What does SWIFT's Customer Security Programme consist of?
Aline MOYRET: SWIFT launched this programme in 2017 with the aim of helping financial institutions that have a BIC code ensure that their defence systems against cyber-attacks are effective and up-to-date. In order to certify their level of compliance, users are required to compare their security measures with those detailed in the Customer Security Control Framework (CSCF) programme on an annual basis. The CSCF includes both mandatory and optional security controls. Every year, SWIFT improves its framework by adding control points or making previously optional controls mandatory. Our role specifically involves helping SWIFT's financial institution clients verify that they are compliant with the programme requirements.
What gives EBRC legitimacy as regards auditing the SWIFT Customer Security Programme?
Laurent CROZIER: We have been assisting our clients since the beginning of this programme.
In 2020, thanks to our certifications and our skills in the field of information security management, we became partners of the SWIFT programme. Each year, three of our consultants renew their CSCF certification. This partnership has a double advantage for EBRC. Not only are we listed in the SWIFT directory of assessment service providers, but we also have access to all SWIFT documentation and webinars. This ensures that we are always informed of the latest developments in the programme. Finally, we can use the templates provided by the programme to facilitate communication with SWIFT if the client so wishes.
In concrete terms, what variants of SWIFT support do you offer?
LC: We offer three levels - each level encompassing the previous one - depending on the client's needs.
Support for the Independent Assessment Framework
Since 2021, the SWIFT programme has required institutions to go beyond a self-assessment questionnaire and to undergo an independent assessment to verify the accuracy of controls. Thanks to our experience and our partnership with the SWIFT programme, we can carry out this independent assessment.
Control maturity analysis and recommendations for improvement
In the second offering, we go a step further by providing what I call "assistance" in assessing the maturity of controls. In other words, we help the clients analyse each of their controls in detail and suggest improvement areas.
Testing the robustness of controls against cyber-attack risks
The third offering adds risk analysis. This analysis, recommended but not imposed by the SWIFT programme, consists of testing the robustness of controls against high risks of cyber-attack. If we find any weaknesses, we provide the client with an action plan containing proposals intended to reduce these risks.
You are not the only one on the market to offer support for SWIFT's Customer Security Programme. What are the advantages of choosing EBRC over its competitors?
AM: We can mention four advantages.
Software specialised in protecting sensitive information and anticipating cyber risks
For our missions, we use specialised software for cyber risk management, EGERIE Risk Manager. This software, which we also use for our own needs, contains predefined scenarios and allows us to industrialise the risk analysis as much as possible, which brings even more added value to our clients.
Detailed points for improvement
For each of our offerings, apart from the independent assessment, we draw up a detailed and precise report at the end of the mission which explains in a clear and comprehensible manner what the strong points are and what needs to be improved.
Field expertise for a pragmatic approach
Another aspect that sets us apart from the competition is our pragmatic approach. All of our consultants are senior experts with extensive field experience and knowledge of production constraints. The expertise they offer is as concrete as possible.
Adapting to your way of working
LC: I would add the importance given to dialogue. When we enter into a relationship with a client, we examine with them whether their operating mode corresponds to the type of architecture predefined by SWIFT. The type of SWIFT architecture deployed determines the scope of application and the controls applicable for each organisation. There are four architectures for the deployment of SWIFT services: from A1 - where the messaging and communication interfaces are hosted in the local environment - to B - where no SWIFT-specific infrastructure components are used in the local environment - through the intermediate levels A2, A3 and A4.
In addition, we attach great importance to the assessment of each of the controls. We are not satisfied with the answers given by the client and always look for more. In the end, it is our responsibility and our reputation that are at stake as we are in charge of validating, through an official letter of completion, the client's compliance with the SWIFT programme requirements.
What are your ambitions for the future?
AM: We already have solid references in Luxembourg and Switzerland, and we want to expand our SWIFT offerings to other clients. We aim to support financial institutions that are not yet at the level of the large international banks and to which we can provide assistance adapted to their context. And not only in the countries we already serve - Belgium, France, Luxembourg, Switzerland - but also - why not? - even further afield.
5 reasons to choose EBRC for the SWIFT CSP audit
- SWIFT partner since 2020
- Three levels of offer adapted to each client's context
- A risk-oriented approach
- Clear, useful, and accurate reports
- Numerous references in Luxembourg and Switzerland