Risk Assurance Services
Driving your business forward by providing assurance over controls, systems and processes.
Need for the establishment of a Cybersecurity Program
In 2016 attackers compromised systems at the Bangladesh Central Bank and sent payment instructions totalling USD $951m, of which $101m were processed by the Federal Reserve Bank of New York. This remains the biggest bank heist in history.
Evolution of the Customer Security Programme
Since this time, SWIFT's payments community continues to suffer from a number of cyber-attacks and breaches. While all SWIFT customers remain primarily responsible for protecting their own environments, SWIFT aims to support its community in the fight against cyber-attacks. In 2017, SWIFT published its Customer Security Programme which consisted of 16 mandatory and 11 advisory (optional) security controls which they required their 11,000 customers worldwide to self-attest to on an annual basis.
This has evolved over the years and has now been refined to 22 mandatory and 9 advisory (optional) security controls as per the latest SWIFT Customer Security Controls Framework (“CSCF”) v2021, which was released in July 2020. Furthermore, for 2021, SWIFT has introduced a requirement that mandates an independent assessment for all customers' attestations to be performed either through use of an independent third-party or accredited second line (e.g Compliance) or third line of defense (e.g Internal Audit). This was originally planned to be implemented in 2020, but was delayed due to the COVID-19 pandemic.
Changes in Customer Security Controls Framework (“CSCF”) v2021 vs v2020
The latest SWIFT CSCF v2021 builds incrementally on v2020 and therefore adds to it. Minimal changes were made to ensure that customers have sufficient time to fully implement controls from previous CSCF versions. A brief summary of changes are as follows:
- Promotion of control 1.4 - Restriction of Internet Access from an advisory control to a mandatory control.
- Clarification of a number of guidelines and scope definitions (mainly for ‘connectors’).
- Identification of a new architecture type A4, which differentiates users relying on SWIFT related connectors (or SWIFT footprint), currently designated as A3 from those relying on customer connectors (no SWIFT footprint).
- Some user suggested implementations have also been incorporated under the following controls: (1.1; 2.9A; 6.1; 6.5A and 7.4).
SWIFT CSP - journey so far and the road ahead
Note: As a result of the global COVID-19 pandemic, SWIFT published updated guidelines on 18 June 2020 regarding changes to the CSP self-attestation and independent assessment requirements for 2020 and announced that in 2020, customers had the option to self-attest against the 2019 version of the SWIFT CSP and optionally support the self-attestation with an independent assessment. In 2021, an independent assessment will be a mandatory requirement and customers will be required to attest against the 2021 version of the CSP framework.
How are PwC positioned to help with this?
< Back
< Back
[+] Read More
Why PwC?
PwC will leverage inhouse accelerators and our extensive SWIFT CSP expertise to ensure that your needs are met ahead of SWIFT's required independent assessment due on 31 December 2021.
Proven CSP Assurance Experience
We have performed numerous SWIFT CSP assurance engagements across multiple territories and industries.
Cohesive team who understand SWIFT
We understand SWIFT like no other as we performed an annual review of SWIFT under the internationally recognised ISAE3000 standard for over 10 years.
Technical expertise and knowledge
We are the only ‘Big-4’ firm with a professional Certified Cyber Security Consultancy certificate from the NCSC. We are unique in our ability to leverage threat intelligence to build and simulate realistic cyber-attack scenarios.
Adapting to your requirements
PwC will leverage inhouse accelerators and our extensive SWIFT CSP expertise to ensure that your needs are met ahead of SWIFT's required independent assessment due on 31 December 2021.
PwC will provide industry insight that is relevant to your market segment and geographical segment, as well as a balanced view on how to prioritise any associated actions.
SWIFT customer security programme: FAQs
- 1. What is the SWIFT CSP?
- 2. When is the deadline for SWIFT CSP compliance?
- 3. What form does the SWIFT required independent assessment need to take?
- 4. What are the 22 SWIFT CSP mandatory controls?
- 5. What happens if you attest non-compliance?
- 6. What happens if I suspect my organisation has been targeted or breached?
1. What is the SWIFT CSP?
SWIFT's customer security programme (CSP) aims to prevent and detect fraudulent activity through a set of mandatory security controls, community-wide information sharing initiatives and enhanced security features on their products.
Related content
4 results
Loading...
A brand new way to visualise risk - The Cyber Risk Engine Benchmarking and Evaluation tool
Our Benchmark and evaluation tool allows clients to get a clear view of the key risks to their organisations and how prepared they are to manage them, across a whole range of topics — including cyber security, IT risk and compliance.
Cyber Security: GFSC releases proposed Cyber Security Rules and Guidance Consultation Paper
The Guernsey Financial Services Commission (GFSC) has issued proposed Cyber Security Rules (Rules) and Guidance Consultation Papers applying to all licensees licensed under the GFSC Regulatory Laws. The issuance of the Rules follows on from the Commission’s 2019 Cyber Risk Thematic, which was presented to industry...
Moving to Level 2 in the Jersey Safe Exit Framework: can we embed resilience?
The COVID-19 pandemic demonstrated that no organisation is insulated from disruption in this modern, interconnected world. Risks are entangled, complex supply chains are the norm and events in far off locations have a profound effect.
Loading...
Contact us
Advisory Director, Head of Risk Assurance, PwC Channel Islands
Tel: +44 7797 900015
Follow us
