Everything You Need to Know About SWIFT's CSP & How to Prepare

After a series of high-profile attacks on the local environments of SWIFT customers, SWIFT responded by implementing the Customer Security Programme (CSP) to advise customers on how to mitigate the risk of fraud. This is a great step in the right direction for SWIFT and the entire community, but it is a lot of information for organizations to absorb. A list of controls, some of which are mandatory and some advisory, multiple deadlines looming…it’s daunting. There’s no need to panic. You’ve got enough on your plate making sure your environment is adequately protected against further attacks, so here is a brief, common-sense explanation of the most important things you need to know about the CSP and what you need to do to prepare. 

Key Objectives 

It’s easy to get bogged down in all of the numbers, between the 16 mandatory controls, 11 advisory controls, all the dates for deadlines etc. The most important number, however, is three. There are only three key customer security objectives for the CSP and if you can keep that in mind, effectively protecting your payments (which is SWIFT’s whole goal) will be easy. 

Objective #1: Secure Your Environment  

Seems a bit oversimplified, but it’s as good a place as any to start, especially for organizations who may be a bit behind with their security strategies. This section of the CSP is broken into three main components:

• Restricting internet access and protecting critical systems from the general IT environment  The goal of this measure is to ensure the protection of users’ local SWIFT architecture from elements of the general IT environment that could have been compromised – something that’s highly likely given the increasing use of phishing schemes to deploy malware. There are two mandated controls, which include SWIFT environment segregation and operating system privileged account controls.
• Reducing attack surfaces and vulnerabilities  Attacks can come from anywhere at any time, so it’s important to eliminate all easy points of access for fraudsters. The CSP calls for three mandatory controls: data flow security, which should ensure the confidentiality, integrity and authenticity of data flows; security updates, in order to minimize known technical vulnerabilities; and system hardening, which will further reduce the attack surface of SWIFT-related components. There are also six advisory controls in this section, which include back office data flow security, external transmission data protection, user session integrity, vulnerability scanning, critical activity outsourcing and transaction business controls.
• Physically secure the environment  This control requires that you prevent unauthorized physical access to all sensitive equipment, environments, sites and storage. 

Objective #2: Know and Limit Access  

Understanding who has access to critical systems and restricting that access to the fewest required people possible is one of the easiest ways to increase the security of your payments. SWIFT’s CSP calls for doing so in two key ways:

• Prevent compromise of credentials There are two mandatory controls for this section that require having and enforcing a password policy (no more PASSWORD or 1234s allowed) and implementing multi-factor authentication, if you haven’t already done so.
• Manage identities and segregate privileges There are two mandatory controls for this section as well. First, in order to enforce the common sense principles of “need-to-know” access, least privilege and segregation of duties, logical access control will need to be employed. Secondly, token management, essential for successful multi-factor authentication, will need to be enforced. In addition to these mandatory controls there are also two advisory controls – personnel vetting process and physical and logical password storage. 

Objective #3: Detect and Respond 

This is, without question, the most important objective of the entire CSP. According to the Internet Crime Complaint Center for the FBI, the industry has seen a 2,370% increase in identified exposed losses as a result of B2B payment fraud since January 2015 and 38% of all banks and payment organizations admit that it’s now very difficult to tell the difference between a legitimate payment and a fraudulent one. The sole focus of your cyber security strategy has got to be stopping fraudulent payments before they happen. To accomplish this, SWIFT has laid out the following:

• Detect anomalous activity This basic first step – spotting the red flags that are indicative of potentially fraudulent activity – takes shape in the form of four mandatory controls. Malware protection is designed to insulate local SWIFT architecture against a potential malware attack. Software integrity is meant to enforce the validity of SWIFT-related software applications. Database integrity focuses on protecting database records for the SWIFT messaging interface. Lastly, logging and monitoring focuses on recording security events to detect anomalous activity within the SWIFT environment. There is one additional advisory control, which is intrusion detection.
• Plan for incident response Cyber-attacks will inevitably happen. Facing that fact directly will make it easier to craft a consistent, effective approach for managing incidents. There are two mandatory controls SWIFT will be auditing for, starting with cyber incident response planning. Since resilience is key to reducing the duration and impact of a cyber-attack, it’s important to make sure you’ve defined and tested an incident response plan. The second mandatory control is security training and awareness. This is often overlooked in many security strategies, but its importance cannot be overstated. It’s critical to perform regular training and awareness activities with all staff at every level of the organization to make sure they understand their responsibilities regarding cyber security. There are two additional advisory controls, penetration testing and scenario risk assessment. The real test comes in January 2018, when SWIFT will begin enforcing compliance with audits.

As you prepare for these deadlines it’s important to remember a few key things:

1. In SWIFT’s own document that provides all of the details of the CSP, they’re very clear that “the controls should not be considered exhaustive or all-inclusive and do not replace a well-structured security and risk framework….” In a nutshell? Your organization can build on the strong recommendations by SWIFT and look for additional opportunities to future proof your organization against payment fraud. As with all security regulations, they’re only meant to enforce minimum security standards. You should use this as an opportunity to do more if you want to future proof your organization against payment fraud.
2. A central protection of the CSP centers around payment monitoring. One of the best ways to both meet this requirement and provide enhanced protection is to proactively monitor the usage of payment applications in real-time, putting you in a position to stop fraudulent transactions before they happen. With audits beginning in January, there’s no time to waste to get this all taken care of. Security is a serious thing, arguably the most important aspect of your business. Take precautions now, before it’s too late!