SWIFT Customer Security Programme – what’s in it for the banking community?

    In recent years, cases of cybersecurity breaches have grown in both frequency and sophistication.  Of all the affected industries, the financial sector remains particularly vulnerable. According to a report by the Boston Consulting Group, banking and non-banking financial firms are 300 times more likely than other institutions to experience cyberattacks.

    Because banks are interconnected through payment networks such as SWIFT, the potential for loss is greater still. A report published by the Federal Reserve Bank of New York in January 2020 found that this interconnectivity creates a large spillover effect for cyberattacks within the banking network. According to the report, a cyberattack on any of the five most active U.S. banks could affect 38% of the network, and cyberattacks on six small banks with less than $10 billion in assets each could threaten the solvency of one of the top five U.S. banks.

    For several decades, SWIFT has worked to make transactions secure by providing a secure network over which more than 10,000 financial institutions in 212 different countries send and receive transaction information. Despite all the measures SWIFT has taken to secure transactions on the network, several cyberattacks involving the network have been reported.

    A timeline of cyberattacks on financial institutions in the SWIFT network

    Date | Financial Institution | Method of Cyber Attack | Value of Theft
    --- | --- | --- | ---
    May 2018 | Banco de Chile | Destructive software as cover for a fraudulent SWIFT transfer | $10 million
    March 2018 | Malaysian Central Bank | Attempted use of fraudulent SWIFT transactions | $390 million
    February 2018 | City Union Bank, India | A SWIFT transfer to a Chinese institution | $1 million
    January 2018 | Bancomext, Mexico | Fraudulent SWIFT transactions | $110 million
    October 2017 | Far Eastern International Bank, Taiwan | Malware planted in the bank’s systems to access a SWIFT terminal and make fraudulent transactions | $14 million
    July 2016 | Union Bank of India | Attempted use of fraudulent SWIFT transactions | $170 million
    July 2016 | Nigerian Bank | Attempted use of fraudulent SWIFT transactions | $100 million
    February 2016 | Bangladesh Central Bank | Fraudulent SWIFT transfer requests to the Federal Reserve Bank of New York | $1 billion
    Early 2015 | Banco del Austro, Ecuador | Compromised payment systems used to make SWIFT transfers to 23 Hong Kong-registered companies | $12 million

    Source: carnegieendowment.org

    In 2019 and 2020, cyberattacks on SWIFT users continued at a rate similar to previous years, and SWIFT does not foresee the rate of these attacks slowing down.

    To combat such cyberattacks and breaches in the global banking system, SWIFT established the Customer Security Programme (CSP) in 2016. The programme aims to improve information sharing within the community, enhance SWIFT-related tools and strengthen end-point security against cyber fraud.

    So, how will this work?

    SWIFT has defined 22 mandatory controls and 10 advisory controls applicable to all SWIFT users.

    Mandatory Controls

    1. SWIFT Environment Protection
    2. Operating System Privileged Account Control
    3. Virtualisation Platform Protection
    4. Restriction of Internet Access
    5. Internal Data Flow Security
    6. Security Updates
    7. System Hardening
    8. Operator Session Confidentiality and Integrity
    9. Vulnerability Scanning
    10. Application Hardening
    11. Physical Security
    12. Password Policy
    13. Multi-Factor Authentication
    14. Logical Access Control
    15. Token Management
    16. Physical and Logical Password Storage
    17. Malware Protection
    18. Software Integrity
    19. Database Integrity
    20. Logging and Monitoring
    21. Cyber Incident Response Planning
    22. Security Training and Awareness

    Advisory Controls

    • Back-Office Data Flow Security
    • External Transmission Data Protection
    • Vulnerability Scanning
    • Critical Activity Outsourcing
    • Transaction Business Controls
    • RMA Business Controls
    • Personnel Vetting Process
    • Intrusion Detection
    • Penetration Testing
    • Scenario Risk Assessment

    As a SWIFT user, your role is simple: you need to reinforce control in three ways.

    1. Protect and secure your local environment

    2. Prevent and detect fraud in your commercial relationships

    3. Prepare the community to defend against future cyber threats by sharing information

    If you are a banking or a non-banking financial institution in the SWIFT community, here’s what you need to do.

    1. Submit an annual Security Attestation

    Attest your controls before the expiry date of the current version of the controls, confirming full compliance with the mandatory security controls by 31st December every year, and re-attest at least annually thereafter.

    2. Manage and monitor counterparty risk

    Form commercial relationships with other SWIFT users, with whom you can exchange business messages. To minimise risk and manage these relationships efficiently, be sure to establish and maintain cybersecurity processes for your organisation.

    3. Enhance the accuracy of your attestation

    Verify that your security attestation corresponds with your actual level of security control implementation. Also, perform a Community Standard Assessment to further enhance the accuracy of your attestations. Starting from 2021, you will also need to submit an Independent Assessment done by an internal or external CSP assessment provider.

    4. Share and view counterparty attestations

    You can send access requests to your counterparties to view the contents of their attestations via the KYC-Security Attestation application (KYC-SA), and your counterparties can send you the same kind of request to view yours. The receiving party can accept or reject each request.

    Can you get external help? Yes.

    SWIFT has published a list of CSP assessment providers who can assist you in addressing cybersecurity within your own organisation so that you meet the mandatory controls.

    Such assessment providers, like Birchford, hold SWIFT certification and ISO 27001 LA certification. They will analyse your SWIFT infrastructure against both the mandatory and the advisory controls. The scope of their assessment could cover the following areas:

    • Readiness assessment – a gap assessment of your cybersecurity controls against the CSCF requirements and other frameworks (NIST, FFIEC, COBIT).
    • Remediation plan – recommended remediation actions for missing controls.
    • Programme management – design of a governance framework and transformation programme to implement the required changes.
    • Subsequent annual external assessments – assistance in implementing the changes and performing the required self-assessment and self-attestation.

    Thereafter you are ready to declare your compliance. You can then submit the results of the analysis on the SWIFT online portal, where they can be made visible to the community.

    We spoke to Baran Ozer, Director of Sales at Birchford, who said:

    “The expanding threat landscape of cyberattacks has never been more pressing. Numerous payment fraud instances in local bank environments demonstrate the necessity for industry-wide collaboration to fight back, and our certified SWIFT and security professionals can give business leaders a helping hand during this campaign. Our combined know-how of SWIFT and security has already produced some innovative and instrumental solutions for banks and financial institutions to comply with some mandatory controls.”

    Birchford houses a team of SWIFT-certified consultants. Their combined expertise in SWIFT and security can help you comply with and cover all aspects of the Customer Security Programme, from assessment to complete implementation. Reach them at birchford.com.
