With a three-fold drop in funds targeted by attackers recorded in the past four years, the SWIFT Customer Security Programme (CSP) continues to deliver significant results. But the fight’s far from over. From attesting your CSP compliance to organising an independent assessment, here’s what you need to do to keep your systems safe in 2021.
By last year’s December 31 deadline, 89% of our customers, representing over 99% of SWIFT traffic, attested to their compliance with the cybersecurity controls mandated by the Customer Security Controls Framework (CSCF), a key aspect of our Customer Security Programme.
“We are grateful to our community of over 11,000 institutions for implementing the controls set out in CSCF v2019,” said Brett Lancaster, Head of the Customer Security Programme at SWIFT. “The 89% attestation rate is an amazing achievement, especially when you consider that due to the Covid-19 pandemic many institutions were forced to focus on business continuity and, in some cases, put IT and other process changes on hold.”
A cornerstone of the SWIFT community’s cyber defences, the CSCF defines mandatory and advisory controls for customers to implement in their local environments to protect against existing and emerging cyber threats. The framework, introduced in 2017, aims to continuously raise the bar on security across the SWIFT community.
And it’s working.
“Over the past four years, we have been blown away by how the community has come together to stand strong against the growing and evolving cyber threat through our Customer Security Programme,” said Lancaster.
The programme is delivering tangible results as the annual figure for funds targeted by attackers dropped by a factor of three in 2020 compared to 2016, and we now recover the vast majority of funds targeted by attackers.
“That said, this journey will never be over, so it’s vital that all customers continue to work closely with SWIFT as we strengthen our cyber defences further with the implementation of CSCF v2021 and independent assessments.”
What you need to do in 2021
The CSCF v2021 has a number of additional requirements and includes 22 mandatory and nine advisory controls to which customers need to attest. These were announced in 2020 for attestation and compliance by end of 2021.
Two controls, 1.3 and 2.10, listed as advisory in 2019, were already elevated to mandatory in CSCF v2020. For CSCF v2021 one additional control, 1.4, was promoted to mandatory. These promotions aim to protect critical interface components, and critical systems where virtualisation is increasingly used, by reducing their potential vulnerabilities.
The CSCF v2021 will become effective in the KYC-SA, the online repository for customer attestations, in July 2021.
All CSP controls are mapped to top industry standards including the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) framework, and the ISO/IEC 27001 model. By aligning with a set of common principles, organisations participating in the CSP can increase efficiency, reduce costs and ensure a robust infrastructure.
New for 2021: Independent assessments required
Furthermore, to enhance the overall integrity of attestations across customers, all submitted attestations for CSCF v2021 must be supported by an independent assessment.
The independent assessment may be performed by internal or external resources, or a team comprising both. An internal independent assessor is typically the second or third line of defence (e.g. risk office or internal audit respectively) or their functional equivalent within a company.
The assessment should include a review of existing controls and their efficiency, and a confirmation that they support the customer’s compliance with the CSP control objectives. The requirement is limited to an assessment and is not an audit, so it involves less cost and time.
To help support you, we have created a directory of CSP assessment providers. In listing firms we have taken into account criteria including: cyber security services experience and credentials; strategic focus on cyber security services; and good reputation and commitment to customers in the financial industry. Access the directory on swift.com. Please note that you can opt to contract with other providers that are not featured in this directory.
By when do you have to attest?
The deadline for attesting compliance against the CSCF v2021, and for providing an independent assessment of attestation, is 31 December 2021.