Fighting Cybercriminals With The Updated SWIFT CSP

In recent years, sophisticated cybercriminals have managed to compromise several banks' computer networks, learn their payment processes, and gain access to the relevant IT credentials—ultimately being able to send fraudulent payment instructions over the SWIFT financial messaging network.

The worst case so far was in 2016, when thieves successfully stole over US$81 million from a South Asian central bank. More banks have unfortunately fallen victim to similar attacks in 2017 and 2018.

This challenging cyber threat landscape has led SWIFT to launch the Customer Security Programme (CSP) which intends to help its user community increase its cyber defences by implementing specific security requirements.

In Luxembourg, the local supervisory bodies have recommended to the members of the local association of SWIFT users to seriously consider the adoption of the CSP and its framework to protect their SWIFT systems.

What are the requirements?

The security requirements to be implemented are set forth in the SWIFT Customer Security Controls Framework (CSCF), which specifies detailed implementation guidelines. At a high level, the requirements can be described as follows:

It should be noted that the CSCF was recently updated ("v2019", published in August 2018) in order to:

- raise the bar by (i) making three of the advisory controls mandatory and (ii) creating two new advisory controls
- provide additional guidance and clarify a number of existing controls
- align with users' reality by taking into account valid alternative implementations

This update will come into force next year, and users will be required to self-attest their compliance for the first time by the end of 2019.

What must a user do to comply?

SWIFT users should perform an annual assessment of their security environment against the CSCF requirements (unless material changes occur). This assessment can be one of the following:

- self-assessment
- advisory review by an external firm
- advisory review by an internal auditor
- audit by an external auditor
- audit by an internal auditor

Once the assessment has been completed, SWIFT users need to report their compliance status to SWIFT via the KYC Registry Security Attestation Application; this reporting process is referred to by SWIFT as "self-attestation".

What if a user does not comply?

Failure to submit self-attestation is visible to all counterparties

Details of a user's compliance with individual...
