What are you doing to safeguard the SWIFT community against cyber attacks?
02 April 2019
Cyber crime is on the rise; technology is evolving by the day. With newspaper headlines filled with stories of institutions hit by sophisticated attacks, security of payment messaging platforms such as SWIFT is increasingly paramount. The Bank of Bangladesh heist is an uncomfortable reminder, and when we talk to our clients, both big and small, there is something about that story that resonates with each of them. That bank heist remains one of the biggest in living memory.
Who will be the next target?
For many, it brought into question the integrity of their own security environment. Could we be a target for the next attack? And even if I am taking this seriously, what should I be doing to raise awareness of the importance of security within my own organisation? Some have felt the heat from the regulator on the back of it. How can I demonstrate to the regulator that we are taking security seriously? And how can we further prove to the SWIFT community that we are doing our part in securing the payment environment?
After all, the vulnerabilities derived from how SWIFT clients connect into the SWIFT infrastructure, and not from the infrastructure itself. An ecosystem is only as secure as its weakest link, and with a network of its size, an attack impacting one SWIFT customer has the potential to impact all SWIFT customers, as well as the wider ecosystem of financial services and beyond. Security standards at each entry point must be maintained, and it is therefore no surprise that the SWIFT Customer Security Programme (“CSP”) was launched in 2017.
Sharing the responsibility; increasing confidence
Both regulators and SWIFT community members have welcomed the CSP and the associated guidance, gaining some confidence from the setting of minimum security standards. However, the framework has had to evolve as the threat landscape evolves, and so it is not enough to see this as a tick-box exercise. Organisations need to get on the front foot and consider what the risks are, how they’re evolving, and what controls will adequately mitigate the risks. As threats evolve, so will the suite of controls that are mandated by the framework.
In the run-up to the 2017 and 2018 self-attestation cycles, we have worked with a range of SWIFT customers globally to help them assess, improve, and remediate their control framework. This has been in the form of controls gap analyses, maturity assessments, internal audits focused on the CSP framework, and now independent assurance. In particular, the demand for formal assurance over the security of an organisation’s SWIFT environment is on the rise, whether this be by internal audit or an independent assurance provider.
The journey to formal assurance over the control environment
Why is this the case and how can it work for you? Obtaining a formal assurance opinion establishes and bolsters confidence in the security of the payments processing environment. This not only helps to demonstrate compliance, but also sends a strong message to the market that you are committed to continuously raising the bar to meet the evolving cyber security challenge. And given that independent assurance will now be mandated from 2020, now is the time to start that journey.
For more on how we can help and who to contact, go to www.pwc.co.uk/swift.