21 February 2018

Moving Ahead with the Attestation Framework: People Risks in Cyber Security

Insider threats have been a major risk to governments and organisations around the world for many years - ENISA Threat Landscape Report 2017

We were pleased to report the significant number of SWIFT customers who had attested their level of compliance with the mandatory security controls by the 31 December 2017 deadline.  While the near total level of completed attestations demonstrates the seriousness with which the financial industry is taking the cybersecurity threat, and its willingness to provide transparency on cybersecurity, this is just a first step.

All SWIFT customers should now be working on two fronts: absorbing the attestation information received from their counterparts and building it into their risk assessments, and closing any gaps in their own compliance with the mandatory controls. All customers will have to re-attest against the controls by the end of this year, confirming their compliance with all mandatory controls.

SWIFT cyber security

Compliance is not a silver bullet in ensuring you are cyber resilient.  Customers need to consider detection and response in addition to securing and protecting their environment.  These best practices should be applied not only to the SWIFT infrastructure but the full end-to-end transaction eco-system within their firms, including payments, securities trade and treasury.

SWIFT continues to share insights on Modus Operandi and Indicators of Compromise, but we also continue to see the same basic pattern. First, the customer's local environment is compromised; second, valid operator credentials are obtained and used. In protecting against these two critical first steps, customers must consider insider as well as outsider threats. The attacks will not necessarily be perpetrated by remote outsiders; malicious insiders present just as much risk.

The controls address the weaknesses that enable this risk: a lack of user privilege segregation (Control 1.2); missing transaction business controls (Control 2.9A); poor password policies (Control 4.1); inadequate logical access controls based on need-to-know, least privilege, and segregation of duties (Control 5.1); and shortcomings in personnel vetting (Control 5.3A). These controls should apply throughout the organisation, ensuring that no access permissions or privileges are unintentionally granted to persons or business areas.

The SWIFT Institute, in conjunction with market leaders, has published a number of research papers on this topic, which can be found at http://www.swiftinstitute.org/papers/

Once they have obtained valid credentials, attackers (or insiders) can submit fraudulent messages and subsequently attempt to hide the evidence. Here users need to implement measures for both prevention and detection. This includes transaction business controls (Control 2.9A) such as RMA and reconciliations, which can leverage Daily Validation Reports (DVR) and the Payment Control Services that will launch later this year. Ensuring that you have implemented appropriate back-office data flow security (Control 2.4A) and that you have integrated with your back-office core banking system, treasury system or the like is also key to prevention and detection.
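As an added illustration (not SWIFT's own code or tooling) of the reconciliation described above, the Python below compares constructed back-office payment instructions with the records of what the messaging interface actually sent, and flags messages with no originating instruction, messages whose fields differ from the instruction, and instructions that never went out. The `Payment` fields, the transaction references and the BICs are all constructed for the example.

```python
from dataclasses import dataclass, fields
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ref: str           # transaction reference shared by both systems (assumed unique)
    currency: str
    amount: Decimal
    beneficiary: str   # receiving institution BIC (constructed values below)


# Constructed sample data: what the core banking / treasury system instructed ...
BACK_OFFICE = [
    Payment("TRN0001", "USD", Decimal("150000.00"), "BANKXXYY"),
    Payment("TRN0002", "EUR", Decimal("42000.00"), "BANKZZWW"),
    Payment("TRN0003", "GBP", Decimal("9800.50"), "BANKAABB"),
]
# ... and what the messaging interface actually sent, as it would appear in a
# daily validation report or the interface's own journal.
SENT = [
    Payment("TRN0001", "USD", Decimal("150000.00"), "BANKXXYY"),
    Payment("TRN0002", "EUR", Decimal("420000.00"), "BANKZZWW"),   # amount altered
    Payment("TRN0004", "USD", Decimal("2750000.00"), "BANKQQRR"),  # no instruction
]


def reconcile(back_office, sent):
    """Return findings keyed by type; an empty dict means the day reconciles cleanly."""
    expected = {p.ref: p for p in back_office}
    actual = {p.ref: p for p in sent}
    findings = {"unauthorised": [], "altered": {}, "unsent": []}
    for ref, msg in actual.items():
        if ref not in expected:
            # Sent with valid credentials but never instructed by the back office.
            findings["unauthorised"].append(ref)
            continue
        # Field-by-field comparison of the instruction against what was sent.
        diffs = {f.name: (getattr(expected[ref], f.name), getattr(msg, f.name))
                 for f in fields(Payment)
                 if getattr(expected[ref], f.name) != getattr(msg, f.name)}
        if diffs:
            findings["altered"][ref] = diffs
    # Instructed but not sent: usually operational, still worth a look.
    findings["unsent"] = sorted(set(expected) - set(actual))
    return {kind: detail for kind, detail in findings.items() if detail}


if __name__ == "__main__":
    for kind, detail in reconcile(BACK_OFFICE, SENT).items():
        print(kind, detail)
```

The comparison assumes each transaction reference appears at most once on each side; a duplicated reference in the sent records is itself a finding and would need a count-based check.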

Finally, and as indicated above, users should be incorporating their counterparties' attestation data into their risk management and business decision-making processes, alongside other risk considerations such as KYC, sanctions and AML. Use of the KYC Registry Security Attestation Application (KYC-SA) gives organisations an opportunity to be transparent about their attestation status, which should increase the trust and confidence of their counterparts. The transparency provided by this counterparty data exchange is driving attestation and compliance with the controls, as institutions seek to demonstrate their cybersecurity to their counterparties.
