SWIFT Customer Security Controls Framework – Self-Assessment Required by Year End

The Back Story

Are you one of the 11,000 banks that are members of SWIFT, the international correspondent banking network? In 2016, a cyberattack stole $81 million from the Bangladesh central bank by exploiting vulnerabilities to obtain legitimate SWIFT credentials. During the attack, other banks accepted and processed the SWIFT fund transfer requests because they came from a trusted source; in reality, the attackers controlled the accounts that issued them.

What is SWIFT?

Behind most international money and securities transfers is the SWIFT system, a vast messaging network used by banks and other financial institutions to quickly, accurately, and securely send and receive information such as money transfer instructions. Every day, SWIFT member institutions send nearly 30 million messages over the network.

The Customer Security Programme (CSP)

As a result of this cyberattack and others that preceded it, SWIFT launched the Customer Security Programme (CSP). SWIFT created the program to address the risk and exposure inherent in the trusted network between member banks. As part of the program, all SWIFT member banks are now required to meet minimum security standards and to self-attest through the KYC Registry Security Attestation application (KYC-SA) by December 31, 2017.

Per the SWIFT website, all controls that are included in the CSP “are articulated around three overarching objectives: 'Secure your Environment', 'Know and Limit Access', and 'Detect and Respond'.” The controls have been developed based on SWIFT's analysis of cyber threat intelligence and in conjunction with industry experts and user feedback.

The three objectives comprise eight principles, 16 mandatory controls and 11 advisory controls. Member banks are required to self-attest against the 16 mandatory controls; the remaining 11 advisory controls may become mandatory later. All SWIFT users must log in to the KYC-SA and submit self-attestations for each of their live BIC8s by the end of December 2017.

[Infographic: SWIFT CSP security controls]
Source: https://www.swift.com/sites/default/files/assets/swift_infographic_csp_security_controls.jpg (SWIFT Website)

The 16 mandatory controls prescribed by the SWIFT CSP are as follows:

Mandatory Security Controls

1. Restrict Internet Access and Protect Critical Systems from General IT Environment

1.1 SWIFT Environment Protection

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

1.2 Operating System Privileged Account Control

Restrict and control the allocation and usage of administrator-level operating system accounts.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security

Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related applications and their link to the operator PC.

2.2 Security Updates

Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.

2.3 System Hardening

Reduce the cyberattack surface of SWIFT-related components by performing system hardening.

3. Physically Secure the Environment

3.1 Physical Security

Prevent unauthorized physical access to sensitive equipment, workplace environments, hosting sites, and storage.

4. Prevent Compromise of Credentials

4.1 Password Policy

Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.

4.2 Multi-factor Authentication

Prevent a compromise of a single authentication factor from allowing access into SWIFT systems by implementing multi-factor authentication.

5. Manage Identities and Segregate Privileges

5.1 Logical Access Control

Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.

5.2 Token Management

Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).

6. Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection

Ensure that local SWIFT infrastructure is protected against malware.

6.2 Software Integrity

Ensure the software integrity of the SWIFT-related applications.

6.3 Database Integrity

Ensure the integrity of the database records for the SWIFT messaging interface.

6.4 Logging and Monitoring

Record security events and detect anomalous actions and operations within the local SWIFT environment.

7. Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning

Ensure a consistent and effective approach for the management of cyber incidents.

7.2 Security Training and Awareness

Ensure all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.

Source: SWIFT Website

In addition, SWIFT has provided 11 advisory security controls for consideration, as follows:

Advisory Security Controls

2. Reduce Attack Surface and Vulnerabilities

2.4 A Back Office Data Flow Security

Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.

2.5 A External Transmission Data Protection

Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.

2.6 A Operator Session Confidentiality and Integrity

Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.

2.7 A Vulnerability Scanning

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process.

2.8 A Critical Activity Outsourcing

Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.

2.9 A Transaction Business Controls

Restrict transaction activity to validated and approved counterparties and within the expected bounds of normal business.

5. Manage Identities and Segregate Privileges

5.3 A Personnel Vetting Process

Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.

5.4 A Physical and Logical Password Storage

Protect physically and logically recorded passwords.

6. Detect Anomalous Activity to Systems or Transaction Records

6.5 A Intrusion Detection

Detect and prevent anomalous network activity into and within the local SWIFT environment.

7. Plan for Incident Response and Information Sharing

7.3 A Penetration Testing

Validate the operational security configuration and identify security gaps by performing penetration testing.

7.4 A Scenario Risk Assessment

Evaluate the risk and readiness of the organization based on plausible cyberattack scenarios.

Source: SWIFT Website
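Advisory control 2.9 (Transaction Business Controls) is the one control in the list that is naturally expressed as checkable logic: restrict outgoing transfers to approved counterparties and to the expected bounds of normal business. The following is an added example, not SWIFT's or Weaver's code, showing such a check run over constructed sample transfer records; the counterparty allow-list, the amount ceiling, the business-hours window and the BICs are all made-up assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed policy values (assumptions for this example, not SWIFT guidance).
APPROVED_COUNTERPARTIES = {"BANKDEFFXXX", "BANKGB2LXXX"}  # allow-list of receiver BICs
MAX_SINGLE_AMOUNT = 5_000_000.00                           # per-transfer ceiling
BUSINESS_HOURS = range(8, 18)                              # 08:00-17:59 local time


@dataclass
class Transfer:
    ref: str            # internal transaction reference
    receiver_bic: str   # counterparty BIC (receiver)
    amount: float
    currency: str
    sent_at: datetime   # local time the instruction was released


def check_transfer(t: Transfer) -> List[str]:
    """Return the business-control findings for one transfer; an empty list passes."""
    findings = []
    if t.receiver_bic not in APPROVED_COUNTERPARTIES:
        findings.append("counterparty not in approved list")
    if t.amount > MAX_SINGLE_AMOUNT:
        findings.append("amount above single-transfer ceiling")
    # Outside the business-hours window or on a weekend (Mon=0 ... Sun=6).
    if t.sent_at.hour not in BUSINESS_HOURS or t.sent_at.weekday() >= 5:
        findings.append("released outside business hours")
    return findings


def review(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Map each transfer reference that needs manual review to its findings."""
    return {t.ref: f for t in transfers if (f := check_transfer(t))}


# Constructed sample records: 2017-11-14 is a Tuesday, 2017-11-18 a Saturday.
SAMPLE_TRANSFERS = [
    Transfer("T1", "BANKDEFFXXX", 250_000.00, "USD", datetime(2017, 11, 14, 10, 30)),
    Transfer("T2", "UNKNOWN00XXX", 900_000.00, "USD", datetime(2017, 11, 14, 11, 0)),
    Transfer("T3", "BANKGB2LXXX", 7_500_000.00, "USD", datetime(2017, 11, 18, 2, 15)),
]

if __name__ == "__main__":
    for ref, findings in review(SAMPLE_TRANSFERS).items():
        print(ref, "->", "; ".join(findings))
```

In practice the findings would be written to the same log stream that control 6.4 (Logging and Monitoring) collects, so that a held transfer and the reason it was held are both visible to the operations and security teams.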

Are you prepared to review the mandatory and advisory controls and submit your self-attestation by year-end? The SWIFT website is a recommended starting point to assess your status and begin outlining how the controls apply to your infrastructure. Contact Weaver’s IT Advisory Services team with questions on the program or completion of the KYC Registry Security Attestation.