As of 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) has a program in place for its clients which aims to improve the security of the entire ecosystem of institutional financial services, reducing the risk of IT attacks and minimizing the impact of fraudulent transactions.
Within this program, SWIFT has laid out a framework of security checks with which all financial institutions must certify their compliance: from 2021, this certification must be supported by an independent assessment.
What does the framework require? And how must the compliance of financial institutions be certified?
The SWIFT Payment System
SWIFT is a cooperative based in Belgium which has developed a series of services to support international financial transactions since the 1970s. Although they are provided by a private company, SWIFT’s services have become a de-facto standard for international financial transactions.
SWIFT provides financial institutions with a standardized infrastructure which allows the exchange of international payment messages in a secure and reliable manner. SWIFT has developed the following for this purpose:
- The SWIFTNet network with associated communication protocols
- A set of standards which define the syntax of the messages relating to financial transactions
- A set of software and services for the exchange of messages within SWIFTNet (with the possibility for clients to use third-party software certified by SWIFT)
Within the SWIFT system, each financial institution is identified by a unique code, known as the BIC or SWIFT code, defined by the ISO 9362 standard.
SWIFT security and the “Customer Security Program”
Infrastructure of this type is undoubtedly highly critical and subject to potential attacks and fraud attempts which, should they be successful, could cause significant financial and reputational impacts. The events of February 2016 are well known, when cybercriminals, who have never been identified, made fraudulent use of the SWIFT infrastructure and some accounts of operators of the Bank of Bangladesh, sending 25 payment instructions totaling 1 billion dollars.
Following this episode, SWIFT concluded that, although its standards and protocols were designed with the clear goal of protecting the security of the information, the security of the entire financial system is necessarily a responsibility shared between all clients and providers of SWIFT services (service bureaus). For this reason, SWIFT created the Customer Security Program (CSP) for its clients: a multi-year, global and many-sided initiative which aims to transform the institutional financial services ecosystem by increasing the level of security, reducing the risk of IT attacks and minimizing the impact of fraudulent transactions.
The CSP, as well as providing for methods and tools for sharing information within the SWIFT community, for responding to incidents and managing risk, provides the “Customer Security Controls Framework”, which establishes a series of security checks designed to help clients protect their local environments and promote a more secure financial ecosystem.
The Customer Security Controls Framework lists 31 types of controls (of which 22 are mandatory and nine optional), which allow three goals to be met.
- Making the environment secure
- Knowing and controlling access
- Identifying and responding
These goals are, in turn, supported by seven principles, according to the following scheme:
Scope of the Security Controls
As shown in the figure, the controls of the security framework apply to:
- Local SWIFT infrastructure, in other words all the specific hardware and software for the SWIFT environment, including the network and security equipment used for the segmentation of the SWIFT environment and the physical environment where the hardware is located
- The data exchange flow between the local SWIFT infrastructure and the back-office software
- The server component of the middleware used, where applicable
- The operators (users and administrators) who interact directly with the SWIFT infrastructure and the PCs used to connect to the infrastructure
In order to assist the client in identifying the scope, SWIFT has identified some types of reference architecture. The client must identify which of the reference architectures best corresponds to their own in order to determine which components fall within the scope. Moreover, depending on the type of architecture implemented, some security controls may or may not be applied.
Structure of the Security Controls
The mandatory controls represent a baseline for the entire community of companies in the financial sector, and must therefore be implemented by all SWIFT clients. The optional controls represent best practice recommended by SWIFT to all its clients.
For each security control the framework, as well as indicating whether it is a mandatory or optional control, specifies for which SWIFT architecture it is applicable, what the goals are, the architectural components to which it applies, the risks addressed, and a guide to implementation.
Verification of compliance with the mandatory controls (and, where applicable, the optional ones) occurs through an annual self-attestation performed by all clients and subsequently submitted to SWIFT between July 1 and December 31 each year.
What is changing from 2021
The Customer Security Controls Framework is updated annually by SWIFT. With each new version, new security controls may be added, some optional controls may become mandatory, and new components may be inserted within the scope.
The 2021 version of the framework lists some new items and introduces a new reference architecture. It will also have a significant impact on SWIFT clients: as of July 2021, the self-attestation alone is no longer sufficient. It must be supported by an independent assessment, based on objective evidence, carried out by an internal audit function or by an external organization with experience in performing technology assessments, for example against standards such as PCI-DSS, ISO 27001, NIST SP 800-53 or the NIST Cybersecurity Framework.
Within the scope of the independent SWIFT assessment, for each of the applicable controls all available evidence must be gathered to demonstrate that the control itself has effectively been implemented, and any recommendations must be provided whenever the control is found not to be (fully) implemented.
Conclusion
SWIFT’s Customer Security Controls Framework is extremely extensive and covers numerous security aspects of the SWIFT IT environment, from the network and users through to the procedures in place. Because of this complexity, and given the new requirement for an independent assessment of framework compliance, an organization’s internal audit function may be unable to provide the attestation of compliance with SWIFT standards on its own.