Professional Documents
Culture Documents
Reinforcing
the security
of the global
financial
community
In 2016, SWIFT introduced its Customer Security
Programme (CSP) – a dedicated programme to
While each individual
40% Cyber is the
second most
support customers in reinforcing the security of their
SWIFT customer is increase in
SWIFT-related infrastructure. The CSP addresses responsible for the cyber-attacks reported
three key aspects: the security and protection of security of its own
targeting economic
customers’ local environments, preventing and environment, the
financial crime affecting
detecting fraud in their counterparty relationships, security of the global
and working together as a community to prevent community can only be institutions organisations
ensured collectively. It
future cyber-attacks. This programme includes
requires a collaborative in 2016
the introduction of mandatory customer security
41%
approach between
controls, new services to help customers prevent SWIFT, its customers,
and detect fraudulent activity, and community-wide overseers and third
information sharing initiatives to strengthen defences party suppliers. SWIFT of financial
is fully committed to
through the exchange of intelligence information.
leading the community institutions
While there is no indication that SWIFT’s network or
effort required to consider cyber
core messaging services have been compromised,
keep global banking
safe, and deploying
as one of the
as a global cooperative, SWIFT is committed to its knowledge and top three risks
playing a significant role in support of its customers expertise to help affecting their
customers in the fight
and community.
against the persistent
institution over
threat of cyber-attacks. the next two
Gottfried Leibbrandt years
CEO, SWIFT
2 3
CSP Objectives
You Your Counterparts Your Community
A fundamental message of the CSP is Even with strong security measures in The financial industry is global, and
for your organisation to secure its own place, attackers are very sophisticated so are the cyber challenges it faces.
local environment, including the physical and it is vital to manage security risks in Attackers can rapidly scale and replicate
set-up of your local SWIFT-related your counterparty relationships so that fraud worldwide, so constant vigilance
The CSP is articulated around three mutually infrastructure. It is also about putting in
place the right policies and practices to
you can minimise the risk if your own, or
your counterparty’s institution is breached.
is of the highest importance. We remind
all customers that it is vital to share all
reinforcing areas. Customers first need to secure avoid cyber-related fraud. Breaches in Strong prevention and detection relevant information and to inform SWIFT
local infrastructure have been a common measures are necessary alongside the if there is a problem linked to your SWIFT-
and protect their local environment (You), prevent starting point for known cyber-attacks. foundations of good security practices in related infrastructure – this is a contractual
your organisation. obligation for all SWIFT users.
and detect fraud in their commercial relationships
(Your Counterparts) and continuously share
information and prepare against future cyber-
threats in collaboration with others (Your
Community).
You
The sooner you contact us, the more SWIFT provides anonymised
likely we may be able to help to minimise information on known attacks, including
the community-wide impact of an attack. indicators of compromise and modus
If you have concerns, you can contact our operandi. We make this available to all
Your Community
Your Counterparts customer support teams worldwide, 24/7. users via the SWIFT ‘Information Sharing
and Analysis Center’ (ISAC) global portal.
www.swift.com/contact-us/support www2.swift.com/isac
4 5
SWIFT Customer Security Controls Framework
You To create a security baseline for the global financial community, SWIFT has introduced a
set of core security controls that all users must meet to secure their local SWIFT-related
infrastructure. Detailed security controls (16 mandatory and 11 advisory) have been
Secure and Protect published, and documentation is available in the CSP section of the User Handbook on
swift.com. All controls have been defined by SWIFT and industry experts and are articulated
around three overarching objectives: ‘Secure your Environment’, ‘Know and Limit Access’,
and ‘Detect and Respond’. The control definitions are in line with existing information
security industry standards, and are product-agnostic.
6 7
Customer Security Controls Framework and Attestation Process Key Milestones
What practical steps should your What is the purpose of the customer What about viewing the compliance
2017 2018
organisation take to comply with the security attestation process? status of my own counterparts?
mandatory security controls? Through the attestation process, SWIFT is You are free to submit requests to view H1 H2
Please read and take time to understand increasing the overall level of transparency the attestation data of your counterparts.
the SWIFT Customer Security Controls on cyber security among users of the Customer Security Controls
Framework documentation and the SWIFT network. This information can help you determine if Framework Customer Security Controls Framework operational
Customer Security Controls Policy that you are comfortable doing business from
outlines the related attestation process. Your organisation needs to self- a cyber risk management perspective,
attest its level of compliance with the and to identify any additional measures
Throughout 2017, SWIFT is conducting mandatory security controls by 31 you may want to put in place to enhance
Community Engagement
customer security work sessions December 2017. the security of that business relationship.
Customer Security Work Sessions
and webinars worldwide to support
customers in understanding the You should already be preparing to use
How do you get started? this information in your organisation’s
requirements of the Framework and
In July, SWIFT opened the KYC Registry daily risk management processes.
related Attestation Process.
Security Attestation Application (KYC-SA) Self-Attestation
as the place to submit your attestation Follow-up actions by SWIFT Via KYC-SA Initial Self- Attestation On-going
You can also follow SWIFTSmart training
information. All SWIFT users can submit To support the effectiveness of the
modules related to the Framework.
their attestation data in this application. Customer Security Controls Framework,
You do not need to be a current user of SWIFT reserves the right to report to
SWIFT strongly encourages you to start
the KYC Registry. supervisors or others, as applicable,
a project to assess your current level of Right to inform local supervisors
compliance with the mandatory controls the names of users that fail to complete Of any supervised institution that has
A representative from your organisation their self attestation or fail to comply Inform local supervisors
that apply to your organisation. failed to submit an attestation
will be assigned to manage the process with all mandatory security controls by
of contributing your data. That assigned the relevant deadlines. Reporting to
Identify any gaps and create an action user will have access to further training to supervisors will start in 2018, and will
plan to close them as fast as possible ensure your data is submitted correctly. continue on an annual basis.
to help mitigate security vulnerabilities. Each organisation will also need to assign
an approver of the data – this should be a –– From January 2018, SWIFT
SWIFT Tools The aim of this upgrade is to continue
reserves the right to report users
8 9
There are a number of actions you can take to help manage security risk in your
relationships with your counterparts that will help prevent and detect fraud.
Your Counterparts
RMA Daily Validation Reports Market practice Payment Controls
A basic starting point is Consider subscribing to Daily Market practice has an SWIFT has announced it
to check that you are only Validation Reports. This service important role to play in will launch a new Payment
doing business with trusted is designed to help institutions handling counterparty Controls service to
10 11
Your Community
The financial industry is global, and so are
the cyber challenges it faces. What happens Steps to take
to one organisation in one location can be
replicated by attackers elsewhere, so it is
12 13
Get in touch with SWIFT
14 15
About SWIFT
SWIFT is a global member-owned
cooperative and the world’s leading
provider of secure financial messaging
services.
© SWIFT 2017
57303 - October 2017