What is SWIFT Customer Security Program (CSP) 2022?
SWIFT (Society for Worldwide Interbank Financial Telecommunication) provides a network that lets financial institutions send and receive information about monetary transactions in a secure and reliable environment. The SWIFT CSP, or Customer Security Programme, focuses on detecting and preventing fraudulent activity through a set of mandatory security controls, initiatives, and features built into SWIFT products.
As of the latest update, SWIFT introduced numerous changes in 2021 to the Customer Security Programme (CSP) and the Customer Security Controls Framework (CSCF). The SWIFT CSP changes are part of a continuous effort to defend against attacks and fraudulent activity targeting the financial sector. Introduced after several cyber heists, the SWIFT CSP sets a cybersecurity baseline for the whole financial industry.
Given the criticality and reach of the SWIFT platform, it has always been an attractive target for attackers in the financial sector. With technological advances, attackers are now able to exploit even a simple flaw in an organization's implementation. Revising the framework each year is a sound way to address this, and SWIFT CSP 2022 aims to guarantee the security and resilience of the financial sector.
History of Customer Security Controls Framework (CSCF)
The CSCF, or Customer Security Controls Framework, has evolved continuously. In a few years it has grown from 27 controls in 2017 to 31 in 2021, and the number of mandatory controls has also risen clearly over the years. Organizations are granted a period of 18 months to understand and implement any changes to the framework.
The latest implemented version of the CSCF was released in 2020, and its new requirements expect organizational compliance by the end of 2021. CSCF change management follows a 'phased approach' when introducing revisions to the framework: new mandatory controls or scope extensions are first introduced as advisory controls, and they are then promoted to mandatory over time.
Another consequence of the CSCF's continuous updates is that more and more advisory controls will soon become mandatory, so organizations will need to prepare by testing and implementing those controls now. Adhering to a security control well before it becomes mandatory helps you develop the required maturity and posture. It also helps organizations avoid any kind of non-conformity or non-compliance.
SWIFT CSP: Latest Assessment Methodology
The most recent CSP amendment removes self-conducted evaluation from the assessment categories and now requires community-standard assessments for all members. It further states that any SWIFT CSP attestation submitted from 2021 onwards needs to be independently assessed. The process relies on assessing the design and implementation of the controls through either an external or an internal assessment.
- External Assessment
The assessment is performed by a SWIFT CSP service provider organization with assessment expertise, or by individual assessors holding relevant cybersecurity certifications.
- Internal Assessment
The assessment is performed by the organization's second- or third-line-of-defense function, or a functional equivalent. The assessors must have appropriate cybersecurity expertise in assessing security controls and must be independent of the first-line-of-defense function that ultimately submits the attestation.
SWIFT CSP: Re-Attestation Considerations
SWIFT CSP requires users to re-attest annually, with the following considerations:
1. If there are changes to the CSCF, or if the organization has changed its control deployments or architecture, a new assessment is mandatory.
2. If there are no changes to the CSCF or to the control deployments and architecture, users may re-attest their compliance for up to two attestation cycles. This is done by submitting, through the KYC-SA application, a letter from their independent assessor confirming that there are no changes.
3. If SWIFT releases a new version of the CSCF, a new assessment becomes mandatory regardless of changes to the user environment, controls, or architecture.
SWIFT CSP: Control Framework Changes
The SWIFT 2021 version of the CSCF introduced two significant changes aimed at augmenting the framework. The changes respond to evolving threat vectors and the broad landscape of the SWIFT network and its users, which require the strongest protection. In the SWIFT CSP 2021 changes, one advisory control was promoted to mandatory, and the scope of another control was extended.
- Mandatory Control
The advisory control 'Restriction of Internet Access' has now been promoted to mandatory. It restricts internet usage to the minimum necessary to conduct business within the secure zone and on the operators' systems that interface with SWIFT.
- Extended Scope
In the extended-scope revision, Multi-Factor Authentication has an expanded scope that mandates its use when accessing SWIFT-related components and applications.
SWIFT CSP: New Architecture Type
In addition to the framework changes, attestation considerations, and assessment methodology, one of the key changes in CSCF 2021 is the inclusion of a fifth architecture type, 'A4 Customer Connector'. This architecture type uses customer Application Programming Interfaces (APIs) to bridge and interface directly with SWIFT services. The SWIFT architecture types serve as a reference for members to choose the closest representation of their environment and so determine the applicability and scope of the CSCF controls.
Aftermaths of Non-Compliance to SWIFT CSP 2022
The SWIFT network ties its rules and regulations tightly to its users and members. They form part of the protection against fraudulent activity and require SWIFT network members to maintain the compliance expected in the financial sector. Compliance is a necessity, and any non-conformities are strictly recorded and listed within the SWIFT network. Members that are non-compliant with SWIFT CSP 2021 will be identified and made visible within the network, as part of ensuring safety, transparency, and security across it. SWIFT reserves the right to report non-compliance, such as a failure to submit the annual attestation, directly to supervisory authorities. It can also call for an independent external assessment in the context of KYC-SA, as outlined in the CSCP.
Considerations for SWIFT users/members
With all the changes introduced by the SWIFT network in 2021, there are many considerations that members of the SWIFT network need to identify and act on promptly. Cybersecurity threats are rising sharply, and these considerations can help you decide whether you need a SWIFT CSP assessment.
- Can your organization identify and promptly respond to a security incident?
- Have you improved your third-party programs to make full use of the KYC-SA application, which lets you analyse the risks associated with your counterparties?
- How does your organization independently execute security control assessments of your SWIFT environment in line with the CSP 2021 guidelines?
- Is your SWIFT program able to meet the required security goals and be driven by the needed compliance?
- Does your organization have sufficient resources, skills, and supporting technologies to comply with the CSCF on a yearly basis?
- How confident are you in your digital identity management capabilities?
How can a SWIFT CSP service provider/ external assessor help?
Engaging a SWIFT CSP service provider to conduct an assessment audit for attestation brings several benefits. Handing the process to cybersecurity assessors or professionals helps expose the shortfalls in your current security architecture. It is essential to carry out these pre-attestation assessments and spot the deviations from the required SWIFT CSCF guidelines. The earlier you start before the attestation audit, the more time you have to close the deviations using a priority-based approach. Whether the requirement is reinforcing security controls more effectively, increasing community transparency, risk management, independent assessment, or counterparty attestations, seeking the help of a qualified SWIFT CSP service provider is highly valuable in the current digital era.
SWIFT CSCF 2022 Updates
As 2021 draws to a close, SWIFT has published the latest version of the CSCF, applicable in the second half of 2022. Here is a preview of what the 2022 update will bring into practice.
- The first and foremost change is the promotion of 'Transaction Business Controls' from advisory to mandatory. The move is intended to reduce fraudulent financial losses.
- Another update is the creation of a new advisory control, Customer Environment Protection, ensuring the safety of the customer environment and customer-related equipment.
- The scope of the following controls is extended:
  - Software Integrity is now advisory for architecture A4.
  - Similarly, Operating System Privileged Account Control is now advisory for architecture B and general-purpose operator systems.
In addition to the above, there are other minor changes to security controls such as Customer Environment Protection, Internet Data Flow Security, Back Office Data Flow Security, Vulnerability Scanning, Password Policies, MFA, Access Control, Token Management, Staff Screening, Logging, Incident Planning, and Security Training & Awareness. We will cover these in detail at the start of 2022 through our tech blogs.