Cybersecurity guide made available as 94% of SWIFT customers meet attestation deadline
SWIFT today publishes a new guide to assist financial institutions in assessing levels of cybersecurity risk in their counterparties and incorporating this into their risk management frameworks. The publication, which sets out guidance for customers looking to consume their counterparty’s attestation data, comes as 94% of all SWIFT customers, representing 99% of SWIFT’s traffic, met the 31 December deadline to submit their self-attestations against SWIFT’s Customer Security Controls Framework.
In addition to encouraging users to protect their own environments, a major focus of SWIFT’s Customer Security Programme is helping companies to assess the risks posed by counterparties and take appropriate mitigating action. This guide gives an overview of how users, particularly those with limited numbers of counterparties, can go about doing this within their existing cybersecurity risk management frameworks and allows them to put their counterparts’ attestation data to practical use within their own organisations.
The publication, Assessing Cybersecurity Counterparty Risk - A Getting Started Guide, is the latest product of SWIFT’s Customer Security Programme (CSP), through which the co-operative aims to promote best practice in security among SWIFT’s thousands of users worldwide.
Though relevant to all financial institutions, the guide is primarily intended for use by small and medium-sized organisations with relatively few counterparties, and correspondent banks that act as intermediaries between originating payers and end beneficiaries.
The guide provides practical but non-binding information and recommendations, including on how to:
- Establish a governance model
- Establish a cybersecurity risk management framework
- Adopt cybersecurity risk countermeasures
“Through the CSP, we work to promote strong cybersecurity standards in the financial services industry – asking our users to consider their own organisations, their counterparties and the wider community. The launch of this guide is a natural continuation of those efforts”, said Brett Lancaster, Global Head of Customer Security, SWIFT.
The guidance will assist customers in incorporating counterparties’ cybersecurity attestations against SWIFT’s Customer Security Controls Framework (CSCF). The CSCF establishes a security baseline of mandatory and advisory controls for the entire user community, against which SWIFT users are required to self-attest their compliance on an annual basis. The controls are reviewed every twelve months, and customers had until 31 December 2018 to attest their compliance against the applicable controls – a deadline which 94% of customers met.
Attestations are published and managed through the KYC-Security Attestation (KYC-SA) application provided by SWIFT, a tool through which customers are able to exchange attestation data with their counterparties by mutual agreement through ‘requesting’ and ‘granting’ access. This allows institutions to assess counterparty risk, and then make counterparty risk decisions based on the attested compliance levels. This attestation data is rich in information and a unique source of cybersecurity counterparty risk data.