SWIFT Customer Security Programme (CSP)
The SWIFT Network offers its users a myriad of services that continue to expand year after year. And, although it is often perceived ‘just’ as a messaging system, most of the world’s money traverses through its systems at some point. This makes SWIFT a clear target for cyber fraud attacks, and, whilst its applications, services, and systems have been designed with top security in mind, it’s not rare to see SWIFT-related incidents (involving millions of dollars each) pop up in the news from time to time.
As an experienced digital forensic investigator, Foregenix has performed several investigations. A common finding point is in end-user implementations being the weakest link. SWIFT users (over 11,000 of them) can avoid these errors with a concerted effort in Cybersecurity.
In the real world, SWIFT processes are typically managed by first-line operators, and it’s still a rare case to find organisations that have dedicated sufficient resources to build strong security around their SWIFT implementations. Some of these systems even escape the scope of action and oversight of their information security officers.
Being aware of these security implementation issues, SWIFT established the Customer Security Programme (“CSP”) back in 2016 to support customers and drive industry-wide collaboration in the fight against cyber fraud; this programme aims to provide a safe path to SWIFT technology deployment and help increase the users’ security posture. As part of its core offering, the SWIFT CSP establishes a common set of security controls known as the Customer Security Controls Framework (CSCF), which consists of both mandatory, and advisory security controls for SWIFT users, covering three objectives:
- Secure your environment
- Know and limit access
- Detect and respond
These controls lay a security baseline for SWIFT customers and support them with better risk management. Applying these controls will raise the security bar for customers on the SWIFT network and provide further support in their efforts to prevent and detect fraudulent use of their local infrastructure. Communication and implementation of these controls will also help to increase security awareness and education in the on-going fight against cyber fraud.
SWIFT CSP plans for 2020 were to require all customers to have an independent assessment of their SWIFT environment against CSCF v2020, but, due to COVID-19 this requirement has since been relaxed until 2021, and customers can still perform self-attestation against CSCF v2019.
Controls previously articulated in CSCF v2020 are rolled into CSCF v2021, and users will need to attest against that framework in the second half of 2021. Independent assessment can be performed either by an accredited member of internal function, or by a third party which specialises in security and understands SWIFT architecture and environments.
How we can help
Foregenix is in a unique position to help organisations secure their SWIFT infrastructure, you can find us in SWIFT’s Directory of CSP Assessment Providers .*
We help organisations develop a solid and successful cybersecurity program and increase their security posture to prevent costly SWIFT-related cyber fraud. We support SWIFT members that wish to undergo a deeper, stricter security inspection to better understand their risk profile and increase the level and efficiency of their cybersecurity controls. For over a decade, we’ve helped organisations navigate their assessment journey, with unrivalled support throughout. Our core objective is to strengthen your cybersecurity position.
We offer a focused, tested, and well-supported path towards compliance in regards to the SWIFT Customer Security Controls Framework. More specifically, our methodology considers the needs and challenges posed by each of SWIFT’s architecture types, and our processes are tailored to suit our clients’ individual requirements. Our cybersecurity experts will review your business’s security strategy and risk assessment methodology to understand how the CSCF controls apply to the SWIFT in-scope components, and will define the current position against these.
Foregenix doesn’t stop there. We help our customers create a thorough implementation roadmap and generate action lists to remediate any gaps whilst offering Senior Management a clear understanding of the implications of the risk management approach taken. We also provide technical advice on the best alternatives to implement controls to close identified gaps.
Do you want to learn more about SWIFT’s CSP challenges? Are you trying to understand the true risks behind a poor SWIFT security implementation? Please drop us a line at firstname.lastname@example.org
*SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.