The financial sector continues to be a prime target for highly sophisticated, customized cyber-attacks. The Society for Worldwide Interbank Financial Telecommunications (SWIFT) interbank messaging network has recently been under attack resulting in millions of dollars in losses for member financial institutions. In response, SWIFT has introduced a Customer Security Program (CSP) that all its member organizations who use the interbank messaging network must comply with by implementing SWIFT’s Customer Security Controls Framework (CSCF) and report their compliance to SWIFT on an annual basis. SWIFT is introducing this program with the aim of improving information sharing between members, enhance SWIFT-related tools and provide the community with a standardized assurance framework.

What is the SWIFT Customer Security Program?

The SWIFT CSP requires each organization to define, document, implement and attest that their SWIFT environment is compliant with SWIFT’s CSCF Objectives, Principles and Controls as listed in the table below.

The SWIFT CSCF includes mandatory and advisory security controls for SWIFT users. As a response to a constantly changing cybersecurity threat landscape, SWIFT security controls will be regularly reviewed and updated, promoting current advisory controls as mandatory and introducing new security controls as advisory at first. The number of controls that a SWIFT member organization must follow depends on the architecture of the implemented SWIFT organization’s environment.

SWIFT compliance requirements

Since 2021 SWIFT requires its members to attest their compliance with CSCF by independent assessments either by internal resources or by an external independent auditor. What matters is that sufficient evidence is collected and reviewed by an independent party. An internal assessment can be carried out by second or third line (risk management or internal audit) of risk defense of the organization. However, an external assessment can provide clear independence in a SWIFT compliance assessment and deliver confidence to internal and external stakeholders.

All SWIFT members must attest their compliance with at least CSCF mandatory controls by 31 of December every year.

Our offering and tools

KPMG can help to assess the design and implementation of controls the organization has applied in their local SWIFT environment following the SWIFT CSCF. We will help to point out possible improvement areas and suggest actions to improve the security of the organization’s local SWIFT environment to achieve compliance with SWFIT’s controls requirements.

KPMG SWIFT CSCF assessment

The KPMG SWIFT CSCF engagement starts with a meeting to understand the customer’s business so we can develop a detailed plan for the assessment. During the planning phase the scope and limitations of the engagement are defined, key contacts identified, and key deadlines agreed. The planning phase takes around two weeks. After the completion of the planning activities, the assessment fieldwork starts.

The fieldwork includes interviews with key contacts and business representatives, review of documentation, onsite physical security and configuration reviews. The fieldwork takes about three to five days depending on the architecture of the organization’s SWIFT environment.

Success of the fieldwork phase is dependent on the availability and co-operation of the customers employees. Most of the fieldwork activities can be carried out via remote interviews and some testing such as physical security reviews must be performed on-site.

After fieldwork a SWIFT CSCF assessment report with assessment results is written. The reporting phase takes two weeks during which KPMG performs required quality assurance activities and provides progress updates to the customer.

Deliverables

The key deliverable of SWIFT CSCF assessment is the assessment report provided in accordance with the SWIFT CSCF reporting template and an independent assessment completion letter. The CSCF report includes the description of the design and implementation of controls applied within the local SWIFT environment as well as the level of compliance with CSCF requirements. Where relevant, areas of improvement with suggestions to increase the level of security for the local SWIFT environment will be included.

To ensure that the required assessment is carried out before the year end, it is recommended to perform the independent SWIFT CSCF assessment in Q3 or Q4. This leaves sufficient time to remediate any identified nonconformities and perform required follow-up activities before the end of current year attestation timeframe.

Võta meiega ühendust