SWIFT Unveils Mandatory Customer Security Requirements and an Associated Assurance Framework

  • Security and Compliance
  • 29.09.2016 12:15 pm

SWIFT announces the introduction of a set of core security standards and an associated assurance framework for its customers. The standards will be mandatory for all customers, who will be required to demonstrate their compliance annually against the specified controls set out in the assurance framework.

The core security standards are based on three overarching objectives that address the major areas of attention in customers’ SWIFT-related environments. Under SWIFT’s new assurance framework, customers will be required to self-attest against 16 mandatory controls on an annual basis. Self-attestation will start in the second quarter of 2017, when the standards will become applicable to all customers connected to SWIFT, including those connected through service bureaus.

SWIFT CEO Gottfried Leibbrandt said: “While customers remain responsible for protecting their own environments, SWIFT is fully committed to helping strengthen customers’ security and helping them improve their security measures, and our aim in setting out this framework is to support customers by helping to drive awareness and improvements in the industry’s overall security. We will do this by maintaining a dynamic assurance approach, evolving the framework in line with the changing threat landscape, and making sure it complements emerging regulatory guidance.”

Inspections and enforcement will begin on 1 January 2018, when customers’ compliance status will be made available to their counterparties, ensuring transparency and allowing firms to assess the risk of the counterparties with whom they are doing business.

From January 2018, SWIFT will report the status of any non-compliant customers to their regulators, and will randomly select customers who will be required to provide additional assurance from either their internal or their external auditors. This quality assurance process will not preclude customers from independently requesting additional assurance from their counterparties. In addition, customers will be able to choose to disclose their compliance with a further 11 advisory controls that supplement the 16 mandatory controls.

SWIFT Chairman Yawar Shah said: “We recognise that this will be a long haul, and will require industry-wide effort and investment, as well as active engagement with regulators. The growing cyber threat requires a concerted, community-wide response. This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT’s Customer Security Programme.”

The detailed objectives and controls will be made available to SWIFT customers at the end of October 2016. During a two-month validation period, SWIFT will engage with nominated security contacts at SWIFT National Member Groups to collect community feedback before the final standards are published at the end of March 2017.

George Rice, senior director, payments for HPE Security-Data Security:

“SWIFT’s announcement of a mandatory data security framework is a positive step towards protecting sensitive data in financial systems. As the SWIFT framework will likely establish, multiple cybersecurity strategies must be implemented in order to truly protect sensitive data from loss and fraudulent use.

Techniques such as Format-Preserving Encryption and tokenization are widely used in other areas of the worldwide financial system and are considered highly effective when implemented properly. In doing so, sensitive data such as log-in credentials, transactional records, PCI and PII data may be protected in a way that maintains usability for the business but removes their value to unauthorized users who may gain access to data environments.

As well, numerous identity and access management tools are available that can detect fraudulent use of stolen data.”

Shane Stevens, director of Omni-Channel Identity and Trust Solutions for VASCO Data Security:

“We applaud their efforts in taking the steps to address the processes and controls around cybersecurity. The caution comes into play as to the balance required to address their mandatory security controls, as banks are already addressing so many compliance mandates today. Banks are already allocating more money than ever before to address their security needs.

Now I would question SWIFT as to what they are doing to protect their network in a way that can provide assurances to the banks and their users. SWIFT needs to lead by example and take authentication controls to the next level within their own organization. A holistic and synchronized approach across all compliance mandates and guidelines for banking will be needed to help banks focus on the far more effective means of authentication available today, rather than the 30-year-old technology of passwords, which has been proven easy to defeat for many years already.

Banks realize that the most significant protection starts upfront with simple and intelligent authentication. Once that is addressed, they can move to further optimize other areas of underdeveloped cybersecurity controls. We see great potential in new technologies that support our efforts to stop breaches and prevent fraud attacks. All within the financial services industry need to act with true social responsibility to address cybersecurity.”

Mark Wilson, director of product management at STEALTHbits Technologies:

“With a combination of increased risk of breach and tighter compliance regulations such as EU GDPR, mandatory security controls are the only way forward.

All it takes is one chink in the armor and a bad actor can gain access to your credentials and data. If data is transferred or shared between organizations, the attack surface grows exponentially. Therefore it makes absolute sense that all links in the data chain should be mandated to comply with a strict, compliant code of practice.

I see SWIFT as leaders here and, as usual, the leaders are often criticized because it feels as though they are imposing their practices on others. There is also a tendency to feel singled out unfairly, as with the Bank of Bangladesh.

Let's see where we are in 12 months, 2 years, 5 years down the line. I'm positive this practice will permeate across most verticals.

For example, in the UK all public sector organizations have to adhere to a 'code of connection' to access centralized infrastructure. So surely it's no surprise for this practice to be seen in finance, pharmaceuticals, defense, etc.”