SWIFT Customer Security Program - Deloitte


SWIFT Customer Security Program

Since the Bangladesh Bank Heist of 2016, banks have seen a steady increase in high-profile cyberattacks on customers using the Society for Worldwide Interbank Financial Telecommunications (SWIFT). Deloitte can help business leaders navigate the issues associated with implementing SWIFT's Customer Security Controls Framework (CSCF), as well as address SWIFT dependencies and ultimately disrupt through innovation.

The issue: Growing risk from cybersecurity threats

A variety of cyberattacks have prompted banks and regulators to focus increasingly on managing cybersecurity risks.

- 50% increase in attacks by banking malware, especially mobile banking malware, in the first half of 2019 compared to the same period in 2018. Source: ASEAN Cyberthreat Assessment 2020: Key Insights from the ASEAN Cybercrime Operations Desk
- 1 trillion: annual cost of cybercrime in 2019
- 79% ranked cyber threats as a top 5 concern for their organization
- 11% reported a high degree of confidence in their cyber resilience measures. Source: 2019 Global Cyber Risk Perception Survey
- Cyberattacks ranked 7th most likely to occur, 8th most impactful risk, and 2nd most concerning risk for doing business globally over the next 10 years
- In 2021, cybercrime damages may reach 6 trillion. Source: Global Risks Report 2020

Limiting future cyberattacks

In response to recent cyberattacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.

To help limit hackers' opportunities to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP), a framework designed to help users set up cybersecurity controls that they can implement themselves in their local environments.

The CSP's main components are the Customer Security Controls Framework (CSCF) and the Customer Security Controls Policy (CSCP). An Independent Assessment Framework (IAF) has also been defined to guide clients while assessing the CSP.

The Customer Security Program covers three mutually reinforcing areas:
- Your local environment: secure your local SWIFT-related infrastructure
- Your counterparties: prevent and detect fraud in your commercial relationships
- Your community: continuously share information and prepare to defend against future cyber threats

How SWIFT users can protect themselves

After its original release, the CSP has been updated on an annual basis to improve its coverage and to take into account the evolution of the cyber threat landscape. Compliance assessment declarations are expected at the end of each year. SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cybersecurity risk management program, which should be regularly evaluated and adjusted based on leading industry practices and changes to the individual users' security position and infrastructure.

CSCF and CSP Policy Evolution

2017/2018: 27 controls (16 mandatory, 11 advisory). Self-attestation by 31 Dec 2017/2018.

2019: 29 controls (19 mandatory, 10 advisory). Self-attestation by 31 Dec 2019.
- 3 controls promoted to mandatory: 2.6 Operator Session Flows; 2.7 Vulnerability Scanning; 5.4 Password Storage
- 2 new advisory controls: 1.3A Virtualization Platform; 2.10A Application Hardening

2020: 31 controls (21 mandatory, 10 advisory). Independent assessment by 31 Dec 2019.
- 2 controls promoted to mandatory: 1.3A Virtualization Platform; 2.10A Application Hardening
- 2 new advisory controls: 1.4A Restrict Internet Access; 2.11A RMA Controls
- 1 control with scope extension: 2.4A Back-office Data Flow - MQ / Middleware Server

As of 2020, all SWIFT customers are mandated to support their self-attestation by an independent assessment.
- Self-attestation must be completed between June and December and will then be valid till the end of the following year.
- Self-attestation must be supported by an independent external/internal assessment.
- An annual update cycle is foreseen for CSP policy and CSCF updates.
- The User Guide section has been transferred to the KYC-SA documentation.

SWIFT's strategic security principles

The Customer Security Controls Framework is a set of core security controls that are mandatory for SWIFT users. The controls are intended to help mitigate specific cybersecurity risks that SWIFT users face due to the cyber threat landscape.

SWIFT Customer Security Controls Framework: objectives and strategic security principles

O1. Secure your environment
- P1. Restrict Internet access and protect critical systems from the general IT environment
- P2. Reduce attack surface and vulnerabilities
- P3. Physically secure the environment

O2. Know and limit access
- P4. Prevent compromise of credentials
- P5. Manage identities and segregate privileges

O3. Detect and respond
- P6. Detect anomalous activity to system or transaction records
- P7. Plan for incident response and information sharing

The framework can be applied to four types of SWIFT user architectures, titled A1, A2, A3, and B. SWIFT users must first identify which architecture applies to them before identifying and implementing the applicable controls.

How different will your declaration be on 31 December 2020?

In order to improve the level of assurance currently provided by the self-attestations, an independent assessment framework (IAF) has been developed by SWIFT and will require all attestations to be supported by an independent assessment from the CSCF 2020. The self-assessment will no longer be possible and SWIFT customers will now have to rely on an independent assessment performed either by their internal second or third line of defense (e.g., risk management, internal audit, etc.), or by an external third party organization.

Timeline stages:
- Independent Assessment Framework preparation
- CSCF v2020 release
- CSCF v2020 projects
- Reporting analysis

Activities along the timeline:
- Change identifications, such as advisory controls promoted to mandatory
- Implementation of new requirements
- Mandatory controls
- Improvement of previously identified gaps
- Method: point-in-time evaluation of the user's implementations
- Gap assessment
- Projects plan
- Budget definition
- Preparation of next audit
- Assessments are analyzed by SWIFT
- Additional evidence requested by SWIFT
- Communication to third parties and business partners

How Deloitte can support your organization

The SWIFT messaging platform, in particular, has been under concerted attack since the Bangladesh Bank heist in 2016. Faced with highly sophisticated and organized cyberattacks, global banks need to do more to protect themselves against the rapidly evolving and adaptable cyber threat landscape.

Deloitte offers holistic services that can support your organization as you address your SWIFT dependencies, balancing the need to reduce risk with the goal of meeting productivity, business growth, and cost optimization objectives:

- Impact Assessment: Deloitte will conduct an initial SWIFT risk assessment, provide a prioritization framework, and review current controls
- Risk Mitigation Planning: Deloitte will develop a remediation strategy and a roadmap for implementation for identified gaps in controls and processes
- Testing: Deloitte will assist in establishing a testing framework and conduct testing to meet CSP requirements
- Implementation Support: Deloitte will assist with governance establishment, implementation execution, and war gaming
- Independent Assessment: Deloitte will review and validate your compliance with the SWIFT CSP controls and issue independent assurance reports under recognized standards (e.g., ISAE, SOC 2)

While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT, and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.

How Deloitte can support your organization

SWIFT CSP Workshop
Deloitte consultants with deep SWIFT CSP experience will conduct a workshop to review your self-attestation and provide you with a high-level opinion on the remediation activities defined by your organization. Our team will interview your staff and inspect system configurations and documentation to deliver a management report that can be used for the self-attestation.
Added values: quick confirmation of your self-attestation, confirmation of your team's understanding of the CSCF, and a high-level assessment of your remediation plan.

Testing
Deloitte can assist you in establishing a testing framework and conduct testing to meet CSP requirements. We will conduct an initial SWIFT risk assessment, provide a prioritization framework, and assess your readiness to meet new SWIFT CSP requirements.
Added values: review of the SWIFT environment, assessment of controls, and identification of compliance gaps.

Controls implementation
Through years of experience with different implementation methods, using all kinds of software and hardware, the Deloitte Cyber team is exceptionally placed to provide assistance with the implementation of controls in the CSCF. Our team will design and deploy process and technology solutions to mitigate control gaps, and develop a remediation strategy and a roadmap for implementation for identified gaps in controls and processes.
Added values: a Deloitte team that understands the CSCF will implement controls that fully mitigate gaps with minimal disruption to your current environment.

Independent assessment
The Deloitte team has the depth of experience to review and validate your compliance with the SWIFT CSP controls and issue independent assurance reports under recognized standards (e.g., ISAE, SOC 2).
Added values: independent assessment of your SWIFT environment by a dedicated team with relevant SWIFT cybersecurity assessment experience.

Our experience and credentials

SWIFT CSP tailor-made methodology
Deloitte has a strong track record of performing operational and security risk assessments based on the SWIFT CSCF. Using that experience, we created a tailor-made methodology based on the SWIFT CSCF and international security standards specific to this type of engagement.

Selection of relevant experience (client / relevant experience):

- Multilateral development bank in the Philippines: Deloitte is conducting a compliance assessment using the CSCF. This includes a compliance assessment against all mandatory controls on their onsite and disaster recovery sites.
- Provider of secure financial messaging services: Security assessment review program based on the SWIFT Customer Security Controls Framework for a global financial messaging provider. As part of this program, we have assessed more than 100 financial messaging services connectivity providers across the world.
- Provider of secure financial messaging services: Deloitte provided Quality Assurance to the provider of secure financial messaging services with their Customer Security Program (CSP). The goal of the CSP is to reinforce the security of the clients' wider ecosystem by engaging with its customers to make sure the security of their locally managed infrastructure is up to par. Deloitte helped analyze the attestation data and reported on the findings. Further, Deloitte advised on how to improve the program.
- Central bank in Europe: Review for self-assessment of the internal controls relevant to the SWIFT environment in place at the bank and their compliance with the mandatory controls as published by SWIFT in the CSP framework.
- Several major banks across the EMEA region: Review of self-assessment related to the internal controls relevant to the SWIFT environment in place at the bank, and their compliance with the SWIFT Customer Security Programme framework.

About Deloitte Cyber

As a recognized leader in cybersecurity consulting, Deloitte Cyber can help better align cyber risk strategy and investments with strategic business priorities, improve threat awareness and visibility, and strengthen our clients' ability to thrive in the face of cyber incidents. Using human insight, technological innovation, and enterprise-wide cyber solutions, we manage cyber everywhere, so society can go anywhere.

Value to our clients
- Unrivaled depth of technical knowledge and breadth of industry experience
- Comprehensive suite of solutions from advisory to managed security services
- Ability to develop a cyber risk program in line with the organization's strategic objectives and risk appetite
- Investment in emerging technologies, training, infrastructure, and people
- Global network of 31 Cyber Centers provides consistency and a high level of service

Cyber is everywhere. So are our services.
The ubiquity of cyber drives the scope of our services. Deloitte Cyber advises, implements, and manages solutions across the following areas:

- Strategy: cyber strategy and transformation; cyber risk management; cyber training and awareness
- Application Security: ERP process, systems, and integrity controls including SAP S/4HANA and Oracle GRC; CRM and HR security controls; SecDevOps lifecycle
- Emerging Technology: Internet of Things; Industrial Control Systems; artificial intelligence; robotics
- Detect and Respond: threat intelligence; threat monitoring and analytics; vulnerability management; incident management and response; security automation and response
- Cloud Infrastructure Security: core infrastructure security; cloud security; asset management; mobile and endpoint security; technical resilience
- Data and Privacy: strategy; reporting/validation; architecture; privacy; protection
- Identity: identity governance; advanced authentication; privileged access management; user access governance; identity analytics; digital consumer identity; directory services and certificate lifecycle

Contact us

Talk to our team in the Philippines:
- Anna Pabellon, Risk Advisory Leader, Deloitte Philippines, apabellon@deloitte.com
- Bel Del Castillo, Risk Advisory Manager, idelcastillo@deloitte.com
- Akee Papa, Risk Advisory Senior Manager, arpapa@deloitte.com

Strength in numbers
- 17,000 cyber practitioners worldwide
- 125 offices across Australia, China, India, Japan, Korea, New Zealand, Southeast Asia, Taiwan
- 26 years providing cyber risk services
- 30 Cyber Intelligence Centres

What sets Deloitte Cyber apart from the competition is the know-how. Deloitte has the experience in dealing with many of the world's toughest cyber issues, helping clients solve the most complex business challenges. We have a team that doesn't quit; we have the experience you can depend on; and we have a commitment that we stand behind. Why trust anyone else?

Managed security services - a global partner with a local approach
Cyber Intelligence Centres (CICs) provide a high added value to our managed security services and act as front offices and last mile of delivery for clients. We tailor our offering to the needs of the client in each location.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), its global network of member firms, and their related entities (collectively, the "Deloitte organization"). DTTL (also referred to as "Deloitte Global") and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.

About Deloitte Philippines
In the Philippines, services are exclusively and independently provided by Navarro Amper & Co., a duly registered professional partnership in the Philippines.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited ("DTTL"), its global network of member firms or their related entities (collectively, the "Deloitte organization") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

2020 Navarro Amper & Co.

