The 2019 Update to the SWIFT CSP Customer Security Programme: Key Facts and Requirements
Cyberattacks on financial institutions are growing and account for billions in financial losses. To adapt to the changing threat environment and stay ahead of cybercriminals, SWIFT (the Society for Worldwide Interbank Financial Telecommunication) recently published an update to the SWIFT Customer Security Programme (CSP) and its Security Controls Framework.
The deadline for member institutions to comply with the updated framework is the end of 2019. Considering that SWIFT serves more than 11,000 financial institutions (FIs) from over 200 countries, the original SWIFT cybersecurity framework and ensuing 2019 update will go a long way to strengthening defenses against attacks such as the Bangladesh Bank Cyber Heist.
History and Highlights of the SWIFT CSP
Cybercriminals are looking for vulnerabilities in the security of every financial institution, and FIs must constantly stay ahead or risk falling victim to a similar fate as Bangladesh Bank. In the 2016 attack, malware was used to hack the bank’s SWIFT-related applications, harvest employee credentials, and steal $81 million through fraudulent money transfers.
In this attack, criminals managed to send sham instructions through the SWIFT payments network, proving just how serious a vulnerability can be in the security setup of a SWIFT member institution. This is especially significant considering that member institutions connect to the SWIFT network daily to send messages such as instructions for international payments and funds transfers. Last year, they averaged 31 million SWIFT messages per day.
Concerned with this hack and aware that similar attacks will grow in number, SWIFT introduced the Customer Security Programme (CSP) in 2016. The goal of the SWIFT CSP is to help members secure the systems they use to connect to the SWIFT network. Member organizations had to self-attest to compliance with SWIFT CSP requirements by the end of 2018 – and 94% did.
Here is how Gottfried Leibbrandt, SWIFT CEO, puts it: “While customers remain responsible for protecting their own environments, SWIFT is fully committed to helping strengthen customers’ security and helping them improve their security measures.”
SWIFT CSP and SWIFT CSCF v2019 Requirements
The SWIFT CSP aims to ensure the security and integrity of the systems that connect to the SWIFT network. It addresses a range of aspects:
- The security and protection of members’ local environments
- Preventing and detecting fraud in counterparty relationships
- Working with members of the financial services industry to prevent future cyberattacks
Within the program, the Customer Security Controls Framework outlined 16 mandatory and 11 advisory security controls. Customers must self-attest their compliance on an annual basis, with the first deadline already behind us. In addition, all organizations applying to become part of the SWIFT network need to comply, and SWIFT enforces these controls with random audits.
These controls are the result of a thorough review of the market situation, analysis of current cyber threats, and discussions with users and industry experts. The controls are divided into three groups:
- Secure Your Environment
- Know and Limit Access
- Detect and Respond
An important part of the requirements is the need to prevent credential compromise by enforcing an effective password policy and requiring multi-factor authentication (MFA, requirements 4.1 and 4.2). The framework allows the use of hardware tokens. However, it requires that the FI properly manage and track the tokens (requirement 5.2) during issuance, use, and storage in order to prevent unauthorized access to the SWIFT system. FIs can achieve compliance through the use of a management interface that facilitates assigning and tracking of each individual token.
In the Security Conformance Requirements, SWIFT provides additional guidance:
“The messaging interface must support (either embedded or by external software) multi-factor authentication for its end-user login. The authentication factors presented are individually assigned and support individual accountability of access to the messaging interface.”
In our opinion, the scope of the CSP security framework covers access to all SWIFT services, whether or not they have been subject to a cyber-attack in the past. It means that SWIFT’s customers need to consider MFA and other security requirements for access to infrastructure connecting with any of the SWIFT services.
The original Customer Security Controls Framework contained 16 mandatory and 11 advisory security controls. However, SWIFT reserved the right to edit the framework due to the evolving threat landscape and changing industry standards.
In August 2018, SWIFT published an update to the framework as well as a change management plan for future amendments. The update provides additional guidance and clarification on the implementation guidelines and includes changes to the scope of the mandatory and advisory controls. The deadline for self-attestation of compliance with the extended framework is the end of 2019.
The range of mandatory security controls now includes:
- 2.6 Operator Session Confidentiality and Integrity: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
- 2.7 Vulnerability Scanning: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.
- 5.4 Physical and Logical Password Storage: Protect physically and logically recorded passwords.
There are also two new voluntary best practices:
- 1.3A Virtualisation Platform Protection: Secure the virtualisation platform and virtual machines (VMs) hosting SWIFT-related components to the same level as physical systems.
- 2.10A Application Hardening: Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
Multi-factor Authentication (MFA) under the SWIFT CSP
4.2 Multi-factor Authentication: Prevent that a compromise of a single authentication factor allows access into SWIFT systems, by implementing multi-factor authentication.
SWIFT clearly understands that static passwords are a relic of the past and an easy target for cybercriminals. Industry experts, including OneSpan security experts, discourage the use of passwords as part of the authentication process.
By requiring multi-factor authentication to access its messaging service, SWIFT has taken an important step to prevent future cyberattacks. Multi-factor authentication leverages two or more independent factors in the authentication process. These factors can be divided into three types:
- Something you know (e.g., a PIN)
- Something you have (e.g., a hardware token or mobile device)
- Something you are (e.g., a fingerprint scan or other biometric)
Authentication methods that depend on two or more factors are more difficult to compromise than single-factor methods. Therefore, MFA should be a common practice not only in the end user-facing services, but also in the internal systems, especially those involved in transferring funds or making payments.
A Few Words on the SWIFT Cybersecurity Counterparty Risk Guide
The SWIFT Customer Security Programme is much broader than the SWIFT Security Controls Framework. It is a comprehensive initiative that aims at securing payments from multiple angles, and is in part a platform that provides access to counterparty self-attestation of compliance. This platform assists FIs in assessing levels of cybersecurity risk in their counterparties, but it also puts them under the scrutiny of their respective partners.
SWIFT recently released a guide, Assessing Cybersecurity Counterpart Risk, promoting best practices in security. This guide provides hands-on recommendations on how to establish a governance model and a cybersecurity risk management framework, as well as how to adopt cybersecurity risk countermeasures. Among these recommendations, SWIFT mentions “fraud detection capabilities that look for anomalies or outliers that do not represent the normal pattern of behavior.” It is good to remember that the main goal of the CSP is to protect the payments. This requires continuous monitoring of transactions – with capabilities to detect and stop the fraudulent ones. To comply with this recommendation, FIs should include a comprehensive, intelligent fraud detection tool that will be able to spot anomalies and detect current and emerging fraud patterns in real time.
A secure authentication solution, as well as a comprehensive fraud detection system, have become obligatory weapons in the fight against fraud. We welcome the fact that recommendations or requirements for these solutions are included in more and more security best practice guidelines, as well as in regulations. FIs need to be aware that it is not enough to secure end-user interactions. In the efforts to combat fraud, internal systems also need to be protected. Cyberattacks targeting internal banking infrastructure have shown that there is still plenty of room for improvement.
When evaluating vendors, we recommend you look for one that provides secure and user-friendly MFA solutions that include both server- and client-side authentication products, with both hardware and software tokens. This allows financial institutions to provide the best user experience in all use cases and ensures a fallback mechanism.
Similarly, look for a versatile fraud detection solution that answers multiple challenges, use cases, and requirements from different organizations, not only SWIFT CSP but also those included in regulations like PSD2.