infrastructure secure, and to ensure that SWIFT could maintain its industry-leading position of trust as one of the primary financial messaging services in the world. The goal of the CSP is to strengthen the cyber security posture of the SWIFT payment network by increasing the cyber maturity of its members. The SWIFT CSP is built around three pillars: (1) securing your local environment, (2) preventing and detecting fraud in your commercial relationships, and (3) continuously sharing information and preparing to defend against future cyber threats.
As part of the CSP, SWIFT developed the Customer Security Controls Framework (CSCF) – a set of control guidelines for SWIFT members on how to securely operate their SWIFT environment. They also introduced the requirement for companies to attest to their level of compliance with this framework. This attestation acts as an indicator to SWIFT, the member, their regulators and counterparties of the security posture of the member.
Nevertheless, compliance is not the only goal. Putting the SWIFT CSCF controls in place not only enhances the security posture of an organization; it also serves as a way to demonstrate that maturity to third parties. Counterparties and regulators, encouraged by SWIFT, are increasingly using SWIFT CSCF compliance to enhance their evaluation of third-party cyber risk, potentially replacing or reducing costly audit activities.
The SWIFT CSCF is evolving over time. SWIFT adapts the framework to the changing threats as well as to the maturity of their membership. What does this mean for SWIFT members? This means that SWIFT CSCF compliance is not simply a project that you run once or twice a year. It’s a framework that you need to integrate into the security governance and processes of your organization. The 2020 version of the framework promotes two advisory controls to mandatory, introduces two new advisory controls, and expands the scope of one existing advisory control.
The two advisory controls being promoted to mandatory are controls 1.3 Virtualization Platform Protection and 2.10 Application Hardening. They aim to protect and reduce potential vulnerabilities on virtualization platforms that support the SWIFT environment, and harden the applications that provide SWIFT services.
The newly introduced advisory controls are controls 1.4A and 2.11A. Respectively, they aim to provide guidance on restricting internet access to and from SWIFT systems, and protecting the Relationship Management Application (RMA) business control, which determines which entities can exchange messages with the member.
Finally, the scope of control 2.4A Back Office Data Flow Security has been expanded to include middleware and MQ servers. The purpose of this control is to protect the back-office systems and messaging systems that create the SWIFT messages. These back-office and upstream messaging systems are now becoming the focus of attackers.
Further to the changes above, you will notice a clear trend in the evolution of the SWIFT CSCF: expanding the scope to the technologies that support the payment infrastructure, and strengthening the requirements for components already in scope, all to keep pace with the changing threats.
Organizations generally respond to this evolving framework in one of two ways. The first option is to integrate the SWIFT CSCF into the governance of your organization, making the processes standardized and, where appropriate, part of normal operations, thereby reducing the overhead of implementing the controls. The second option is to design or alter systems to limit the impact of the SWIFT requirements. This second option is one we see many organizations choosing. Organizations seeking to reduce the impact of compliance are also changing the way they use the SWIFT service to reduce their SWIFT footprint, and structuring their networks and systems to limit where the controls need to be applied.
Another change SWIFT introduced through the update is that self-assessment is no longer an option for attestation. From June 2020, SWIFT members are required to have an independent assessment of the attestation status of their organization. The type of assessment can either be a review or an audit. These can be provided internally or externally, as long as sufficient evidence and independence can be demonstrated. Internal assessments can be conducted by risk management or internal audit functions – these can be supplemented with expert resources from companies such as KPMG. External assessments can provide clear independence in the assessment, and also provide additional confidence to both internal and external stakeholders.
KPMG has the experience and the expertise to deliver both types of assessment, including the competence to issue an independent International Standard on Assurance Engagements (ISAE) assurance report. We provide attestation support across the globe, with Belgium acting as a global hub. In addition to the assessment offering, KPMG has a number of services that can assist with the implementation of the SWIFT CSCF. These range from integrating the CSCF controls into your existing risk, governance and IT processes, to performing gap assessments, through to technical transformation of key systems, security, and network controls. Areas covered include Identity and Access Management, Privileged Access Management, network and system architecture, Security Operations and cloud transformation.
KPMG can help you understand your position today, with a view to reaching your security goals of tomorrow. Get in touch using the details below if you would like to know more.