Security Controls Under the New SWIFT Customer Security Programme

Cyberattacks are becoming more and more prominent, and the funds transfer arena is one of their preferred targets. Given the agility and evolution of these cyber threats, combating fraud in the long term is a challenge and a key prevention factor for the entire financial industry.

CSP Context and Principles

As a SWIFT partner since 2003, Allevo supports and promotes SWIFT’s initiative to launch the Customer Security Programme (CSP), which aims to improve information sharing throughout the financial community, enhance SWIFT-related tools and provide audit frameworks, while recommending best practices and guidelines for fraud detection. Being at the heart of the banking and financial industry, SWIFT is committed to playing an important role in reinforcing and safeguarding the security of the wider ecosystem.

The SWIFT Customer Security Controls Framework describes a set of mandatory and advisory security controls for SWIFT customers and addresses all entities that have an active BIC8. All controls are articulated around three main objectives:

  • ‘Secure your Environment’ – SWIFT customers are individually responsible for protecting and securing their local environments in general, and the back-office systems that come in contact with SWIFT applications in particular.
  • ‘Know and Limit Access’ – prevent and detect fraud in your commercial relationships with your counterparts.
  • ‘Detect and Respond’ – defend against future cyber threats.

Mandatory security controls establish a security baseline for the entire community, and must be implemented by all users on their local SWIFT infrastructure. SWIFT has chosen to prioritize these mandatory controls to set a realistic goal for near-term, tangible security gain and risk reduction.

Self-attestations must be submitted by the end of 2017, with submissions starting in July. In this endeavor, SWIFT will work in close partnership with the banking community to ensure everything goes as smoothly as possible for all parties involved.

CSP actions include the introduction of 16 mandatory security controls, new services meant to help prevent and detect fraudulent activity, as well as community-wide information sharing initiatives that prepare for, and defend against, future attacks.

The 11 advisory controls are based on good practice that SWIFT recommends users implement. Note that some of them may in time become mandatory as well, due to the evolving threat landscape. Since nothing beats being prepared ahead of time, you should also consider these advisory controls once all the mandatory requirements are met.

CSP and SWIFT’s 2020 Strategy

CSP is a multi-year programme whose measures should become part of everyday practice. Although clear delivery milestones have been defined, there is no definitive end to this programme, as levels of security should constantly rise in order to stay ahead of emerging cyber threats.

As far as SWIFT2020 is concerned, you may already be aware that it focuses on operational excellence in SWIFT’s core financial messaging services in order to deliver on the highest expectations of customers, in terms of security, reliability and availability of service, while also addressing new cyber and geopolitical challenges.

Considering the role SWIFT plays as an industry-wide cooperative, CSP not only fits like a glove for this long-term strategy focused on security, but is quite a natural extension of it.

The Bigger Picture

Besides these security controls, SWIFT has also introduced enhanced security features to its products, designed to assist users in addressing security concerns, such as stronger password management, enhanced integrity checking and built-in two-factor authentication.

SWIFT is concerned not only with banks per se, but with the entire ecosystem revolving around them, and banks should also care about breaches of security outside their walls, on their counterparties’ side.

Part of what SWIFT can and will do on this matter is to keep banks up to date with relevant cyber intelligence, and to continue to expand its information sharing platforms. SWIFT is engaging with vendors and third parties to help secure the broader environment, but banks should also act in a timely manner on SWIFT information and security updates, of course.

After all, this whole hassle is for the greater good of keeping everyone’s finances safe…

*Article based on information found on SWIFT’s website.
