The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global membership cooperative that provides secure financial messaging services for banks and financial institutions. To this end, it provides the technical infrastructure as well as standardized message formats for message transfer. Extremely high security and availability are central to the provision of these services.
In response to the cyberattack on Bangladesh Bank, SWIFT published the Customer Security Programme (CSP) in 2017. At its core, the SWIFT Customer Security Controls Framework (CSCF) includes mandatory and advisory controls that SWIFT members must regularly demonstrate compliance with.
Questions and answers
To give you a first overview and a quick introduction to the topic, we answer the 7 most important questions about SWIFT Assessments in this article:
1. What is a SWIFT Assessment?
2. Who is required to conduct a SWIFT Assessment?
3. Why is a SWIFT Assessment important?
4. What are the key areas of a SWIFT Assessment?
5. Who can perform SWIFT Assessments?
6. How often does a SWIFT Assessment need to be performed?
7. How can an organization prepare for a SWIFT Assessment?
1. What is a SWIFT Assessment?
SWIFT users are required under the Customer Security Controls Framework (CSCF) to demonstrate compliance with at least all mandatory controls annually through an independent assessment. Such a SWIFT Assessment reviews the security of an organization's SWIFT infrastructure and systems to ensure that they are protected against potential security threats and vulnerabilities.
2. Who is required to conduct a SWIFT Assessment?
All SWIFT users must demonstrate compliance with the mandatory controls defined in the Customer Security Controls Framework (CSCF).
The Independent Assessment Framework (IAF) documents that all SWIFT users must conduct a Community Standard Assessment to further improve the accuracy of their attestations. SWIFT requires that the submitted attestations are independently assessed by either an internal assessment or/and an external assessment. The self-assessment option remains, but is considered non-compliant.
3. Why is a SWIFT Assessment important?
A SWIFT Assessment is important because it helps organizations identify potential security risks and vulnerabilities in their systems and processes and take steps to mitigate or eliminate those risks. This helps protect the organization from potential financial loss and reputational damage.
By helping to improve the security of an organization's systems, the SWIFT Assessment also better protects the financial and personal data of the organization's customers.
4. What are the key areas of a SWIFT Assessment?
The key areas in a SWIFT Assessment are network security, application security, data security, access controls, incident response procedures, and regulatory compliance.
5. Who can perform SWIFT Assessments?
SWIFT Assessments are usually performed by independent security consultants or auditing firms with expertise in SWIFT security, payment security and IT security in the financial sector. Organizations can also have the assessment performed internally by the second or third line of defense. However, it is generally recommended that the assessment be performed by an independent third party to provide a more comprehensive and unbiased assessment.
6. How often does a SWIFT Assessment need to be performed?
SWIFT users must have an independent SWIFT Assessment performed once a year. In addition to the full assessment, the IAF also describes criteria for reusing the results of the previous year's assessment from July 2023.
The duration of a SWIFT Assessment depends on the size and complexity of the organization's SWIFT infrastructure. On average, a security assessment can take several days or weeks.
7. How can an organization prepare for a SWIFT Assessment?
Organizations should decide in good time on the desired type of assessment - by an external auditor or by their internal audit department. If the choice falls on an external auditor, organizations should look for a suitable partner in good time and involve them in the preparation early on.
To adequately prepare for the assessment, organizations can conduct a gap analysis or a short workshop to compare their implemented processes with the security controls required by SWIFT.
Do you have further questions or need support in preparing your SWIFT Assessment? Contact us, we are happy to help.