Find answers to important questions about the new requirements.
All SWIFT customers are required to complete assessments against the security controls of the Customer Security Programme (CSP), which helps SWIFT customers defend against cyber-attacks. As of 2021, an assessment counts as compliant only if it is performed by an independent party rather than by the customer alone.
Here are answers to four common questions about the assessments.
1. What’s behind the change?
Broadly, the importance of cybersecurity is driving this change. The CSP has evolved considerably since its launch in 2017. This new phase is the latest chapter in SWIFT’s digital security efforts and evidence of the growing focus on cybersecurity across market infrastructures and regulators.
2. What’s new about the CSP in 2021?
The biggest changes expand the scope of both the security controls and the assessments. Specifically, Community Standard Assessments performed by an independent group are now mandatory. A customer can still self-attest, but a self-attestation that is not backed by an independent assessment is reported as non-compliant. SWIFT also reserves the right to require an independent external assessment from a user to verify the accuracy of its attestation, and refusal to perform an assessment mandated by SWIFT is reportable.
Institutions that engage third parties to host or operate part of their SWIFT infrastructure, such as service bureaus and cloud providers, must now also obtain reasonable comfort from those third parties that the outsourced activities or externally hosted components are protected as the security controls require.
3. How should financial institutions comply with the new requirements?
Choosing the right partner to perform your assessment will make a substantial difference both in meeting the new CSP requirements and, ultimately, in maintaining strong cybersecurity. That is easier said than done.
The security of the payments stack is only as strong as the weakest application in the end-to-end flow. Assessing the stack should therefore not be a tick-box exercise against the SWIFT controls alone: it should be comprehensive and cover the surrounding payments applications, the underlying infrastructure and the technology on which they run.
When selecting an assessor, take into account the qualifications, skills and depth of knowledge across their organization.
It is also worth noting that, while SWIFT customers have until the end of the year to finish their assessments, an assessment can take a surprising amount of time. Starting early is wise, as is allocating skilled people and budget to the project.
4. Do all financial institutions need the same kind of assessment?
Financial institutions will need different levels of support in carrying out their assessments. This depends on many factors, which include the scope and complexity of their operations as well as the size and expertise of their internal teams. Some financial institutions will need a second opinion on the work they have already carried out, while others will need end-to-end guidance on complying with the new CSP requirements and strengthening their payments cybersecurity.
Whatever your needs, Accenture is here to help you prepare, and we will work with you throughout this journey. You can find out more about our capabilities, expertise and approach here, or simply get in touch if you would like to discuss this topic.