About the SWIFT CSP

SWIFT is a global member-owned organisation and the world’s leading provider of secure financial messaging services. It provides the messaging platform, products and services that connect financial institutions, banking and securities organisations, market infrastructures and corporate customers worldwide, enabling them to communicate securely and exchange standardised financial messages reliably. To combat fraud in the financial industry and improve cybersecurity in its user community, SWIFT introduced its Customer Security Programme (CSP).

Who is it for?

All SWIFT customers.

As stated by SWIFT, while customers are responsible for protecting their own environments and access to SWIFT, SWIFT’s Customer Security Programme (CSP) has been introduced to support customers in the fight against cyber fraud.

The CSP is designed to be a collaborative effort between SWIFT and its users to strengthen the overall security of the financial ecosystem. All users must therefore read the controls set out in this document carefully, and prepare for implementation within their own organisation.

The framework

SWIFT has published a set of core security controls that every SWIFT customer must meet. These controls reflect good security practice and apply to all systems and processes within the end-to-end transaction chain. The Customer Security Controls Framework (CSCF) sets out detailed security controls (16 mandatory and 11 advisory) that support three overarching security objectives, each addressing a major area of attention for cyber-security efforts:
  • Secure your Environment
  • Know and Limit Access
  • Detect and Respond

These three objectives are supported by eight principles:
  1. Restrict Internet Access
  2. Protect Critical Systems from General IT Environment
  3. Reduce Attack Surface and Vulnerabilities
  4. Physically Secure the Environment
  5. Prevent Compromise of Credentials
  6. Manage Identities and Segregate Privileges
  7. Detect Anomalous Activity to Systems or Transaction Records
  8. Plan for Incident Response and Information Sharing

Mandatory security controls establish a security baseline for the entire community, and must be implemented by all users on their local SWIFT infrastructure.

Mandatory attestation

SWIFT has developed an attestation and compliance process that requires users to self-attest their compliance against the mandatory and, optionally, the advisory security controls.

Users must submit their self-attestation status information to a dedicated security attestation folder in the KYC Registry. From 1 January 2018, all users must have submitted their self-attestation, and they are required to resubmit it annually thereafter.

How can we help

Our SWIFT CSP compliance advisory services comprise several key parts:
  • Review of the SWIFT Customer Security Programme framework with the client, with the goal of supporting the client and producing a gap report
  • Top-level guidance on suitable remediation of current gaps
  • Top-level guidance on compensating controls
  • Expertise in the full suite of CSP requirements and controls for clients

Our assessment process provides a systematic evaluation of an organisation’s level of compliance with the SWIFT CSCF, which needs to be performed during the securitisation process and at regular intervals thereafter. The evaluation covers several facets, including technical sampling of in-scope SWIFT applications and systems, staff interviews, and a final policy review confirming that suitable measures have been taken and that appropriate policies have been put in place.

SWIFT technical solutions & consultancy

Several CSP requirements must be met to address the confidentiality, integrity and authenticity (CIA) of data flows between local SWIFT-related applications and their respective links to the end-user environment, as well as data flows between back-office and/or middleware applications and the connecting SWIFT infrastructure components.

If needed, we can help with the design and implementation of control systems and related data exchange processes specific to your environment. This can cover the whole end-to-end transaction chain, going beyond the respective security controls and beyond the in-scope components alone (the CSP requirements are best regarded as a minimum).

These controls aim to check file authenticity at the source system and to add channel encryption, reducing the risk of message tampering, unauthorised modification and sending of financial transactions, processing of altered inbound transactions, loss of sensitive data, and dealings with unauthorised counterparties.