SWIFT CSP 27 Controls


Customer Security Program - supporting the community in strengthening security

September 12, 2017

Juan Martinez, Head of Latin America and Caribbean region - SWIFT


SWIFT: the global provider of secure financial messaging services

SWIFT in figures
Industry Change & Challenges

The traditional model is undergoing rapid change, driven by innovation, cyber security and regulation:

• Innovation
• Cyber Security
• Regulation
SWIFT is leading 3 initiatives that, combined, take correspondent banking to the next level:

• Innovation – gpi (global payments innovation), for payments
• Cyber Security – CSP (Customer Security Programme)
• Compliance – FCC (Financial Crime Compliance)

Customer Security Programme (CSP)
CSP | Modus Operandi

Step 1: Attackers compromise the customer's environment
Step 2: Attackers obtain valid operator credentials
Step 3: Attackers submit fraudulent messages
Step 4: Attackers hide the evidence

• Attackers are well-organised and sophisticated
• The common starting point has been a security breach in a customer’s local environment
• There is (still) no evidence that SWIFT’s network and core messaging services have been compromised
CSP | Programme Overview

Launched on May 27th 2016, CSP supports all customer segments, whether directly or indirectly connected, in reinforcing the security of their SWIFT-related infrastructure.

• You – Secure and Protect: SWIFT Tools; Security Guidelines and Assurance
• Your Community – Share and Prepare: Intelligence Sharing
• Your Counterparts – Prevent and Detect: Transaction Pattern Detection – RMA, DVR and Payment Controls
CSP | You > Security Guidelines and Assurance
Security Controls: CSP Security Controls Framework

3 Objectives, 8 Principles, 27 Controls

Secure Your Environment
1. Restrict Internet access
2. Segregate critical systems from general IT environment
3. Reduce attack surface and vulnerabilities
4. Physically secure the environment

Know and Limit Access
5. Prevent compromise of credentials
6. Manage identities and segregate privileges

Detect and Respond
7. Detect anomalous activity to system or transaction records
8. Plan for incident response and information sharing

• Applicable to all customers and to the whole end-to-end transaction chain beyond the SWIFT local infrastructure
• Mapped against recognised international standards – NIST, PCI-DSS and ISO 27002
• 16 controls are mandatory, 11 are advisory
• Final version published March 31, 2017
CSP | You > Security Guidelines and Assurance
Scope of the Controls (figure: out of scope vs. in scope)
Controls Framework (figure)
Controls (figure)
Supporting the Community

• Guidance on the Customer Security Controls Framework: SWIFT guidance on the customer security controls framework
• SWIFT Support: customer security work sessions – hundreds of work sessions held in local communities and via webinars to share CSP milestones and deliverables
• The SWIFT Customer Security Controls Framework and Security Controls Policy Document: review the SWIFT Customer Security Controls Framework and the Security Controls Policy Document. Customers must log in to mySWIFT with their swift.com credentials to access the documents.
• SWIFTSmart: the SWIFTSmart e-learning training platform includes a portfolio of modules, including in-depth modules on each of the mandatory security controls
• MySWIFT: a self-service portal containing “how-to” videos, guidance on frequently asked questions and Knowledge Base tips
• CSP pages: visit the CSP pages for programme news and updates
CSP | You > Security Guidelines and Assurance
Directory of Cyber Security Service Providers
If customers need assessment or implementation support, they can consult the directory of cyber-security service
providers on SWIFT.com to help find a suitable third-party project partner

− The Directory of Cyber Security Providers is for SWIFT customers’ reference only
− SWIFT does not endorse or warrant the providers (or their services) listed in the Directory
− SWIFT users can opt to contract with other providers that are not featured in the Directory
− SWIFT users must always conduct their own analysis of the suitability of a Cyber Security Service Provider for their purposes

Available on SWIFT.com/CSP
CSP | You > Security Guidelines and Assurance
Attestation

Builds on the principles of fostering transparency between users and ensuring customers remain in control.

− Central tool to submit self-attestation status information
− Attesting user remains in control of publication of its data to counterparties
− Any other user must request access from the attesting user to view its data

The KYC Registry: a central tool
− To share compliance results with counterparties, as deemed appropriate.
− Creates transparency and allows risk management and business decision-making

Open for data submission and consumption from July 2017
− You will need to renew or reconfirm your self-attestation on at least an annual basis
CSP | You > Security Guidelines and Assurance
Attestation

1. Submission of self-attestation
2. Grant access to counterparties
3. View your counterparties’ compliance status
4. Follow-up activities to drive compliance and improve security
CSP | You > Security Guidelines and Assurance
Attestation Content

• Submitter and approver info
• Evaluation method (self-assessment, internal audit, external audit)
• Type of infrastructure (including hub owner or service bureau if applicable)
• Contact information

For each control:
• I comply
  − in line with guidance
  − with alternative implementation
• I will comply
  − with qualification date field
• I do not comply

Any mandatory control with a missing response will default to “Do not comply”.
Advisory controls may be left with a blank response.
CSP | You > Security Guidelines and Assurance
Timeline Summary

(timeline figure, 2017 to 2019: CSCF published; CSCP published; KYCR-SA live; window for submitting initial self-attestation; reporting of non-attestation; annual renewal of attestation; reporting of non-compliance)

─ 31st March, 2017: Publication of SWIFT Customer Security Controls Framework
─ 22nd May, 2017: Publication of SWIFT Customer Security Controls Policy
─ July 2017: KYC Registry Security Attestation application available for data submission and consumption
─ As of end December 2017: all users must have submitted their self-attestation
─ As of Jan, 2018: SWIFT reserves the right to report users that have not submitted a self-attestation
─ As of Jan, 2019: SWIFT reserves the right to report non-attested users and non-compliance
CSP | Programme
Beyond Securing and Protecting

• You – Secure and Protect: SWIFT Tools; Security Guidelines and Assurance
• Your Community – Share and Prepare: Intelligence Sharing
• Your Counterparts – Prevent and Detect: Transaction Pattern Detection – RMA, DVR and Payment Controls
CSP | Your Counterparts
Relationship Management Application - RMA (Secure the Future)

RMA and RMA plus

Only 40% of RMA relationships are actively used.

Poor management of RMAs creates potential security risks.

Wolfsberg principles suggest that the risks of RMA should be assessed. Approvals should be controlled and segregated between customer relationships and non-customers, with distinct due diligence criteria for each. Due diligence should consider the scope of message types used.

Unilateral RMA revocation is now easy and is confirmed within 15 minutes.

The “RMA and RMA Plus: managing your correspondent connections” info-paper provides details on best practice.
CSP | Your Counterparts
Transaction Pattern Detection - DVR (Secure the Future) (figure)
Payment Controls (Secure the Future) (figure)
CSP | Your Community
Intelligence Sharing: SWIFT-ISAC (Secure the Future)

(portal screenshot: meta-data search and external references; OpenIOC and PDF downloads; help; IOC details; bulletin list)
CSP | SWIFT.com
Secure the Future

Customer Security Programme – Secure the Future

Feedback, questions and open discussion

www.swift.com
