Latest attestation data shows that, five years on, the Swift Customer Security Programme (CSP) is continuing to deliver significant results.
The Swift Customer Security Programme (CSP) is a non-commercial programme helping Swift-connected organisations strengthen their cybersecurity frameworks and offering free cybersecurity intelligence.
Launched in 2016, the CSP is now well established and continues to innovate and to deliver value and tangible results. It’s one of the largest programmes of its kind in the world, particularly in financial services, and is one of only a few mandatory global cybersecurity programmes.
With five years of consistently high attestation and compliance rates, the CSP reflects a community of highly engaged users committed to stopping cyberattacks in their tracks. And, as the cyber threat landscape evolves, so too does the CSP.
2021 in figures
By last year’s attestation deadline, 89% of our customers, representing over 99% of Swift traffic, attested to their compliance with the cybersecurity controls mandated by the Customer Security Controls Framework (CSCF).
In addition, over 94% of attested customers also submitted an independent assessment for the first time, helping to ensure the veracity of attestations. This requirement, under the Independent Assessment Framework (IAF), became effective in 2021.
“Despite the additional effort with the introduction of the Independent Assessment Framework, we saw the community pull off a tremendous sprint in 2021 to reach similar levels to last year’s attestation rates,” says Frank Versmessen, Head of Customer Security and CSP Programme Director at Swift.
Five years of attestation excellence
Attestation figures over the last five years have consistently been around 90%.
This level of engagement results in a clear opportunity for financial institutions to use their counterparties’ attestation data to help them assess the way they interact and do business with those counterparties.
Download our free ebook to learn how you can use your counterparties’ CSP attestation data to strengthen your cyber-risk management.
Over the last five years, the CSP has facilitated a number of significant developments, including:
- Mature and enforced controls framework – Organisations must adhere to underlying principles common to other standard industry guidelines. These include the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) framework, and the ISO/IEC 27001 model.
- Independent Assessment Framework – Ensures the veracity of security attestation through the requirement for independent assessment, which became effective in 2021.
- Detection and recovery from a compromise – Through the CSP, Swift also helps customers detect and recover from cyber-crime, providing tools for real-time monitoring, and alerting and blocking of fraudulent payments.
- Fostering transparency – A facility for entities to share their cybersecurity attestation level with their counterparts, enabling effective counterparty risk management and fostering transparency in the financial community.
- A unifying force – The CSP has partnered on major initiatives with bodies such as the World Economic Forum (Carnegie/WEF five-year cyber-strategy), and supervisory authorities, to make cybersecurity more accessible to organisations.
- Threat intelligence data (ISAC) accessible via MISP – A web platform that contains information related to cyber threats potentially impacting Swift customers. This Information Sharing and Analysis Centre includes bulletins with detailed Indicators of Compromise now also accessible via MISP, the de facto standard for synchronisation of threat events between servers for an automatic threat feed.
- The KYC-SA application – You can now also check the real-time compliance status of your entities in the KYC-SA application (in the ‘My entities’ view). This view is also available to your counterparties and supervisors. For further details, please refer to the KYC-SA user guide.
“Many industries are looking with admiration at the Swift ecosystem,” says Versmessen. “It’s fantastic how we’ve been able to work together to agree on a single framework, show multilateral accountability and, most importantly, bring cyber hygiene to much higher levels in a relatively short period of time.”
Remember to attest in 2022
There’s once again a requirement to attest and provide an independent assessment against the CSCF v2022 by year end, 31 December 2022. The independent assessment can be completed either internally, by a second or third line of defence (e.g. risk, compliance, or internal audit), or externally, by a third party. Note that, under some conditions documented in section 2.2 of the Independent Assessment Framework, the 2021 independent assessment can be reused in 2022.
The assessment should include a review of existing controls and their efficiency, and a confirmation that they support the customer’s compliance with the CSP control objectives. The requirement is limited to an assessment and is not an audit, so it involves less cost and time.