SWIFT is a global member-owned organisation and the world’s leading provider of secure financial messaging services. It provides a messaging platform, products and services that connect financial institutions, banking and securities organisations, market infrastructures and corporate customers worldwide, enabling SWIFT customers to communicate securely and exchange standardised financial messages reliably. To combat fraud in the financial industry and improve cybersecurity in its user community, SWIFT introduced its Cyber Security Programme (CSP).
All SWIFT customers.
As stated by SWIFT, while customers are responsible for protecting their own environments and access to SWIFT, SWIFT’s Customer Security Programme (CSP) has been introduced to support customers in the fight against cyber fraud.
The CSP is designed to be a collaborative effort between SWIFT and its users to strengthen the overall security of the financial ecosystem. All users must therefore read the controls set out in this document carefully, and prepare for implementation within their own organisation.
SWIFT developed an attestation and compliance process which requires users to self-attest compliance against the mandatory and, optionally, the advisory security controls.
Users must submit their self-attestation status information into a dedicated security attestation folder of the KYC Registry. From 1 January 2018, all users must have submitted their self-attestation, and they are required to resubmit it annually thereafter.
Several CSP requirements must be met to address the confidentiality, integrity and authenticity (CIA) of data flows between local SWIFT-related applications and their respective links to the end-user environment, as well as data flows between back-office and/or middleware applications and the connected SWIFT infrastructure components.
If needed, we can help with the design and implementation of control systems and related data exchange processes specific to your environment, covering the whole end-to-end transaction chain rather than only the in-scope components required by the respective security controls (those requirements are considered a minimum).
These controls aim to verify file authenticity at the source system and to apply channel encryption, reducing the risk of message tampering, unauthorised modification and sending of financial transactions, processing of altered inbound transactions, loss of sensitive data, and dealings with unauthorised counterparties.