Hackers abuse banks' security flaws to grab large amounts of money across payment systems and the local infrastructure. It's time to put an end to this, and SWIFT, the international organisation of financial institutions, has set up a Customer Security Programme (CSP). The programme aims at a significant improvement in the security of local SWIFT infrastructures against cyberthreats. Here is how it works, and what banks will need to do about it.
In case you've never heard of it yet, SWIFT stands for Society of Worldwide Interbank Financial Telecommunication and has existed since 1973. Its task is to standardise worldwide transaction and messaging traffic over the SWIFT telecom network. Its roughly 11'000 clients are responsible for the security of their own environment and of their access to SWIFT. The Customer Security Programme is intended to ensure a uniformly high and reliable level of protection for all SWIFT users, such as banks, stock exchanges, brokers and enterprises in more than 200 countries.
The following ambitious plan is SWIFT's roadmap for the implementation of the programme:
The heart of the CSP is the Customer Security Control Framework, which consists of three targets:
These three targets are structured into eight fundamental principles. From these, 27 controls are formulated, of which 16 are compulsory for all SWIFT users and financial service providers; 11 additional controls are recommended. In 2018, a new release of the SIP (Shared Infrastructure Programme) is due; it is expected to harmonise the two programmes, the SIP and the CSP. The target is to align the controls for those users who do not run a local SWIFT infrastructure but instead, for instance, use SWIFT Service Bureaux or access SWIFT through their system providers.
The security controls selected by SWIFT are based on the following international security standards:
In this way, the controls cover several issues that are regularly addressed in the context of end-of-year IT audits. Being able to prove compliance with these controls across the whole SWIFT infrastructure can be a challenge. For instance, businesses are expected to prove that employees receive regular training with explicit reference to SWIFT.
For this reason, I warmly advise that you do not limit the effort to checking and securing your SWIFT-related infrastructure, but rather extend the scope to your whole internal IT and bring your infrastructure up to the state of the art in all things related to cyber security. The effort does not have to carry large additional costs. Are you wondering how that works? You will find the answers in our handy Cyber Security Guide.
Where compliance is poor or the self-attestation is missing, SWIFT can, in the worst case, alert the local supervisor. Increased transparency is also a target: in the future, all SWIFT users will be able to request mandatory information on their CSP compliance.
Here at InfoGuard, we have wide experience in the field of cyber security in Swiss banks. We can support you, as a SWIFT client, with your SWIFT CSP compliance programme, including the following items:
Our suggestion: take the opportunity of the SWIFT CSP to think about a comprehensive solution for cyber security in your enterprise, one that goes beyond the implementation of the CSP. This is the only way to reach a higher level of security in your business!
You and your enterprise are not alone with this challenge: many other Swiss banks are in the same situation, and some have already taken action. Many have put their trust in InfoGuard. If you need more information or details related to your own situation, we are pleased to help. Call on us, and take advantage of our many years of experience and of our wide portfolio of solutions for your security!