At SWIFT, we have an uncompromising approach to information security which we recognise is a key value driver for our customers and a major differentiator of our services.
Failure is not an option
The essential components of SWIFT’s business, information and cyber security are actively managed throughout the organisation – from Board level, through the CEO and senior management, to operations.
SWIFT’s information security measures are comprehensive. They are designed to cater for extreme situations and aim to prevent any unauthorised physical and logical access which could lead to a loss of confidentiality, integrity or availability. Our measures include physical controls that safeguard our premises as well as logical controls that protect against unauthorised access to data and systems and encompass our detection, response and recovery capabilities.
The physical security of our IT assets and data is ensured by: incorporating the highest levels of protection in the design and construction of our purpose-built data centres; enforcing rigorous controls on access to these sites on a strict business-need basis; and enforcing strict controls over the handling of computer hardware and media during their entire lifecycle.
We take a similar approach in the architecture, design, development, maintenance and operations of our services and applications. Using a structured development methodology, we ensure that the highest levels of logical security are embedded into the SWIFT services, applications and technologies that support our customers’ business. Dedicated teams of security specialists, working together with leaders in the field, review all designs and security practices to provide guidance, support, testing and assurance that our offerings are appropriately designed, implemented and operated before being delivered to the customer community.
Risk management is deeply embedded in operational practices at SWIFT, and is underpinned by a very strong risk culture that is captured in the motto: “Failure is Not an Option” (FNAO). Three solid lines of defence underpin and oversee SWIFT’s risk management approach: first, management, which is responsible for developing and implementing strong reliability and security frameworks; second, the risk and compliance functions, responsible for the overall risk frameworks; and third, the audit functions. All of this is supported by a robust third-party assurance framework and through reporting by an external security audit firm, in accordance with the requirements in the applicable International Standards on Assurance Engagements.
SWIFT’s overall Enterprise Risk Management framework provides a consolidated view of risk management information across SWIFT, building on and governing other risk management practices within SWIFT, such as Information Security Risk Management. The Information Security Risk Management Framework documents the way security risks are identified, mitigated, tracked and reported up to the Board of SWIFT. This framework is designed to cater for the ongoing evolution of our risk practices which are adapted in line with emerging threats and the cyber arms race.
SWIFT’s internal audit and external security audit complete the information security risk management system by independently and objectively reviewing, assessing and reporting on SWIFT's risk and control functions on an ongoing basis. The Internal Audit team itself is periodically subject to external review, providing assurance to the Board and SWIFT Management that the team operates in line with international auditing standards and practices.
SWIFT takes cyber security very seriously. We actively learn about external cyber incidents, malicious modus operandi and cyber threats from a variety of public, specialised or confidential sources, helping us to drive our continuous investment in prevention, detection and/or recovery. Whenever our comprehensive investigations lead us to believe such threats or vulnerabilities may constitute a risk to the security of our operations, we take appropriate actions in a timely fashion to mitigate such risks and protect our services.
In line with widely recognised standards such as ISO or the NIST cyber framework, we have a history of substantial investment in our cyber strategy and infrastructure, but we acknowledge that there is no room for complacency; we have to live up to our role and reputation as a critical element of the global financial industry’s infrastructure. SWIFT will continue to invest in and focus on security in order to stay ahead of the constantly changing threat landscape. In light of increasing cyber threats, SWIFT maintains a cyber-security roadmap that defines our security focus areas for a rolling three-year period. Our cyber investments are structured in four main dimensions:
- Learn – know the enemy and understand our exposure;
- Prevent – make enemies’ lives inherently more complicated, prevent cyber-attacks;
- Plan – never underestimate the enemy, and seek to detect attacks that could overcome our prevention;
- Manage – assume breach. Prepare for the worst, be ready to respond, contain and recover from attacks.
SWIFT messaging services
SWIFT messaging services are provided within the SWIFT environment, which includes all the premises, infrastructure, software, products and services owned and directly operated (and controlled) by SWIFT and its personnel. The SWIFT environment applies strict security, confidentiality and integrity protections to customers’ messages. We have controls and procedures in place to protect message data from unauthorised disclosure, to guarantee message origin, to protect against unauthorised changes to messages, and to detect corruption of messages; furthermore content validation features can be used to ensure that only validated messages are processed and delivered in the relevant sequence to the intended recipient.
We commit to the availability of our messaging services, and we ensure confidentiality and integrity of messages and related customer data and privacy rights within the SWIFT environment.
Message data* sent by our customers is authenticated using advanced security and identification technology. State-of-the-art encryption is applied before the messages leave the customer's** environment and enter the SWIFT environment. They remain in the protected SWIFT environment, subject to all SWIFT’s confidentiality and integrity commitments, throughout the transmission process and until they are safely delivered to the receiver. All customer messages are encrypted when stored on SWIFT systems.
SWIFT’s messaging services are designed to be available 24 hours a day, 365 days a year, with some limited planned downtime. We maintain multiple operating centres (OPCs) providing full site redundancy. Within each OPC, the central systems are designed to eliminate single points of failure by means of multiple local computer floors. In 2014, SWIFT’s state-of-the-art Operating Centre in Switzerland became fully operational. This new IT facility has the capability to support global messaging flow. SWIFT has an ultimate capability to restore messaging in the unlikely, extreme case all other resiliency measures and backups are inadequate.
We protect customer data from unauthorised disclosure. Our security measures provide robust controls around physical and logical access, including physical measures that protect premises as well as logical controls that restrict access based on business needs. All customer messages are encrypted with state-of-the-art technology when stored on SWIFT systems or when leaving SWIFT data centres. Additionally, customer messages are processed and stored in OPCs located in geographical zones best matching customer expectations on data privacy regulations.
SWIFT-specific public keys, digital certificates and digital signatures are variously used to authenticate senders and to validate the integrity of the messages sent. SWIFT verifies signatures to confirm message integrity and validates certificates to authenticate the senders. SWIFT ensures that messages are delivered to the intended recipient in the appropriate sequence. It also offers end-to-end security: senders can apply signatures intended for their receivers, so that receivers can verify the message integrity and authenticate the senders themselves. Thus, the data in messages can be issued and controlled exclusively by the sending and receiving institutions, and message originators are able to provide message recipients with the means of verifying that the message has not been modified during transmission.
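The sender-signs / receiver-verifies pattern described above, as an added illustration that is not SWIFT's own code and does not describe SWIFT's actual message formats or key infrastructure. It assumes a hypothetical envelope (sender identifier, per-sender sequence number, payload, Ed25519 signature), a constructed sender identifier "BANKAAAA", and a simple map of trusted public keys standing in for certificate validation against a trusted authority. The receiver rejects messages from unknown senders, messages whose content no longer matches the signature, and messages that arrive out of sequence or are replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedMessage is a constructed, hypothetical envelope: a sender identifier, a
// per-sender sequence number (starting at 1), the payload, and the sender's
// Ed25519 signature over the canonical encoding of the first three fields.
type SignedMessage struct {
	Sender    string
	Sequence  uint64
	Payload   []byte
	Signature []byte
}

// canonicalBytes builds the bytes that are signed: a length-prefixed sender ID,
// the big-endian sequence number and a SHA-256 digest of the payload. The
// length prefix keeps the field boundaries fixed so fields cannot be shifted.
func canonicalBytes(sender string, seq uint64, payload []byte) []byte {
	var lenBuf [4]byte
	var seqBuf [8]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(sender)))
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	sum := sha256.Sum256(payload)
	buf := append([]byte{}, lenBuf[:]...)
	buf = append(buf, sender...)
	buf = append(buf, seqBuf[:]...)
	return append(buf, sum[:]...)
}

// Sign is the sending institution's step: sign the canonical bytes with its private key.
func Sign(priv ed25519.PrivateKey, sender string, seq uint64, payload []byte) SignedMessage {
	return SignedMessage{
		Sender:    sender,
		Sequence:  seq,
		Payload:   payload,
		Signature: ed25519.Sign(priv, canonicalBytes(sender, seq, payload)),
	}
}

var (
	ErrUnknownSender = errors.New("sender not in trust store")
	ErrBadSignature  = errors.New("signature does not verify: content altered or wrong key")
	ErrOutOfSequence = errors.New("sequence number not strictly increasing (replay or reordering)")
)

// Receiver holds the public keys it trusts (a stand-in for certificate
// validation) and the last sequence number accepted from each sender.
type Receiver struct {
	trusted  map[string]ed25519.PublicKey
	lastSeen map[string]uint64
}

func NewReceiver() *Receiver {
	return &Receiver{trusted: map[string]ed25519.PublicKey{}, lastSeen: map[string]uint64{}}
}

// Trust registers a sender's public key; in practice this is certificate validation.
func (r *Receiver) Trust(sender string, pub ed25519.PublicKey) { r.trusted[sender] = pub }

// Accept authenticates the sender, checks integrity, then enforces ordering.
// Order matters: the sequence counter is only advanced for authentic messages.
func (r *Receiver) Accept(m SignedMessage) error {
	pub, ok := r.trusted[m.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if !ed25519.Verify(pub, canonicalBytes(m.Sender, m.Sequence, m.Payload), m.Signature) {
		return ErrBadSignature
	}
	if m.Sequence <= r.lastSeen[m.Sender] {
		return ErrOutOfSequence
	}
	r.lastSeen[m.Sender] = m.Sequence
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rx := NewReceiver()
	rx.Trust("BANKAAAA", pub) // constructed sender identifier

	msg := Sign(priv, "BANKAAAA", 1, []byte("constructed payment instruction"))
	fmt.Println("genuine message:", rx.Accept(msg)) // <nil>

	tampered := msg // same signature, altered content
	tampered.Payload = []byte("constructed payment instruction, amount changed")
	fmt.Println("tampered message:", rx.Accept(tampered)) // ErrBadSignature

	fmt.Println("replayed message:", rx.Accept(msg)) // ErrOutOfSequence
}
```

The digest-then-sign layout is a design choice for the example, not SWIFT's format: signing a fixed-size digest of the payload keeps the signed input bounded, while the sender ID and sequence number are signed directly so that neither can be altered in transit without invalidating the signature.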
SWIFT’s messaging services are critical to the seamless operation of financial markets across the world and we therefore place particular focus on the resiliency of our messaging services. Our infrastructure is designed, built and tested to remain available in the event of stresses, disturbances, malfunctions or malicious acts and to meet specified recovery time objectives.
A sustained failure of our messaging services is unlikely because of the highly resilient nature of our infrastructure. Since its inception SWIFT has been a pioneer in the area of highly-available IT services, and this commitment to resilience continues today. SWIFT has used its experience in designing and implementing highly resilient architectures in accordance with documented resilience principles.
We maintain multiple operating centres (OPCs) to provide full site redundancy and our OPCs are situated in geographically diverse locations, which were selected after careful consideration of potential man-made and natural hazards. Within each OPC, the system architecture is designed to eliminate single points of failure. The systems and networks at each OPC are designed and configured to meet the processing and storage requirements of the SWIFT user community in the concerned zone(s).
The OPCs are highly secure, and access to them is strictly controlled. Each operating centre has local redundancy for items of critical importance, from servers to cooling devices and power supplies. Message data is always stored in two geographically independent operating centres before delivery.
To cater for the extreme scenario in which multiple operating centres should fail simultaneously, a completely separate disaster recovery infrastructure can be activated to keep our messaging services running. Service continuity testing plans, based on defined scenarios and expected outcomes, are executed in accordance with a published and audited plan. SWIFT tests its disaster site takeovers within expected timeframes at least once a year.
SWIFT is well prepared for the rare event that its messaging services are affected by an incident: every year we carry out hundreds of business continuity exercises, which can variously involve staff at all levels, local authorities, and customers, and cover different scenarios including cyber-related events. Specific cyber business continuity plans have been developed. Our post-test reviews ensure that relevant improvement actions are taken.
The resilience of SWIFT’s services is subjected to regular internal and external audits and included in the scope of the external audit report.
Independent assurance provided through External Audit
SWIFT’s external security auditor performs an annual independent external audit of our messaging services. This audit is conducted in accordance with the requirements in the applicable International Standards on Assurance Engagements. The resulting reports provide independent assurance on the security and reliability of SWIFT’s services in scope. Reports covering calendar years up to 2015 were prepared under the ISAE 3402 standard and contained the Independent Security Auditor’s opinion that they have obtained reasonable assurance that SWIFT has adequate and effective controls in place to meet the stated control objectives in the areas of Governance, Confidentiality, Integrity, Availability, and Change Management. As of 2016, reports are produced under the ISAE 3000 standard. Aligned with CPMI-IOSCO’s Expectations for Critical Service Providers, they cover the areas of Risk Management, Security Management, Technology Management, Resilience and User Communication. Both ISAE 3402 and ISAE 3000 are international standards which enable service providers such as SWIFT to provide independent assurance on their processes and controls to their customers and their auditors.
The FIN & SWIFTNet ISAE 3000 report and the Lite2 ISAE 3000 report are made available to customers upon request, as well as to potential customers subject to appropriate confidentiality arrangements.
Electronic copies of the 2016 FIN & SWIFTNet ISAE 3000 report and the 2016 Lite2 ISAE 3000 report can be requested from SWIFT.