SWIFT customers – Independent assessments required

14 December, 2020

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) launched their Customer Security Programme (CSP) in 2016, which set benchmark security practices critical to defending against, detecting and recovering from cybercrime. This was in response to a number of instances of payment fraud related to the SWIFT systems.

While SWIFT customers are individually responsible for the security of their own environments, the security of the industry as a whole is a shared responsibility and SWIFT is committed to playing an important role in reinforcing and safeguarding the security of the wider ecosystem. The CSP has identified 21 mandatory and 10 optional security controls which support the fight against cyberattacks, for all its 11,000 customers worldwide.


As of 2020, SWIFT has published an Independent Assessment Framework (IAF) to support its customers and their independent assessors in carrying out their responsibilities as part of the CSP. This means that, from 2021, all SWIFT users will be required to undergo this "independent assessment" of their compliance with the SWIFT Customer Security Controls Framework (CSCF) in order to support their annual self-attestation.

Originally, it was intended for these assessments to start in 2020 but SWIFT has pushed this out to 2021 to take account of the pandemic. SWIFT have emphasised the importance of security controls during this period. It makes sense to get prepared for these assessments as December 2021 draws near.

What is expected of you as a SWIFT user organisation?

The following timeline showcases the key milestones of which all SWIFT users should be aware.

Q4 2021

Independent assessment
Customers attest to CSP v2021 and obtain mandatory assurance either through independent, third-party assurance or accredited second or third line.

Q4 2020

Fourth attestation
In light of COVID-19, SWIFT allows customers to attest against CSP 2019 in 2020.

Q4 2019

Third attestation
Third annual attestation required with higher scrutiny, inspections and enforcement for attestation.

2019

Result sharing
Regulators are notified of customers who are non-compliant with mandatory controls and those who did not attest.

Q4 2018

Second attestation
Second annual attestation required with higher scrutiny, inspections and enforcement for attestation.

Q2 2018

Customer remediation
SWIFT customers work to remediate areas of non-compliance identified in their attestation. CSP v2 published in Q3 2018. Attestation on the new framework required for 2019.

Q4 2017

Self-attestation
SWIFT required detailed self-attestation from customers.

Q2 2017

Control descriptions published (CSP)


SWIFT customer security programme FAQs

What is the SWIFT CSP?

SWIFT customer security programme (CSP) aims to improve information sharing throughout the community, enhance SWIFT-related tools for their customers and provide a customer security control framework. The programme also shares best practices for fraud detection and seeks to enhance support by third party providers.

When is the deadline for SWIFT CSP compliance?

SWIFT users are required to submit a self-attestation on an annual basis by 31 December. In 2021, all SWIFT users are required to undergo an "independent assessment" in support of their annual self-attestation. This deadline was originally December 2020 but pushed out to 2021 to take account of the impact of the COVID-19 pandemic.

COVID-19 impact on deadline

Given the global COVID-19 situation SWIFT has published updated guidelines regarding changes to the CSP self-attestation and independent assessment requirements for 2020. SWIFT has announced that in 2020, members can self-attest against the 2019 version of the SWIFT CSP and can optionally support the self-attestation with an independent assessment. In 2021, independent assessment will be a mandatory requirement and customers will be required to attest against the 2021 version of the CSP framework.

Given the increased cyber-risks related to remote working which became widespread during COVID-19 for most operations of financial institutions, including critical processes such as SWIFT payments, it is now even more important to ensure compliance with the mandatory controls of the CSP framework. Despite the changes announced by SWIFT in 2020 in light of COVID-19, SWIFT still expects the members to comply with the 2019 set of mandatory controls and reiterates the importance of securing their SWIFT environment at all times.

What form does the SWIFT required independent assessment need to take?

There are two forms in which a SWIFT customer can gain an independent assessment:

  • Internal assessment carried out by the company's second or third line of defence, such as the user's internal compliance, internal risk or internal audit departments (independent from the first line of defence function submitting the attestation); or
  • External assessment carried out by an independent external organisation with cybersecurity assessment experience and individual assessors who hold relevant security industry certification.

What are the 21 SWIFT CSP mandatory controls?

The 21 mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their local SWIFT infrastructure. These controls focus on securing customer environments, knowing and limiting access, and detecting and responding to incidents.

Additionally, SWIFT has chosen to prioritise these mandatory controls to set a realistic goal for near-term, tangible security gain and risk reduction. Advisory controls are based on good practice that SWIFT recommends users to implement. Over time, mandatory controls may change due to the evolving threat landscape, and some advisory controls may become mandatory.

The controls have been developed based on SWIFT's analysis of cyberthreat intelligence and in conjunction with industry experts and user feedback. The control definitions are also intended to be in line with existing information security industry standards.

What happens if you attest non-compliance?

SWIFT reports all cases of non-compliance, along with instances where members have not attested at all, to local regulators. In addition, SWIFT will select a sample of attestations for validation each year.

What happens if I suspect my organisation has been targeted or breached?

It is vital that you share all relevant information and let SWIFT know there is a problem as soon as possible, in order to protect both your infrastructure and other organisations in the network.


The four key actions to take now

Gap analysis

Perform an assessment to determine if controls exist, and if so, the extent thereof to satisfy SWIFT requirements.

Remediation

Develop approaches to remedy any control gaps identified and support implementation where applicable.

Independent assessment

  • Design review of controls and completion of the SWIFT CSP assessment template provided by SWIFT
  • Minimum scope: completion of SWIFT assessment template for mandatory controls
  • Maximum scope: report to management listing any issues and our recommendations covering both mandatory and advisory controls

Independent validation or QA

  • Review of work you have performed
  • Conduct a QA review of your organisation's CSP assessment performed by, for example, your internal audit function

We are here to help you

We can tailor our approach depending on your requirements. Based on your maturity, you can select one, or a combination, of the four actions above. We will provide insight relevant to your industry and the Irish market segment, as well as a balanced view on how to prioritise any associated actions.

Cohesive team who understand SWIFT

We have a comprehensive understanding of SWIFT through our extensive history in performing SWIFT reviews.

Proven CSP experience through our network

We have performed numerous SWIFT CSP assessment engagements across multiple territories and industries.

Technical expertise and knowledge

Our team brings distinctive skills and subject matter expertise in the area of cybersecurity, offering you technical excellence, industry insight and an objective perspective.

Adapting to your requirements

PwC will leverage in-house subject matter experts and our extensive SWIFT CSP experience to ensure that your needs are met ahead of SWIFT's required independent assessment in 2021.

Contact us

Richard Day

Partner, PwC Ireland (Republic of)

Tel: +353 1 792 8573

Khanya Madaza

Director, PwC Ireland (Republic of)

Tel: +353 1 792 6384

Leonard McAuliffe

Director, PwC Ireland (Republic of)

Tel: +353 1 792 8632

Maxim Mitkov

Senior Manager, PwC Ireland (Republic of)

Tel: +353 1 792 8206
