SWIFT has announced that 91% of customers, representing over 99% of SWIFT’s traffic, have attested to their compliance with controls mandated by SWIFT’s Customer Security Controls Framework (CSCF) v2019, a key aspect of the Customer Security Programme (CSP).
A cornerstone of the SWIFT community’s cyber defences, the CSCF defines mandatory and advisory controls for customers to implement in their local environments to protect against existing and emerging cyber threats.
The framework, introduced in 2017, aims to continuously raise the bar on security across the SWIFT community. The 2019 version was the most stringent to date, articulating 19 mandatory and 10 advisory controls. It also marked the second year that customers were required to attest to their compliance. For those customers that did not attest, or did not fully comply with all of the mandatory controls, SWIFT reserves the right to report the customer to their local regulator.
“We would like to thank our community for their hard work in implementing the controls set out in the CSCF v2019,” said Brett Lancaster, head of the Customer Security Programme at SWIFT. “We recognise it’s not easy, but it is vital for our community to continue to stand strong against the growing and evolving cyber threat. We look forward to continuing to work closely together as we further strengthen cyber defences with the implementation of CSCF v2020.”
Built to support all types of customers, the CSP is designed to help the community secure itself. Its focus is threefold: customers must protect and secure their local payments environment; they must work to prevent and detect fraud in commercial relationships; and they must continuously share threat information to defend against future cyber threats.
Looking forward, the CSCF v2020 has a number of changes from v2019 and includes 21 mandatory and 10 advisory controls. Two controls, 1.3 and 2.10, listed as advisory in 2019, have been elevated to mandatory. They aim to protect and reduce potential vulnerabilities on critical interface components as well as critical systems where virtualisation is being used more frequently.
The CSCF v2020 will become effective in the KYC-SA, the online repository for customer attestations, in July 2020.
Furthermore, to enhance the overall integrity of attestations across all customers, all submitted attestations for CSCF v2020 must be supported by an independent assessment, either by a second or third line of defence of an internal department (e.g. risk, compliance or internal audit) or by an external third party. SWIFT says it is in the stages of enhancing the Cyber Security Service Providers directory of suitable external assessors.
Attesting compliance against the CSCF v2020 will be mandatory by the end of 2020.