SWIFT Customer Security Program (CSP) launched in 2016 in response to the sophisticated cyber attacks on SWIFT users, the Customer Security Program (CSP) seeks to pragmatically ‘raise the bar’ of cyber-security hygiene across all users, reduce the risk of cyber-attacks, and minimize the financial impact of fraudulent transactions. The CSP establishes a common set of security controls known as the Customer Security Controls Framework (CSCF) which is designed to help customers to secure local environments and to foster a more secure financial ecosystem.
The SWIFT CSCF consists of both mandatory and advisory security controls. Mandatory security controls establish a security baseline for the entire community and must be implemented by all users on local SWIFT infrastructure.
Financial institutions or organizations with a BICS must:
- Attest compliance against the mandatory (and optional advisory) security controls. SWIFT requests users to submit an attestation into the KYC Security Attestation (KYC-SA) application. By the end of each year (12/31), users must attest compliance against the mandatory (and optional advisory) security controls as documented in the CSCF effective at that time. Generally, a new version of the CSCF is published in July, listing the mandatory and advisory controls users must attest against (as of July of the following year when implemented in the KYC-SA). That is, users must attest between July 2022 and December 2022 against the security controls listed in the CSCF v2022 published in mid-2021.
- Conduct an independent assessment. The assessors can be:
- internal assessors, provided by the user’s second or third line of defense function (such as compliance, risk management, or internal audit) or its functional equivalent
- external assessors, provided by an independent external organization which has existing cyber security assessment experience, and individual assessors who have relevant security industry certification(s). Those assessors can be selected from the directory of CSP assessment provider
- a mixed assessors team composed of internal or external assessors is also an option.
However, are you aware that you may be able to use an independent assessment for up to 2 years? Knowledgebase Article 5022902 indicates that when re-attesting in KYC-SA application, you can still refer to an existing assessment (this is to reduce the costs for the attestation process) This re-use is under the following conditions:
(i) The assessor agrees on still referencing the assessment they have performed
(ii) The customer footprint under assessment has not undergone significant changes that invalidate the conclusions of the previous full assessment
(iii) The new CSCF does not include (i) new mandatory controls or (ii) changes to the controls that are not covered in the assessment
(iv) The full independent assessment is not older than two years (i.e. date of the completion of the assessment + 2 years; e.g. a review completed on the 30 June 2020, could be potentially reusable till 30 June 2022.
If condition (i) or (iv) is not met, then a full re-assessment is required.
If condition (ii) or (iii) is not met, then assessors can still conduct a ‘delta assessment‘ covering only changes to the components in scope of the assessment or to controls that have changed or been added since the last assessment. You will record only the start date and end dates of this delta assessment in the KYC Security Attestation.
Recommendations to perform your SWIFT CSP assessment efficiently and effectively includes:
- Ensuring all components for architecture in scope are clearly defined and inventories
- Include all back-up and disaster recovery environments
- Identify all individuals in scope for the assessment (e.g. Specific IT personnel in charge of end point protection, personnel that process SWIFT messages, cyber security personnel in charge of awareness and training, monitoring, etc.)
- Ensure current and accurate architecture diagrams are documented and available
- Once scope if fully defined, for each control in scope, evaluate the control in terms of the scope only and for each item in the scope where applicable
- If have limited time or budget only do mandatory controls
- Use the testing templates provided by SWIFT and at a minimum the high level test plan
If you are running out of time and need a helping hand Elevate can be your partner. We are found in the SWIFT registry of approved assessment providers and have performed many of these assessments for all architecture types.