Fighting cyber-security threats on all fronts
SWIFT continues to support its customers in reinforcing the security of their SWIFT-related infrastructure
As in Geneva, detection and prevention of cyber-security attacks will continue to be a high priority for delegates attending Sibos 2017 in Toronto, with the emphasis firmly on protecting the integrity of users’ SWIFT infrastructures via the Customer Security Programme (CSP).
Launched in 2016, the CSP is designed to secure and protect banks’ own SWIFT connectivity environment, to prevent and detect counterparty cyber-security risks via proactive relationship management, and to encourage sharing of information on threats and best practice across the SWIFT community.
SWIFT rolled out the guidelines and resources needed to support users’ compliance with CSP’s objectives, principles and controls during the first half of 2017. Now, the focus is on meeting its baseline security standards and attesting compliance before the end of the year.
Issued in April, the Customer Security Controls Framework sets out in detail the CSP’s three objectives (‘Secure your Environment’, ‘Know and Limit Access’, and ‘Detect and Respond’), eight principles and 27 controls (16 mandatory, 11 advisory). This is complemented by the Customer Security Controls Policy (issued in May), which explains the self-attestation process, including procedures governing access to consenting counterparties’ attestations.
Since July, banks and other SWIFT users have been able to submit self-attestation documentation via SWIFT’s KYC Registry Security Attestation application. SWIFT users that have not self-attested ahead of the December 2017 deadline may be reported to local regulators from January 2018. Relevant information will also be made available to other member banks, helping counterparties to make more informed relationship management and due diligence decisions. “By increasing the standards and transparency of individual banks’ cyber-security and risk management policies and procedures, we can improve the defences of the whole community against cyber-criminals,” says Stephen Gilderdale, head of the Customer Security Programme, SWIFT.
Alongside the CSP compliance and attestation process, SWIFT has been working on several other fronts to help banks continually upgrade their information security capabilities against the evolving and increasing threat of cyber-crime. Key priorities include enhancing the security features of existing products and services, expanding SWIFT’s suite of security-focused solutions, and providing a forum for cyber-risk information-sharing and analysis.
To minimise security risks when interacting with counterparts, SWIFT continues to invest in its core Relationship Management Application to prevent unauthorised receipt of transactions over the SWIFT network. As outlined in the accompanying compliance article, Payments Controls and Daily Validation Reports provide banks with the information and control to quickly identify and block attempts by cyber-criminals to initiate or interfere with payment flows. In parallel, SWIFT is helping banks to strengthen security through sound market practice, for example by publishing a recent white paper, ‘Mitigating fraud risk through strengthened payment operations’.
To stimulate better understanding of the fast-changing nature of cyber-security attacks, SWIFT has launched its Information Sharing and Analysis Center (ISAC). The portal enables SWIFT users to review and share information derived from investigations by SWIFT’s dedicated customer security intelligence team into customer incidents. Published on an anonymized basis, information, including the modus operandi and indicators of compromise relating to previous attacks, can contribute to the ongoing improvement and updating of SWIFT users’ own controls and procedures. In addition to ISAC, SWIFT users can discuss incidents and best practice with the intelligence team via a 24/7 hotline.
Moreover, as Gilderdale notes, Sibos 2017 itself represents an opportunity to share and compare experiences. “As well as talking to peers and attending the many sessions dedicated to tackling cyber-security threats, I would encourage delegates to seek out the presentations aimed at explaining SWIFT’s current and future plans for CSP. SWIFT is dedicated to protecting its network and its members, and contributing to the industry-wide fight against cyber-crime,” he says.