Article What SWIFT’s new Customer Security Programme means for you 20 Jan 2017 — 4 min read The Team Barry LewisDaniel LemckeRosie Sperring Lately SWIFT, the global provider of secure financial messaging services, has been on a mission to protect the payment ecosystem. After a series of cyber security incidents and global headlines, it’s clear that the rate of ‘meaningful’ attacks on the payment infrastructure of financial institutions has increased. And these malware attacks are becoming increasingly sophisticated, ‘covering their tracks’ to delay or even prevent someone from finding out the fraud has ever happened. So what are SWIFT doing to help the industry? Introducing: the Customer Security Programme These breaches are impacting the payment ecosystem, with stakeholders questioning the security and robustness of their payment communications. SWIFT, as the custodians of global payment communications, have an extremely important role to play in (in their own words) “reinforcing and safeguarding the security of the global banking ecosystem”. Considering the number of messages they handle – an average of 26 million per day – it’s hard to disagree. They have published 5 key initiatives that aim to keep global banking safe: Improve information sharing. Enhance SWIFT-related tools for customers. Enhance guidelines and provide audit frameworks. Support increased transaction pattern detection. Enhance support by third party providers. All self-explanatory so far, but I hear you asking “what does this mean for me as a part of the SWIFT community?” … How will this affect you? The latest development, announced on 27th September 2016, is a set of 16 mandatory controls that all SWIFT users must adhere to, plus 11 additional advisory controls. Users will be required to demonstrate their compliance against these controls annually, through self-attestation from Q2 2017. This will be supported by a sample of requests for inspection and enforcement by internal and external auditors from January 2018. In the interest of transparency, the results of these self-assessments and inspections will be made available to counterparties, and any non-compliance will be reported to regulators. “With 27 controls to review, implement and attest to, there’s a lot of risk and coordination to navigate… the devil really does lie in the detail!” So what do I have to do? The mandatory controls have been organised into 3 Objectives and 8 Principles: With 27 controls to review, implement and attest to, there’s a lot of risk and coordination to navigate… the devil really does lie in the detail! Now is not the time to dig down into this level of detail, but you can read more about the controls here. Are you ready? Many organisations may already be compliant with several of the controls, but they must still attest to them. Some, however, may be a little bit trickier to implement… Back office data flow security Several controls require a large amount of coordination as they span multiple functions, and back office data flow security is one of them. SWIFT are asking for banks to implement confidentiality, integrity, and authentication mechanisms to protect SWIFT data flows and the link to the user devices. Part of this wider challenge also extends to the management of secure zone segregation control between PCs and communication interfaces. These controls should not be underestimated. We’ve worked with banks around the world – from Tier 1 to the challengers – and every time, we have seen the difficulty they face just in mapping internal data flows, let alone being able to attest to their detailed security standards, structures and potential failings. User account management Here, SWIFT are asking that users grant account access on a ‘need-to-know’ basis, ensuring individuals are given the least privilege possible. This is an important control to ensure you aren’t giving out more information than you need to. How many times have you reviewed access or permission documents within your bank and come across the name of someone who left the group years ago? If you were unlucky enough to detect suspicious malware, would you know what action to take? Cyber incident response planning This control states that the organisation must have a defined cyber incident response plan in place. Hackers are becoming more sophisticated, and are moving a lot quicker than the rest of us in coming up with new ways of intercepting messages and compromising our systems. With fraudsters focused on payment messaging and developing malware which can unravel the financial world, part of the strategy here has to be around the controls in place coupled with contingency planning capability. If you were unlucky enough to detect suspicious malware, would you know what action to take? In conclusion SWIFT are quite rightly responding to the increasing threat of cyber security and taking appropriate steps to try and protect all participants in the payment ecosystem. But, how can SWIFT enforce users to maintain a safe and secure environment to operate in while still maintaining their reliable (and swift!) service for those who rely on them every day? Only time will tell. The Customer Security Programme is an immense but extremely important undertaking – hackers are real, and so is the threat. By leveraging the power of their users (you), SWIFT should be able to successfully transform the future of security for the banking community. For you as the user, this must be more than simply becoming compliant, but rather understanding the risks and subsequent impact if all users do not step up. It’s a huge undertaking as so many people organisation-wide must be involved to get it right. From our experience, it’s critical not to underestimate what SWIFT’s Customer Security Programme means for you in practice. To discuss what this means for you and your organisation in more detail, please contact Barry Lewis, our lead Financial Services Partner.
