SWIFT Customer Security Programme – what’s in it for the banking community?

In recent years, cases of cybersecurity breaches have grown in both frequency and sophistication.  Of all the affected industries, the financial sector remains particularly vulnerable. According to a report by the Boston Consulting Group, banking and non-banking financial firms are 300 times more likely than other institutions to experience cyberattacks. 

Because banks are interconnected through payment networks such as SWIFT, the potential for loss is greater. A report published by the Federal Reserve Bank of New York in January 2020 stated that the interconnectivity of banks creates a massive spillover effect for cyberattacks within the banking network. The report notes that a cyberattack on any of the five most active U.S. banks could affect 38% of the network, and that cyberattacks on six small banks with less than $10 billion in assets could threaten the solvency of one of the top five U.S. banks.

For several decades, SWIFT has provided a secure network through which more than 10,000 financial institutions in 212 countries send and receive transaction information. Despite all the measures SWIFT has taken to secure transactions on the network, several cyberattacks have been reported against institutions connected to it.

A timeline of cyberattacks on financial institutions in the SWIFT network

| Date | Financial Institution | Method of Cyber Attack | Theft Value |
|---|---|---|---|
| May'18 | Banco de Chile | Destructive software as cover for a fraudulent SWIFT transfer | $10M |
| Mar'18 | Malaysian Central Bank | Attempted use of fraudulent SWIFT transactions | $390M |
| Feb'18 | City Union Bank, India | A SWIFT transfer to a Chinese institution | $1M |
| Jan'18 | Bancomext, Mexico | Fraudulent SWIFT transactions | $110M |
| Oct'17 | Far Eastern International Bank, Taiwan | Malware planted in the company's systems to access a SWIFT terminal and make fraudulent transactions | $14M |
| Jul'16 | Union Bank of India | Attempted use of fraudulent SWIFT transactions | $170M |
| Jul'16 | Nigerian Bank | Attempted use of fraudulent SWIFT transactions | $100M |
| Feb'16 | Bangladesh Central Bank | Fraudulent SWIFT transfer requests to the Federal Reserve Bank of New York | $1M |
| Early 2015 | Banco del Austro, Ecuador | Compromised payment systems to make SWIFT transfers to 23 Hong Kong-registered companies | $12M |

Source: carnegieendowment.org

In 2019 and 2020, cyberattacks on SWIFT users continued at a similar rate as in previous years. SWIFT does not foresee the rate of the cyberattacks slowing down!

To combat such cyberattacks and breaches in the global banking system, SWIFT established the Customer Security Programme (CSP) in 2016. The programme is designed to improve information sharing in the community, enhance SWIFT-related tools and strengthen end-point security to combat cyber fraud.

So, how will this work?

SWIFT has defined 22 mandatory controls and 10 advisory controls applicable to all SWIFT users. 

Mandatory Controls

  1. SWIFT Environment Protection
  2. Operating System Privileged Account Control
  3. Virtualisation Platform Protection
  4. Restriction of Internet Access
  5. Internal Data Flow Security
  6. Security Updates
  7. System Hardening
  8. Operator Session Confidentiality and Integrity
  9. Vulnerability Scanning
  10. Application Hardening
  11. Physical Security
  12. Password Policy
  13. Multi-Factor Authentication
  14. Logical Access Control
  15. Token Management
  16. Physical and Logical Password Storage
  17. Malware Protection
  18. Software Integrity
  19. Database Integrity
  20. Logging and Monitoring
  21. Cyber Incident Response Planning
  22. Security Training and Awareness

Advisory Controls

  1. Back-Office Data Flow Security
  2. External Transmission Data Protection
  3. Vulnerability Scanning
  4. Critical Activity Outsourcing
  5. Transaction Business Controls
  6. RMA Business Controls
  7. Personnel Vetting Process
  8. Intrusion Detection
  9. Penetration Testing
  10. Scenario Risk Assessment

As a SWIFT user, your role is simple: reinforce your controls in three areas.

1.  Protect and secure your local environment

2.  Prevent and detect fraud in your commercial relationships

3.  Prepare the community to defend against future cyber threats by sharing information

If you are a banking or a non-banking financial institution in the SWIFT community, here’s what you need to do.

1.  Submit an annual Security Attestation

Attest your controls before the current version of the controls expires, confirming full compliance with the mandatory security controls by 31st December every year, and re-attest at least annually thereafter.

2.  Manage and monitor counterparty risk

Form commercial relationships with other SWIFT users, with whom you can exchange business messages. To minimise risk and manage these relationships efficiently, be sure to establish and maintain cybersecurity processes for your organisation.

3.  Enhance the accuracy of your attestation

Verify that your security attestation corresponds to your actual level of security control implementation. Also perform a Community Standard Assessment to further improve the accuracy of your attestation. Starting from 2021, you will also need to submit an Independent Assessment carried out by an internal or external CSP assessment provider.

4.  Share and view counterparty attestations

You can send access requests to your counterparties to view their attestation contents via the KYC-Security Attestation application (KYC-SA), and they can accept or reject those requests. Likewise, your counterparties can send you access requests to view your attestation contents via KYC-SA, and you can accept or reject those requests.

Can you get external help? Yes.

SWIFT has published a list of CSP assessment providers who can assist you in addressing cybersecurity within your own organisation to ensure you meet the mandatory controls.

Such assessment providers, like Birchford, hold SWIFT certification and ISO 27001 Lead Auditor (LA) certification. They will analyse your SWIFT infrastructure against both the mandatory and the advisory controls. The scope of their assessment could cover the following areas:

  • Readiness assessment – A gap assessment of the cybersecurity controls against the CSCF requirements and other frameworks (NIST, FFIEC, COBIT). 
  • Remediation plan – Recommended remediation actions for missing controls. 
  • Programme management – Design of a governance framework and transformation programme to implement the required changes. 
  • Subsequent annual external assessment requirements – Assistance in implementing the changes and in performing the required self-assessment and self-attestation. 

Thereafter you are ready to declare your compliance. You can then submit the results of the analysis on the SWIFT online portal, and your results could be visible to everyone.

We spoke to Baran Ozer, Director of sales at Birchford, who said 

“The expanding threat landscape of cyberattacks has never been more pressing. Numerous payment fraud instances in local bank environments demonstrate the necessity for industry-wide collaboration to fight back and our certified SWIFT and security professionals can give business leaders a helping hand during this campaign. Our combined know-how of SWIFT and security already produced some innovative and instrumental solutions for banks and financial institutions to comply with some mandatory controls.”

Birchford houses a team of SWIFT-certified consultants. Their combined expertise in SWIFT and security can help you comply with and cover all aspects of the Customer Security Programme, from assessment to complete implementation. Reach them at birchford.com