SWIFT Customer Security Programme – what’s in it for the banking community?
In recent years, cases of cybersecurity breaches have grown in both frequency and sophistication. Of all the affected industries, the financial sector remains particularly vulnerable. According to a report by the Boston Consulting Group, banking and non-banking financial firms are 300 times more likely than other institutions to experience cyberattacks.
As cybersecurity breaches continue to grow in both frequency and sophistication for all industries, and the financial sector remains particularly vulnerable. Banking and Non-Banking Financial firms are 300 times more likely than other institutions to experience them, according to a report by the Boston Consulting Group.
Also with the banks being interconnected through payment networks like SWIFT, the threat of loss is greater. A report published by the Federal Reserve Bank of New York in January 2020, stated that the interconnectivity of banks brings about a massive spillover effect of cyberattacks within the banking network. The report mentions that a cyberattack on any of the five most active U.S. banks could affect 38% of the network and that cyberattacks on six small banks with less than $10 billion in assets could threaten the solvency of one of the top five U.S. banks.
The SWIFT network, for several decades, has been working towards making transactions secure by providing a secure network to more than 10,000 financial institutions in 212 different countries to send and receive transaction information among each other. Despite all the measures taken by SWIFT to make transactions in the network secure, several cases of cyberattacks have been reported in the network.
A timeline of cyberattacks on financial institutions in the SWIFT network
Date | Financial Institution | Method of Cyber Attack | Theft Value |
May’18 | Banco de Chile | Destructive software as cover for a fraudulent SWIFT transfer | $10M |
Mar’18 | Malaysian Central Bank | Attempted use of fraudulent SWIFT transactions | $390M |
Feb’18 | City Union Bank, India | A SWIFT transfer to a Chinese institution | $1M |
Jan’18 | Bancomext, Mexico | Fraudulent SWIFT transactions | $110M |
Oct’17 | Far Eastern International Bank, Taiwan | Malware planted in the company’s systems to access a SWIFT terminal and make fraudulent transactions | $14M |
Jul’16 | Union Bank of India | Attempted use of fraudulent SWIFT transactions | $170M |
Jul’16 | Nigerian Bank | Attempted use of fraudulent SWIFT transactions | $100M |
Feb’16 | Bangladesh Central Bank | Fraudulent SWIFT transfer requests to the Federal Reserve Bank of New York | $1M |
Early 2015 | Ecuadorian Banco del Austro, Ecuador | Compromised payments systems to make SWIFT transfers to 23 Hong Kong-registered companies | $12M |
Source: carnegieendowment.org
In 2019 and 2020, cyberattacks on SWIFT users continued at a similar rate as in previous years. SWIFT does not foresee the rate of the cyberattacks slowing down!
As an initiative to combat such cyberattacks and breaches in the global banking system, SWIFT established the Customer Security Programme (CSP) in 2016. The program is planned such that it improves information sharing in the community, enhances SWIFT-related tools and strengthens end-point security to combat cyber fraud.
So, how will this work?
SWIFT has defined 22 mandatory controls and 10 advisory controls applicable to all SWIFT users.
Mandatory Controls
- SWIFT Environment Protection
- Operating System Privileged Account Control
- Virtualisation Platform Protection
- Restriction of Internet Access
- Internal Data Flow Security
- Security Updates
- System Hardening
- Operator Session Confidentiality and Integrity
- Vulnerability Scanning
- Application Hardening
- Physical Security
- Password Policy
- Multi-Factor Authentication
- Logical Access Control
- Token Management
- Physical and Logical Password Storage
- Malware Protection
- Software Integrity
- Database Integrity
- Logging and Monitoring
- Cyber Incident Response Planning
- Security Training and Awareness
Advisory Controls
- Back-Office Data Flow Security
- External Transmission Data Protection
- Vulnerability Scanning
- Critical Activity Outsourcing
- Transaction Business Controls
- RMA BusinessControls
- Personnel Vetting Process
- Intrusion Detection
- Penetration Testing
- Scenario Risk Assessment
As a SWIFT user, your role is simple. All you’d need to do is reinforce control in three ways.
1. Protection and secure your local environment
2. Prevent and detect fraud in your commercial relationships
3. Prepare the community to defend against future cyber threats by sharing information
If you are a banking or a non-banking financial institution in the SWIFT community, here’s what you need to do.
1. Submit an annual Security Attestation
Attest your controls before the expiry date of the current version of controls, confirming full compliance with the mandatory security controls by 31st December every year, and re-attest at least annually thereafter.
2. Manage and monitor counterparty risk
Form commercial relationships with other SWIFT users, with whom you can exchange business messages. To minimise risk and manage these relationships efficiently, be sure to establish and maintain cybersecurity processes for your organisation.
3. Enhance the accuracy of your attestation
Verify that your security attestation corresponds with your actual level of security control implementation. Also, perform a Community Standard Assessment to further enhance the accuracy of your attestations. Starting from 2021, you will also need to submit an Independent Assessment done by an internal or external CSP assessment provider.
4. Share and view counterparty attestations
You can send access requests to your counterparties to view their attestation contents via the KYC-Security Attestation application (KYC-SA). They can accept or reject those requests. Your counterparties can also send you access requests to view your attestation contents via the KYC-Security Attestation application (KYC-SA). You can accept or reject those requests.
Can you get external help? Yes.
SWIFT has published a list of CSP assessment providers who can assist you in addressing cybersecurity within your own organisation to ensure you meet the mandatory controls.
Such assessment providers, like Birchford, hold SWIFT certification and ISO 27001 LA certification. They will analyse your SWIFT infrastructure under both mandatory and advisory controls. The scope of their assessment could be in the following areas:
- Readiness assessment – A Gap assessment of the cybersecurity controls against the CSCF requirements and other frameworks (NIST, FFIEC, COBIT).
- Remediation plan – Recommendations as remediation actions for missing controls.
- Program management – Design a governance framework and transformation program to implement required changes.
- Subsequent annual external assessments requirement – Assist in the implementation of changes and perform the required self-assessment and self-attestation.
Thereafter you are ready to announce your compliance. You can then submit the results of the analysis on the SWIFT online portal, and your results could be visible to everyone.
We spoke to Baran Ozer, Director of sales at Birchford, who said
“The expanding threat landscape of cyberattacks has never been more pressing. Numerous payment fraud instances in local bank environments demonstrate the necessity for industry-wide collaboration to fight back and our certified SWIFT and security professionals can give business leaders a helping hand during this campaign. Our combined know-how of SWIFT and security already produced some innovative and instrumental solutions for banks and financial institutions to comply with some mandatory controls.”
Birchford houses a team of SWIFT certified consultants. Their combined expertise of SWIFT and security can help you comply with and cover all aspects of the Customer Security Programme, from assessment to complete implementation. Reach them on birchford.com.