Regulatory authorities that govern financial services have long been aware of an impending breakdown of digital operations due to potent cybersecurity threats. In fact, the finance industry has suffered several cyber-attacks in the past year. To deal with the changing cyber-threat landscape, regulatory authorities are also regularly updating their rules to address risks not only in siloed financial institutions but also in the rest of the supply chain.
The updated rules have made the Society for Worldwide Interbank Financial Telecommunications (SWIFT) the center of their attention. Failure to ensure flawless security of SWIFT can prove to be severely detrimental to the global market. To put this into perspective, a whopping 6.5 billion financial transactions are completed through SWIFT every year, 85% of which are entirely digital.
SWIFT began its Customer Security Program (CSP) in 2017. The program requires all SWIFT customers to prove that they are compliant with 31 security controls, 14 of which are specifically for scenarios in which a third party acts as the mediator between the primary customer and SWIFT. All potential new customers must submit evidence of compliance to SWIFT if they seek permission to join the SWIFT network. If non-compliance is detected, SWIFT shares the customer information with their respective regulatory bodies. It may even request the customers to submit evaluation reports from further internal or external audits when in doubt.
Customers can also choose to comply with 11 other controls that are voluntary in nature and submit assessment reports obtained through internal or external audits.
Controlled access to databases, strong passwords, and multi-factor authentication methods to prevent unauthorized access.
Thorough understanding of how all data is flowing from one user to another within the organization during business operation.
Regular and efficient evaluation of the vulnerability of data, penetration of risks, and alertness to new risks; risk mitigation response; an examination of various possible threat situations.
Proper training of personnel on security policies, appropriate delegation of responsibilities.
Extensive reporting and audits.
When combined with the various other regulatory compliance requirements, the requirements doled out by the CSP could prove to be challenging for organizations. At the same time, the CSP provides a holistic analysis of an organization’s SWIFT security framework, such as technological controls, risk detection strategies to prevent fraud, and other information security measures. This article aims to convey why it is important to implement the CSP, what the requirements of the CSP mean, and how to implement the CSP.
Why it is important to implement the CSP
SWIFT’s CSP was conceived as a contingency plan to thwart the ever-growing cyber threats. Not only are cyber threats growing in number, but also in their sophisticated and innovative approach. Amidst these evolving threats, banks have always been the prime focus of malicious hackers. It is, therefore, important that SWIFT and its customers exercise caution across the entire transaction chain. This is where SWIFT’s CSP comes into play, as a promising approach to improving international financial transactions' security. SWIFT has acknowledged that it must function in conjunction with its customers and their regulators to improve customer security.
However, the industry's poor dedication to implementing the CSP, including new security-related technology, has been a deterrent to improving the security of the SWIFT network. One of the reasons for lack of interest could be that many organizations only see SWIFT as a telecommunications system, not a payment system. Also, since SWIFT does not have the power that regulatory bodies do, organizations would much rather follow bona fide regulatory authorities' instructions than those of SWIFT. Additionally, larger organizations that already have extensive security controls in place may think that the controls listed in the CSP are redundant with their existing policies.
Still, there are several arguments in favor of strengthening the security of SWIFT through the CSP:
The volume of financial transactions that are completed through SWIFT’s messaging system is immense. The number was 25 million per day back in 2016 and is sure to have increased now. Improved protection is needed because SWIFT transactions have a predictable format that makes them more vulnerable to security risks.
Around 15% of transactions through SWIFT have to be processed manually, which increases security risks. It is important to update current technological controls so that the reliance on manual processing can be eliminated.
Transactions conducted through SWIFT are managed by first-line operators. Information security personnel such as the chief information security officers (CISOs) are not involved in most organizations as SWIFT may not be considered a vulnerability greater than or even equal to the other financial transaction systems. However, to ensure adequate security, it is important that all lines of defense be involved in addressing the cyber threats faced by SWIFT.
SWIFT has north of 11,000 customers in over 200 countries. Weak security in any one of these customers' operations can topple the entire SWIFT security framework.
Requirements of the CSP
The CSP aims to address the following five priorities set by SWIFT:
1. Improved communication: SWIFT wishes to establish a more robust two-way communication with its customers so that information on suspicious transactions, risk mitigation measures or developments in the world of cybersecurity and cybercrime can be shared effectively.
2. Enhance consumer-level controls: SWIFT wants to improve the security controls at the level of the consumers initiating financial transactions. This means controls such as multi-factor authentication, data encryption, stronger passwords, and better logging in the software used for transactions.
3. Minimal security control requirements: SWIFT customers must fulfill some minimal security control requirements in order to be granted permission to conduct any transactions. The minimal requirements include controls to prevent unauthorized access and delegation of security and compliance-related responsibilities.
4. Novel technological tools: SWIFT wants to bring in new technological tools to automatically detect transaction patterns, ease the communication of fraudulent transactions by customers to SWIFT and to detect any transaction irregularities.
5. Create a secure third-party network: SWIFT aims to tie together all necessary third-party vendors, such as those providing organizations with software packages or hardware for security systems, intrusion detection systems, external auditors, security training, etc.
Author: DeshCyber Security Engineer
September 10, 2020