Computer security, and the management of cyber risks in particular, is a key area of attention not only for financial institutions but also for regulators. SWIFT is a forerunner in this regard, having published the Customer Security Programme (CSP) as early as 2017, which gives all affiliated financial institutions common basic principles for the management of cyber risks. The programme laid the foundation for a Control Framework (CSCF), which has since been updated several times: in 2017 there were 16 mandatory controls, in 2021 there are 22. Furthermore, from 2021 users must have an independent CSCF assessment carried out annually. This is quite a challenge, and one in which BDO is happy to support you.
SWIFT Customer Security Programme (CSP) - Community-Standard Assessment
SWIFT operates a telecommunications network that underpins payments worldwide. The platform has more than 11,000 users connected to each other via the network. This highly sensitive network faces a high risk of far-reaching cyber attacks.
To deal with this risk, SWIFT adopted the Customer Security Programme (CSP) in 2016. The aim is to define basic principles for the management of cyber risks that apply to all affiliated financial institutions. To this end, SWIFT has drawn up a comprehensive catalogue of security controls. Since 2017, the annually renewed Customer Security Control Framework (CSCF) has been setting out the security standards and requirements of the CSP.
Customer Security Control Framework (CSCF)
Since its publication in 2017, the CSCF has been continually reinforced and adapted to the evolution of cyber risks. While there were only 16 mandatory controls in 2017, this number gradually increased to 22 mandatory and 9 optional controls in 2021. For 2022, it will again be increased to 23 mandatory and 9 optional controls. In addition to strengthening the existing controls, optional controls have become mandatory over the years and new controls have also been introduced.
“The CSCF was mapped against industry-recognised standards, with the aim of improving the integration of the SWIFT control objectives into existing organisations.” These include the standards NIST Cybersecurity Framework v1.1, ISO 27002 (2013) and PCI DSS 3.2.1, which many financial institutions apply.
Since this year, users have been required to conduct an annual independent CSCF assessment. Until the end of 2020, an assessment on the basis of the Control Framework was optional. Furthermore, it was unclear whether the assessment should be a self-assessment performed by the responsible department or whether it should be performed by an independent third party.
Nature of the assessment | Optional - at the initiative of the user | Internal or external
Independent assessment in accordance with CSP standard | Mandatory for all users | Internal or external
SWIFT mandatory assessment | Mandatory - Sample compiled via QA analysis |
From 2021, all institutions affiliated to the SWIFT network must be assessed by an independent party. SWIFT leaves open whether the assessment is entrusted to an internal or an external evaluator. Potential internal evaluators include the Risk Office, internal audit or another independent body that is part of the company’s 2nd or 3rd Line of Defence. It is essential that the evaluator has the appropriate level of competence to assess the technical and organisational controls and their implementation.
Moreover, since 2018 SWIFT has reserved the right to have an external body check the accuracy of the findings for a sample of the institutions. In that case, the intervention of an independent internal evaluator is not permitted.
In the world of financial services, developments are following each other in rapid succession. This poses major challenges for financial institutions, especially small and medium-sized ones. In order to implement the standards efficiently and in good time, we recommend the timely involvement of all stakeholders. In particular, it is necessary to make policymakers aware of long-term solutions for a continuous assessment of the CSCF.
Even where no independent external evaluator has been used up to now, it is important to ensure that previous work can be drawn upon. Those involved can use already documented and unchanged CSP controls to make the external assessment more efficient.
The results of the annual CSCF assessment must be reported to SWIFT between 1 July and 31 December. Typically, we suggest the following process:
Our step-by-step approach makes it possible to correct any outstanding points or shortcomings before the results of the final assessment are communicated. This ensures that the controls operate with optimum efficiency and that the resulting SWIFT conformity is achieved.