
SWIFT CSP 2022

08 June 2022
Introduction

Banking information is some of the most important information to keep private. That is why
recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial
Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the
factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF)
as well as address SWIFT dependencies and ultimately disrupt through innovation.

Agenda

SWIFT CSP compliance Deloitte global benchmark;

Basics of the SWIFT CSP;

Independent assessment and its challenges;

SWIFT CSP trends;

SWIFT-related infrastructure in the cloud;

Q&A.

© 2022. For information, contact Deloitte & Associados, SROC S.A. SWIFT Customer Security Program (CSP)
Speakers:

João Frade, Partner, Deloitte Portugal
Michal Zavodny, Senior Manager, Deloitte Belgium
Filipe Silva, Senior Manager, Deloitte Portugal
Filipe Morais, Manager, Deloitte Portugal

SWIFT CSP 2022

SWIFT CSP 2021 Benchmark

SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs (A1 – A3)

CSP compliance with mandatory controls (pie charts):

Initial Assessment: Compliant 27,59%; Non-compliant 72,41%
Final Assessment: Compliant 58,62%; Non-compliant 41%

SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs (A4 and B-Type)

CSP compliance with mandatory controls (pie charts):

Initial Assessment: Compliant 27,78%; Non-compliant 72,22%
Final Assessment: Compliant 67%; Non-compliant 33%

SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs

Compliancy per control in the Final Assessment for A1-A3 types (bar chart; the y-axis runs from 0% to 60% and each bar is split into Non Compliant, Minimum Compliant and High Maturity Compliant). Controls shown:

1.1 SWIFT Environment Protection
1.2 Operating System Privileged Account Control
1.3 Virtualisation Platform Protection
1.4 Restriction of Internet Access
2.1 Internal Dataflows
2.2 Security Updates
2.3 Systems Hardening
2.6 Operator Session Confidentiality and Integrity
2.7 Vulnerability Scanning
2.10 Application Hardening
3.1 Physical Security
4.1 Password Policy
4.2 Multi-factor Authentication
5.1 Logical Access Control
5.2 Token Management
5.4 Physical and Logical Password Storage
6.1 Malware Protection
6.2 Software Integrity
6.3 Database Integrity
6.4 Logging and Monitoring
7.1 Cyber Incident Response Planning
7.2 Security Training and Awareness

SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs

Compliancy per control in the Final Assessment for A4/B-types (bar chart; the y-axis runs from 0% to 60% and each bar is split into Non Compliant, Minimum Compliant and High Maturity Compliant). Controls shown:

1.4 Restriction of Internet Access
2.2 Security Updates
2.3 Systems Hardening
2.6 Operator Session Confidentiality and Integrity
3.1 Physical Security
4.1 Password Policy
4.2 Multi-factor Authentication
5.1 Logical Access Control
5.2 Token Management
5.4 Physical and Logical Password Storage
6.1 Malware Protection
6.4 Logging and Monitoring
7.1 Cyber Incident Response Planning
7.2 Security Training and Awareness

SWIFT CSP 2022

SWIFT Customer Security Programme evolution

2017 / 2018: 27 controls (16 Mandatory + 11 Advisory). Self-attestation of compliance by 31 Dec 2017.

2019: 29 controls (19 Mandatory + 10 Advisory). Self-attestation of compliance by 31 Dec 2019 for 2019, and by 31 Dec 2020 in 2020.
• In June 2020, SWIFT postponed the need to support the self-attestation by an independent assessment to 2021.
• The v2019 framework can also be used for the 2020 self-attestation.

2020: 31 controls (21 Mandatory + 10 Advisory). Compliance by 31 Dec 2020.

2021: 31 controls (22 Mandatory + 9 Advisory). Compliance by 31 Dec 2021. Community standard assessment by 31 Dec 2021.
• Self-attestation must be completed between June and December and is then valid till the end of the following year.
• Self-attestation must be supported by an independent external or internal assessment.

2022: 32 controls (22 Mandatory + 10 Advisory). Compliance by 31 Dec 2022. Community standard assessment by 31 Dec 2022.
• Self-attestation must be completed between June and December and is then valid till the end of the following year.
• Self-attestation must be supported by an independent external or internal assessment.

SWIFT Customer Security Programme

(Diagram: the independent assessor assesses the controls using the framework; the SWIFT user performs the self-attestation.)

SWIFT user (BIC owner)
The BIC owner must perform a self-attestation every year by 31 December for all mandatory controls. The KYC portal on swift.com is open as of 1 July.

Independent assessment
The self-attestation must be supported by an external or internal independent assessment (independent from the 1st level). Assessment results:
- completion letter
- formal report

Point in time
The self-attestation (and also the supporting independent assessment) is sufficient as a point-in-time view.

Non-compliant self-attestation
A self-attestation that is not supported by an independent assessment, or that does not comply with all controls. This is visible via KYC or can be requested via KYC (in case of opt-out).

Framework
A SWIFT-specific framework with 5 architecture types based on SWIFT-related architectures. The SWIFT user must meet the control objectives (taking into account the implementation guidelines).

Scope of the assessment – architecture types

(Diagram; only the labels are recoverable from the extracted text.) Architecture types shown: A1 type, A2 type, A3 type, A4 type and B type. Components labelled in the diagram: General Enterprise, Service provider, Back office system I, II and III, Middleware, Messaging interface, Communication interface, Client connector, Customer connector, SWIFT connector, SWIFTnet, SWIFT operators, General operator PCs, Administrators, Jump server, Firewall, Switches/routers, IDS, Anti-malware, SIEM, VA, Identity management, MFA server, GUI, Operating System, Virtualization, (extended) secure zone, Secondary site.

Legend: In scope; Out of scope; Advisory components; Supporting components.

The 2022 SWIFT CSP update and its impact

Changes to the 2022 CSCF version

01 New control 1.5A
The new (advisory) control 1.5A was added to the framework: Customer Environment Protection. Point of attention: this control will become mandatory in the v2023 CSCF.

02 Control 2.9 Transaction Business Controls
Advisory control that became mandatory in the v2022 CSCF.

03 Significant scope change for A4 architecture
The "customer connector" is now a mandatory component for the A4 architecture type. There is a significant number of controls (1.2; 1.3; 1.4; 2.2; 2.3; 2.6; 2.7; 3.1; 4.1; 4.2; 5.1; 5.4; 6.1; 6.3 and 6.4) that need to be assessed for the customer connector at application level and for the underlying operating system and virtual platform.

04 Changes in the scope of the existing controls
In the case of 1.2 System Privileged Account Control, the scope was increased and two components were added: Dedicated Operator PC and Network devices protecting the secure zone.

The 2022 SWIFT CSP update and its impact

01 Significant scope increase for architecture A4

Customer Connector Definition: the customer connector includes generic file transfer solutions or local middleware systems implementations, such as an IBM® MQ server, used to facilitate communication with SWIFT-related components offered by a service provider.

Additionally, the customer connector is now considered a mandatory in-scope component for the following controls: 1.2; 1.3; 1.4; 2.2; 2.3; 2.6; 2.7; 3.1; 4.1; 4.2; 5.1; 5.4; 6.1; 6.3 and 6.4.

(Diagram; labels only.) General Enterprise: SWIFT operators, General operator PCs, Back office system, Customer connector, Operating System, Virtualization. Service provider: Back office, Messaging interface, Communication interface, SWIFTnet. Legend: In scope; Out of scope; Advisory components.

The 2022 SWIFT CSP update and its impact

02 New control 1.5A – Applicable for A4 architecture

The new (advisory) control 1.5A was added to the framework: Customer Environment Protection. With control 1.1 as the basis, this control focuses mainly on the A4 architecture type in order to improve the security of customer connectors used for SWIFT messaging. Customers are advised to place their customer connector inside an existing secure zone or to create a new Customer Secure Zone.

(Two diagrams, one per option; labels only.) General Enterprise: SWIFT operators, General operator PCs, Dedicated operator PCs, Customer protected environment, Firewall, Switches/routers, Jump server, Back office system, Middleware server, Customer connector, Operating System, Virtualization, 4.2 - MFA. Service provider: Back office, Messaging interface, Communication interface, SWIFTnet. Legend: In scope; Out of scope; Advisory components.

SWIFT CSP 2022

Independent assessment and its challenges

Keys to successful independent assessments
Delivering an efficient assessment without compromises on quality.

Challenge: Constant changes of the CSP assessment scope.
Key: Perimeter and components. List of formally approved SWIFT CSP perimeter and components in scope throughout the engagement, also in case new CSP components are identified.

Challenge: Inefficient assessment of controls.
Key: Controls type mapping. Understanding of the controls' nature (centralized, decentralized, components based) and adjusted assessment.

Challenge: Assessment is performed as an audit using checklists.
Key: Assessment against control objectives. Controls implemented are assessed against the control objectives of the framework.

Challenge: Insufficient time for gaps remediation.
Key: Early gaps notification. Key stakeholders are notified about any identified gaps against control objectives and the confirmation process is triggered. Remediated gaps are re-tested.

Throughout the engagement:
Quality Assurance: Delivering high quality is key for us. Senior team members will perform QA reviews.
Project Management: Giving clients the opportunity to focus on their business.

List of common control failures identified by Deloitte
Below is the list of the most common control failures that we identified during the assessments against the SWIFT CSCF (7 common pitfalls):

1. Re-use of enterprise network
• SWIFT components are placed in one corporate network.
• A SWIFT subnet was created but the enterprise firewall is used to protect it.

2. Reliance on corporate identity systems
• Corporate identity management is used also for SWIFT components.
• The firewall protecting the secure zone relies on enterprise identity management.
• Single sign-on to the jump server is reliant on enterprise identity management.

3. Data flow protection
• Confidentiality, integrity, and (authenticity) of data flows not protected.
• SWIFT Tip not considered.

4. 4-eyes principles compliance
• Sensitive permissions are not separated to prevent by-passing the 4-eyes principle.
• 4-eyes principles not considered for SWIFT certificates (security officers).

5. Different level of control
• The same level of controls is not applied across all technologies and components.

6. Non-compliant multi-factor authentication
• Multi-factor authentication is not enforced, or not at the right stage.
• Multi-factor authentication incorrectly designed.

7. Access to secure zone
• Operating systems are accessed directly without the use of a jump server (in case of general operator PC).

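As an added illustration of the last pitfall (this is not from the deck), the check below runs over constructed sshd auth log lines from secure-zone hosts and flags every successful login whose source is not the jump server, which is the evidence an assessor or a SOC would look for when testing direct access into the secure zone. Host names, addresses and the jump-server list are assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample sshd auth log lines (hypothetical hosts and addresses).
SAMPLE_AUTH_LOG = """\
Jun 08 09:12:01 swift-mi-01 sshd[2211]: Accepted publickey for opsadmin from 10.20.0.5 port 51022 ssh2
Jun 08 09:15:44 swift-mi-01 sshd[2290]: Accepted password for opsadmin from 10.50.3.17 port 49001 ssh2
Jun 08 09:20:10 swift-ci-01 sshd[1180]: Accepted publickey for root from 10.20.0.5 port 51100 ssh2
Jun 08 09:31:07 swift-ci-01 sshd[1201]: Failed password for root from 10.50.3.17 port 49050 ssh2
Jun 08 09:40:52 swift-ci-01 sshd[1235]: Accepted keyboard-interactive/pam for swiftop from 10.50.9.8 port 40210 ssh2
Jun 08 09:45:00 hr-files-02 sshd[7001]: Accepted password for jdoe from 10.50.3.17 port 49100 ssh2
"""

JUMP_SERVERS = {"10.20.0.5"}                        # assumed: the only sanctioned entry point into the secure zone
SECURE_ZONE_HOSTS = {"swift-mi-01", "swift-ci-01"}  # assumed: messaging and communication interface hosts

# Matches only successful sshd logins; failed attempts are not a bypass.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


class Finding(NamedTuple):
    ts: str
    host: str
    user: str
    src: str
    method: str


def find_jump_server_bypasses(log_text: str,
                              jump_servers=JUMP_SERVERS,
                              secure_zone_hosts=SECURE_ZONE_HOSTS) -> List[Finding]:
    """Return successful logins to secure-zone hosts whose source is not a jump server.

    Hosts outside the secure zone are ignored: the rule only governs the
    secure-zone operating systems (pitfall 7, 'Access to secure zone')."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["host"] not in secure_zone_hosts:
            continue
        if m["src"] not in jump_servers:
            findings.append(Finding(m["ts"], m["host"], m["user"], m["src"], m["method"]))
    return findings


if __name__ == "__main__":
    for f in find_jump_server_bypasses(SAMPLE_AUTH_LOG):
        print(f"{f.ts} {f.host}: {f.user} from {f.src} ({f.method}) bypassed the jump server")
```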
SWIFT CSP 2022

SWIFT CSP trends

SWIFT CSP trends

• Regulator interest: increased importance of CSP compliance.
• Automation.
• Un-isolation.
• Cloud: use of cloud-based solutions; SWIFT infrastructure in the cloud.

SWIFT CSP 2022

CSP Infrastructure in the cloud

CSP Infrastructure in the cloud

SWIFT CSP 2022

Q&A

Main team contacts

João Carlos Frade, Partner, Deloitte Portugal
+351 966 304 388
jfrade@deloitte.pt
João has been a partner since 2004, with experience in Internal Control, Internal Audit, Sustainability and Enterprise Risk. João leads the IT Specialists team in Portugal and is responsible for several projects applying risk management models and 27001 standards.

Bert Truyman, Partner, Deloitte Belgium
btruyman@deloitte.com
Bert is a partner in Risk Advisory with 20 years of experience in the evaluation of business processes and complex IT environments. Bert leads the Assurance group, which provides IT Audit, Third party assurance, Risk & Controls, and compliance services.

Michal Zavodny, Senior Manager, Deloitte Belgium
mzavodny@deloitte.com
Michal is Deloitte's SWIFT CSP Initiative lead and has led more than 100 SWIFT Customer Security Programme assessments across the globe for various clients: central banks, structurally important banks and international institutions.

"Deloitte" refers to one or more of the member firms and their related entities of the global network of Deloitte Touche Tohmatsu Limited ("DTTL"). DTTL (also referred to as "Deloitte Global") and each of its member firms are legally separate and independent entities, which do not obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity are liable only for their own acts and omissions, and not those of the others. DTTL does not provide services to clients. For more information, see www.deloitte.com/pt/about.
Deloitte is a leading global provider of audit & assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms spans more than 150 countries and territories and serves four out of five Fortune Global 500® companies. To learn about the positive impact made by Deloitte's more than 345,000 professionals, see www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms or their related entities (collectively, the Deloitte network) is, by means of this communication, rendering advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional. No representations or warranties (express or implied) are given as to the accuracy or completeness of the information in this communication, and DTTL, its member firms, related entities or employees shall not be liable for any loss or damage arising from actions based on this communication. DTTL and each of its member firms are separate and independent entities.
