In 2016, SWIFT established the Customer Security Programme (CSP) to promote cybersecurity within the SWIFT community and to drive industry-wide collaboration in the battle against cyber threats. Users (members) are responsible for the security of their infrastructure, and to support this, the CSP has been designed to help combat end-point security threats and cyber fraud. The core component of the CSP is the Customer Security Controls Framework (CSCF), a common set of security controls revised annually. This framework helps users secure their local environments and, in turn, the SWIFT community at large.
In response to increasingly sophisticated and coordinated global fraud and cyberattacks, SWIFT has revised the Customer Security Programme (CSP) and the Customer Security Controls Framework (CSCF). CSCF v2021 is based on three overarching objectives, supported by eight principles, from which 22 mandatory and 9 advisory controls are derived. The SWIFT CSP requires all users to implement the 22 mandatory controls within their local SWIFT secure zone and to obtain an independent assessment, performed by either internal or external assessors, against the CSP requirements. Institutions must submit their attestation of compliance by December 31, 2021.
To meet the December 31, 2021 deadline for submitting the attestation, and to avoid counterparty restrictions and the reporting of noncompliance to local regulators, institutions must first understand how their control environment measures up against the updated SWIFT CSCF mandatory controls. Consider the following steps:
- Perform a Readiness Assessment – Perform an initial assessment of the control environment, through the first line of defense, to identify compliance with the SWIFT CSCF and any gaps in the implementation of the mandatory controls.
- Remediate Gaps – Resolve any findings or observations by engaging appropriate stakeholders and/or implementing new processes and technologies to meet the specified control objectives.
- Determine the Proper Independent Assessment Approach – The independent assessor may be the organization’s own second or third line of defense (or equivalent) or an external assessor. Organizations should determine the appropriate path forward, either by confirming internal capabilities or by engaging a third party for support.
- Build a Sustainable Program – The SWIFT CSP prescribes that assessments and attestations be performed annually. Organizations would therefore be best served by developing repeatable and sustainable processes that enable compliance with the program every year. This includes processes to identify new control objectives, implement new solutions to meet those objectives, perform the independent assessment, and complete the annual attestation with as little disruption to the organization as possible.
What’s the Impact?
Many financial institutions will likely find similarities with existing security control assessments, although consideration should be given to control differences across geographies, as the assessment and attestation are performed per Business Identifier Code (BIC). While some control enhancements may be identified, particularly among the CSCF advisory controls, the majority of the attestation effort should leverage existing compliance activities and adopted security frameworks.
Protiviti’s Cybersecurity & Privacy professionals have deep knowledge and experience in the application of regulatory requirements within the financial services industry. Our extensive expertise helping clients transform and optimize their security and compliance programs, implement industry-leading security products, and adopt the latest cyber defense techniques and capabilities makes us uniquely qualified to assist your organization with understanding, implementing, and integrating the CSCF controls into the broader cybersecurity program.
Protiviti’s Security & Privacy practitioners can perform a readiness assessment of your institution’s SWIFT control environment against the CSCF requirements to help you understand the effort needed to reach compliance within a week of notice. We will design a customized, actionable, and realistic remediation plan to be executed by your team or with Protiviti’s assistance. Finally, Protiviti can serve as an external service provider to perform the required annual assessments that aid your institution’s attestation process.
We pride ourselves on taking a business-centric approach to security by presenting pragmatic and innovative solutions that help organizations withstand evolving cybersecurity and privacy threats.