What is the Customer Security Program (CSP)?
In 2016, the biggest robbery in banking history was carried out by cyber attackers who broke into the systems of the Bangladesh Central Bank. The transaction instructions totalled $951M, of which the Federal Reserve Bank of New York processed $101M. In response to this incident, SWIFT acted in 2017 and published the Customer Security Program (CSP) to help its customers fortify their cyber security systems and defence mechanisms against cyber attacks. The aim is to ensure that the security measures applied by member financial institutions are up to date, effective and strong enough. The Customer Security Controls Framework (CSCF) was introduced together with the Customer Security Program (CSP) in 2017. Customers are expected to use the CSCF as the reference when implementing security measures, and they are required to attest their level of compliance yearly.
As the cyber world and its threats have evolved, the CSP and CSCF have evolved accordingly over the years.
The evolution of the Customer Security Programme (CSP)
When the CSP was first introduced in 2017, it comprised 16 mandatory and 11 optional controls against which SWIFT customers were expected to self-attest annually. The scope of the CSCF has since expanded with the introduction of new controls, definitions and clarifications. Version 2021 of the Customer Security Controls Framework (CSCF) was released in July 2020 and includes 22 mandatory and 9 optional security controls.
Additionally, SWIFT introduced a new requirement for 2021: the annual attestation must be supported by an independent assessment, performed either externally by an independent third party with valid experience in cybersecurity evaluation, or internally by a licensed second or third line of defence such as the compliance office, risk office or internal audit. If a SWIFT customer fails to complete the independent assessment, SWIFT is entitled to notify its counterparties and report the failure to the regulators.
v2021 vs. v2020: Customer Security Controls Framework (CSCF)
The 2020 version of the SWIFT Customer Security Controls Framework (CSCF) was originally planned for implementation in 2020; however, due to the COVID-19 outbreak, it was postponed to 2021. CSCF v2021 was therefore created by making additions and small changes to v2020, so that SWIFT customers have an easier transition from previous CSCF versions to the latest one. The four main alterations are as follows:
- Upgrade of control 1.4 (Restriction of Internet Access) from an optional (advisory) control to a mandatory control.
- Clearer definition of the guidelines and scope, especially for connectors.
- Introduction of a new architecture type, A4, which mainly separates users that depend on SWIFT connectors from those relying on customer connectors.
- Changes based on user suggestions integrated into controls 1.1, 2.9A, 6.1, 6.5A and 7.4.
Introduction of a New Architecture Type: A4
Before the introduction of architecture A4 in 2021, SWIFT users were classified under architecture B if the applications they used depended on connectors related to SWIFT, i.e. components carrying a SWIFT footprint such as an MQ server, an SFTP server or a customer API endpoint. As of 2021, these cases fall under the new architecture type A4. Some users may still be categorized as architecture B if they use a Graphical User Interface (GUI) application to access the SWIFT messaging services, or if their back-office applications use an API client or a middleware client to communicate directly with each other.
3 Main Points to Elaborate on for a Successful SWIFT CSP Compliance
- Independent assessment: When choosing the external third party to perform the independent assessment of compliance with SWIFT's CSP, it is crucial to analyze your institution's internal resources well and to select the external party based on your needs as well as its level of expertise and experience with cybersecurity controls. Once that is clear, an external party can be engaged either to operate the whole assessment independently, using the assessment report templates prepared by SWIFT, ISAE 3000 or an equivalent standard, or to support the internal risk management, compliance or internal audit teams with the necessary information or experts.
- Architecture of your institution: Analyze and review your institution's architecture and determine whether your CSP implementation is to be categorized as architecture A4 or B.
- Timing of the assessment: The deadline set by SWIFT for attestation and independent assessment is 31 December 2021. There are still almost two quarters (Q3 and Q4) available to complete the assessment and achieve compliance. Institutions that use this time wisely and conduct a gap assessment will be able to act in good time and ensure compliance based on the results of their independent assessments.
The Customer Security Programme (CSP) of SWIFT has contributed greatly to the fight against cybercrime since 2017. The CSP and CSCF support financial institutions in strengthening their cybersecurity measures, even though the requirements for remaining compliant have become more demanding and challenging as of 2021. The new requirements introduced in CSCF v2021 aim to protect institutions that remain vulnerable to cyber attacks as threats evolve every day. It is essential for SWIFT customers to plan ahead and take the necessary actions in time for the implementation of CSCF v2021, and to perform the independent assessment, which is mandatory for 2021.
Necati Yavaş, Sales and Business Development Director