SWIFT - Mandatory Customer Security Requirements

If you’re a bank or a financial institution then you are already aware of the current onslaught of cyber security attacks being launched, and of the success of some, such as the attack on the Bangladesh central bank, which lost 81 million. SWIFT responded on September 27th with their Customer Security Programme (CSP) https://www.swift.com/ordering-support/customer-security-programme-csp/. SWIFT’s Customer Security Programme (CSP) has been established to support customers in the fight against cyber-attacks.

There is a lot of uncertainty around the new mandatory standard that SWIFT has notified customers of, and this is why we are here to demystify some of it. The standards will be mandatory for all customers, with self-attestation starting in the second quarter of 2017. The full draft controls will be available by the end of October and will be followed by a two-month period of customer validation starting on the 1st of November. The final set of controls will be formalized and released in Q1 of 2017, giving customers less than 6 months to formally confirm and submit their compliance status at the end of Q2 2017.

Inspections and enforcement will begin from the 1st of January 2018, and anyone found to be non-compliant will not only face censure from SWIFT; SWIFT have confirmed they will also release their findings to the central bank the institution reports into. While this in itself is a highly motivating factor to ensure compliance, the customer KYC registry, which all counterparties will have access to, will also list each customer’s compliance level, allowing additional charges to be levied on institutions that are not compliant. CSP incorporates five strategic initiatives, from facilitating better information sharing to creating new audit frameworks.

Core security standards are based on the following areas:
  • 3 overarching objectives
  • 8 principles
  • 16 mandatory controls
  • 11 advisory controls

The above controls are represented and replicated within a number of other security frameworks and standards, but like all the rest they do have areas that are unique to themselves. Implementing some of the security controls will be difficult and cumbersome, as they cross multiple departments and functions and cannot simply be foisted onto an already overloaded security, cyber and/or IT department.

A cross-sectional team of contributors will be required to properly confirm and submit compliance, needing people from internal audit, compliance, operational risk, treasury, etc. With 8 months to reach compliance, a lot of organizations will find themselves scrambling to submit a true and accurate audit status, and the true cost of not preparing properly will only be realized in 2018.