Financial Institutions Can Strengthen Cybersecurity with SWIFT’s CSCF v2021
The Society for Worldwide Interbank Financial Telecommunications (SWIFT) has introduced an updated set of baseline customer security controls that all of its users must implement on their SWIFT-related infrastructure by mid-year 2021.
SWIFT is the world’s largest provider of secure financial messaging services to banks and other financial institutions. SWIFT has more than 11,000 users in over 200 countries, which makes it an attractive target to cybercriminals looking for banking information to perpetuate their fraudulent schemes.
The growing number of fraud instances over the last few years within SWIFT customers’ local environments indicates the necessity for industry-wide collaboration among financial institutions to protect their organizations against persistent threats.
To help financial institutions detect, defend and recover from cyberthreats, SWIFT designed its Customer Security Program (CSP) in 2016. CSP’s goal is to mitigate the risk of fraudulent activity through a set of controls, updated on an annual basis. The latest version of those controls, along with a new independent assessment requirement, go into effect in July 2021.
Though SWIFT does not penalize organizations for non-compliance, it is mandatory to report it. SWIFT makes this information visible to local monetary authorities, central banks, and financial regulatory agencies. Therefore, non-compliance may severely limit an organization’s ability to transact with other parties.
CSCF v2021: Turn your attention to updated security controls
SWIFT created the CSP to support financial institutions in protecting their own environments against cybercrime. The CSP established a common set of security controls, the Customer Security Controls Framework (CSCF), designed to help users secure their systems with a list of mandatory controls, community-wide information sharing initiatives, and security features on their payment infrastructure.
The CSCF is designed to evolve based on threats observed across the transaction landscape. The CSCF’s
controls are centered around three overarching objectives:
- Secure your environment
- Know and limit access
- Detect and respond
The updated CSCF v2021 includes changes to existing controls and additional guidance and clarification on implementation guidelines. The newest version includes 31 security controls, 22 mandatory controls, and 9 advisory controls. Mandatory controls must be implemented by all users on the user’s local SWIFT infrastructure. Advisory controls are based on recommended best practices advised by SWIFT.
Assess your compliance with SWIFT Controls v2021
SWIFT originally planned to require all financial institutions to undertake an independent assessment of their adherence to the CSCF in 2020. However, due to COVID-19 disruptions, SWIFT decided to delay the introduction of the independent assessment requirement until 2021. Beginning in July 2021, all financial institutions using SWIFT will need to support their attestation against CSCF v2021 with an independent internal or external assessment.
The CSCF assessment may be completed by an accredited member of an independent internal function (e.g., risk management, internal audit, etc.) or by an independent external party. In either case, the assessor must be free from any conflict of interest and demonstrate a proper level of independence, and the assessment must be properly executed and conducted in a reliable, objective manner.
Prior to starting your independent assessment, you should consider performing a readiness assessment before July 2021 to evaluate compliance of the new requirements and identify your independent assessor. A thorough readiness assessment should include the following steps:
- Evaluate the updated guidelines and clarify scope definitions, including the impact of the new architecture type, identified as A4.
- Assess the impact of implementing the control 1.4 Restrict Internet Access. (Note that this control was promoted from advisory to mandatory in CSCF v2021.)
- Analyze and select your independent assessment team, considering collaboration with other required regulatory assessments for an efficient approach.
Engage the right resources
If your organization decides to retain a third-party provider to perform the compliance assessment, verify that the assessor has recent cybersecurity assessment experience using industry standards, such as ISO 27001, SOC 2, SOC 3 or NIST Cybersecurity Framework. In addition, individual assessors on the provider’s team should have relevant security industry certifications, such as Certified Information System Auditor (CISA), and Certified Information Security Manager (CISM).
Financial institutions will continue to be a major target for cybercriminals. As SWIFT adds more users to its platform and the financial community grows, it’s crucial for all financial institutions to remain alert and properly secure their systems.
Complying with SWIFT’s updated controls requirements is one of the most important tasks for your cybersecurity team in the first part of 2021. Don’t delay your readiness and compliance assessments so you can take immediate action on any security gaps requiring your attention.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.