08 June 2022
Introduction
Banking information is among the most important information to keep private. That is why the recent high-profile cyber-attacks on customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), address SWIFT dependencies and ultimately disrupt through innovation.
Agenda
Q&A.
© 2022. For information, contact Deloitte & Associados, SROC S.A. SWIFT Customer Security Program (CSP)
Speakers:
SWIFT CSP 2022
SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs (A1 – A3)
[Figure: two compliant vs non-compliant pie charts. Chart 1: 27.59% compliant, 72.41% non-compliant. Chart 2: 41% compliant, 58.62% non-compliant.]
SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs (A4 and B-Type)
[Figure: two compliant vs non-compliant pie charts. Chart 1: 27.78% compliant, 72.22% non-compliant. Chart 2: 33% compliant, 67% non-compliant.]
SWIFT Customer Security Programme Deloitte benchmark
Results based on more than 500 BICs
[Figure: bar chart of results by control (1.4, 2.2, 2.3, 2.6, 3.1, 4.1, 4.2, 5.1, 5.2, 5.4, 6.1, 6.4, 7.1, 7.2); y-axis 0% to 10%; per-control values not recoverable from the slide.]
SWIFT CSP 2022
SWIFT Customer Security Programme evolution
• 2017 (the same framework block is shown for 2018): 27 controls (16 mandatory + 11 advisory). Self-attestation of compliance by 31 Dec 2017.
• 2019: 29 controls (19 mandatory + 10 advisory). Self-attestation of compliance by 31 Dec 2019 for 2019, and by 31 Dec 2020 in 2020.
• 2020: 31 controls (21 mandatory + 10 advisory). Compliance by 31 Dec 2020. In June 2020, SWIFT postponed the need to support the self-attestation by an independent assessment to 2021. The v2019 framework can also be used for the 2020 self-attestation.
• 2021: 31 controls (22 mandatory + 9 advisory). Compliance by 31 Dec 2021; community standard assessment by 31 Dec 2021. Self-attestation must be completed between June and December and is then valid until the end of the following year. Self-attestation must be supported by an independent external or internal assessment.
• 2022: 32 controls (22 mandatory + 10 advisory). Compliance by 31 Dec 2022; community standard assessment by 31 Dec 2022. Self-attestation must be completed between June and December and is then valid until the end of the following year. Self-attestation must be supported by an independent external or internal assessment.
SWIFT Customer Security Programme
Independent assessment
[Diagram: the independent assessor assesses the controls using the framework; the SWIFT user performs the self-attestation.]
• Independent assessment: self-attestation must be supported by an external or internal independent assessment (independent from the 1st level). Assessment results: a completion letter and a formal report.
• Point in time: the self-attestation (and also the supporting independent assessment) is sufficient as a point-in-time statement.
• Non-compliant self-attestation: a self-attestation that is not supported by an independent assessment, or that does not comply with all controls. This is visible via KYC or can be requested via KYC (in case of opt-out).
• Framework: a SWIFT-specific framework with 5 architecture types based on SWIFT-related architectures. The SWIFT user must meet the control objectives (taking into account the implementation guidelines).
Scope of the assessment – architecture types
[Figure: the five SWIFT architecture types (A1, A2, A3, A4 and B) drawn against the general enterprise. Components shown: service provider, back office, SWIFT operators, general operator PCs, messaging interface, communication interface, SWIFT connector, customer connector, client connector, SIEM, VA, administrators, operating system, virtualization, anti-malware, IDS, GUI. Legend: in scope, out of scope, advisory components, supporting components, secondary site.]
The 2022 SWIFT CSP update and its impact
01 Significant scope increase for architecture A4
[Figure: A4 architecture with the customer connector definition. Labels: general enterprise, SWIFT operators. Legend: in scope, virtualization, out of scope, advisory components.]
[Figure: A4 scope comparison, two panels. Labels: SWIFT operators, general operator PCs, back office system, operating system, virtualization. Legend: in scope, out of scope.]
SWIFT CSP 2022
Independent assessment and its challenges
Keys to successful independent assessments
Delivering an efficient assessment without compromising on quality.
Quality Assurance
Delivering high quality is key for us. Senior team members will perform QA reviews.
List of common control failures identified by Deloitte
Below is the list of the most common control failures that we identified during the assessments against the SWIFT CSCF
SWIFT CSP 2022
SWIFT CSP trends
• Regulator interest: increased importance of the CSP.
• Automation of compliance.
• Un-isolation: SWIFT infrastructure in the cloud.
• Cloud: use of cloud-based solutions.
SWIFT CSP 2022
CSP Infrastructure in the cloud
CSP Infrastructure in the cloud
SWIFT CSP 2022
Q&A
Main team contacts
João Carlos Frade, Partner, Deloitte Portugal, +351 966 304 388, jfrade@deloitte.pt. João has been a partner since 2004, with experience in Internal Control, Internal Audit, Sustainability and Enterprise Risk. João leads the IT Specialists team in Portugal and is responsible for several projects applying risk management models and the 27001 standard.
Bert Truyman, Partner, Deloitte Belgium, btruyman@deloitte.com. Bert is a partner in Risk Advisory with 20 years of experience in the evaluation of business processes and complex IT environments. Bert leads the Assurance group, which provides IT Audit, Third party assurance, Risk & Controls, and compliance services.
Michal Zavodny, Senior Manager, Deloitte Belgium, mzavodny@deloitte.com. Michal is Deloitte's SWIFT CSP Initiative lead and has led more than 100 SWIFT Customer Security Programme assessments across the globe for various clients: central banks, structurally important banks and international institutions.
"Deloitte" refers to one or more member firms and their related entities of the global network of Deloitte Touche Tohmatsu Limited ("DTTL"). DTTL (also referred to as "Deloitte Global") and each of its member firms are legally separate and independent entities, which do not bind or obligate each other with respect to third parties. DTTL and each DTTL member firm and related entity are responsible only for their own acts and omissions, and not those of the others. DTTL does not provide services to clients. For more information visit www.deloitte.com/pt/about.
Deloitte is a global leader in audit & assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms spans more than 150 countries and territories and serves four out of five Fortune Global 500® companies. To learn about the positive impact created by Deloitte's more than 345,000 professionals visit www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms or their related entities (collectively, the Deloitte network) is providing advice or services through this communication. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional. No representations or warranties (express or implied) are given as to the accuracy or completeness of the information in this communication, and DTTL, its member firms, related entities or employees shall not be liable for any loss or damage arising from actions based on this communication. DTTL and each of its member firms are legally separate and independent entities.