SWIFT Customer Security Programme: audit and recommendations


“Our missions go far beyond mere compliance”

The financial sector must increasingly comply with very strict security requirements. This is particularly the case with the Customer Security Programme (CSP) of SWIFT (Society for Worldwide Interbank Financial Telecommunication). SWIFT is a communication platform between financial institutions (banks, large companies, etc.) through which sensitive data passes, so the network is exposed to cyber threats. This interbank platform, an essential part of the global economy, publishes an annual framework of security controls that all financial institutions with a BIC code must comply with. Since the launch of the CSP, EBRC has supported SWIFT clients, in particular with SWIFT compliance audits, and has become one of SWIFT's partners. Aline Moyret, GRC (Governance, Risk and Compliance) Lead Advisor, and Laurent Crozier, Senior Consultant, tell us more.

What does SWIFT's Customer Security Programme consist of?

Aline MOYRET: SWIFT launched this programme in 2017 with the aim of helping financial institutions that have a BIC code ensure that their defence systems against cyber-attacks are effective and up to date. In order to certify their level of compliance, users are required to compare their security measures with those detailed in the Customer Security Controls Framework (CSCF) on an annual basis. The CSCF includes both mandatory and optional security controls. Every year, SWIFT improves its framework by adding control points or making previously optional controls mandatory. Our role specifically involves helping SWIFT's financial institution clients verify that they are compliant with the programme requirements.

What gives EBRC legitimacy as regards auditing the SWIFT Customer Security Programme?

Laurent CROZIER: We have been assisting our clients since the beginning of this programme.

In 2020, thanks to our certifications and our skills in the field of information security management, we became partners of the SWIFT programme. Each year, three of our consultants renew their CSCF certification. This partnership has a double advantage for EBRC. Not only are we listed in the SWIFT directory of assessment service providers, but we also have access to all SWIFT documentation and webinars. This ensures that we are always informed of the latest developments in the programme. Finally, we can use the templates provided by the programme to facilitate communication with SWIFT if the client so wishes.

In concrete terms, what variants of SWIFT support do you offer?

LC: We offer three levels - each level encompassing the previous one - depending on the client's needs.

Support for the Independent Assessment Framework

Since 2021, the SWIFT programme has required institutions to go beyond a self-assessment questionnaire and to undergo an independent assessment to verify the accuracy of controls. Thanks to our experience and our partnership with the SWIFT programme, we can carry out this independent assessment.

Control maturity analysis and recommendations for improvement

In the second offering, we go a step further by providing what I call "assistance" in assessing the maturity of controls. In other words, we help clients analyse each of their controls in detail and suggest areas for improvement.

Testing the robustness of controls against cyber-attack risks

The third offering adds risk analysis. This analysis, recommended but not imposed by the SWIFT programme, consists of testing the robustness of controls against high risks of cyber-attack. If we find any weaknesses, we provide the client with an action plan containing proposals intended to reduce these risks.

You are not the only one on the market to offer support for SWIFT's Customer Security Programme. What are the advantages of choosing EBRC over its competitors?

AM: We can mention four advantages.

Software specialised in protecting sensitive information and anticipating cyber risks

For our missions, we use specialised software for cyber risk management, EGERIE Risk Manager. This software, which we also use for our own needs, contains predefined scenarios and allows us to industrialise the risk analysis as much as possible, which brings even more added value to our clients.

SWIFT CSP compliance audit: detailed points for improvement

For each of our offerings, apart from the independent assessment, we draw up a detailed and precise report at the end of the mission which explains in a clear and comprehensible manner what the strong points are and what needs to be improved.

Field expertise for a pragmatic approach

Another aspect that sets us apart from the competition is our pragmatic approach. All of our consultants are senior experts with extensive field experience and knowledge of production constraints. The expertise they offer is as concrete as possible.

Adapting to your way of working

LC: I would add the importance given to dialogue. When we enter into a relationship with a client, we examine with them whether their operating mode corresponds to one of the architecture types predefined by SWIFT. The type of SWIFT architecture deployed determines the scope of application and the controls applicable to each organisation. There are four architectures for the deployment of SWIFT services, from A1, where the messaging and communication interfaces are hosted in the local environment, to B, where no SWIFT-specific infrastructure components are used in the local environment, through the intermediate levels A2, A3 and A4.

In addition, we attach great importance to the assessment of each of the controls. We are not satisfied with the answers given by the client and always look for more. In the end, it is our responsibility and our reputation that are at stake as we are in charge of validating, through an official letter of completion, the client's compliance with the SWIFT programme requirements.

What are your ambitions for the future?

AM: We already have solid references in Luxembourg and Switzerland, and we want to expand our SWIFT offerings to other clients. We aim to support financial institutions that are not yet at the level of the large international banks and to which we can provide assistance adapted to their context. And not only in the countries we already serve (Belgium, France, Luxembourg, Switzerland) but also, why not, even further afield.

5 reasons to choose EBRC for the SWIFT CSP audit

  1. SWIFT partner since 2020
  2. Three levels of offer adapted to each client's context
  3. A risk-oriented approach
  4. Clear, useful, and accurate reports
  5. Numerous references in Luxembourg and Switzerland