Cyber-attacks are becoming more sophisticated all the time, and financial institutions are under enormous pressure to protect their customers and networks from this threat. SWIFT’s Customer Security Programme (CSP) is designed to ensure that financial institutions keep up with the controls they need to address cyber threats. With 23 mandatory controls and 9 advisories in the 2022 control framework, it’s no wonder that some banks struggle to stay on top of them.
According to Accenture Security analysis, there was a 125% year-on-year increase in cyber-attacks in 2021, with banking targeted by 10% of all incidents.
Banks are required to complete an assessment every year using SWIFT’s Independent Assessment Framework and then to submit an attestation. Our team helps organizations with this compliance work, and we see certain problems that come up frequently. Here are six mistakes we often encounter that can cause problems with your assessment.
Common mistakes in CSP assessment compliance
- Being unaware that an assessment is necessary: Clearly, if you don’t realize you need to complete an assessment every year, you’re unlikely to comply. Keeping up with current CSP controls and understanding what’s required of your business is the first step in avoiding problems. Your SWIFT compliance team should stay on top of the requirements because they change annually.
- Taking the assessment too lightly: The required assessment is not a simple check-the-box exercise. If you expect the process to be straightforward, you will probably begin too close to the deadline and end up rushing through it. Although the attestation is due at the end of the calendar year, you should begin working on the assessment several months earlier. As of 2021, the assessment must be performed by an independent assessor, so you will need to book their time and prepare all of the documentation they need to complete it on schedule.
- Not implementing controls properly: There are currently 32 controls in total, and 23 of them are mandatory. If you don’t understand what’s involved in implementing these controls properly, you may incorrectly assume that you have complied with them. You may need to seek external advice to ensure you have correctly implemented everything you need to, paying particular attention to any new controls or ones that have recently become mandatory.
- Missing required documentation: You might assume that your organization has good documentation on its processes and procedures and that it’s all available for the assessment. When you review the documents, you may discover unexpected gaps that you must quickly try to fill. This is one of the reasons it’s important to start the assessment early. If you have documentation gaps, it’s a good idea to immediately put measures in place to ensure that you have closed those gaps for the following year’s assessment.
- Not involving all key groups: The assessment cannot be completed by the SWIFT support team alone. You will need cooperation (and time) from a number of other business units, which may come as a surprise to them if the assessment isn’t on their radar. Some of the teams you may need to involve include networking, business operations and system administrators.
- Forgetting third-party vendors: Do you use third-party suppliers to host your infrastructure or provide other support or functionality? They must be included in the assessment process, which involves getting documentation from them and ensuring that they are also compliant. This can take significant time, especially if the vendor is not familiar with the assessment and its requirements. Talk to these third parties about your assessment needs well ahead of time to ensure they provide you with everything you need without a last-minute panic.
Tips for avoiding these mistakes
- Prepare early: Keep all the documentation you will need ready, well before you begin the assessment. Keep your previous years’ results on hand as well, so that you can easily see what you’re missing and what has changed in the past year. Contact the stakeholders from various business units who need to be involved, and encourage them to set aside time to help you complete the assessment on schedule.
- Use an external independent assessor: You can use an external provider to muster the skill sets needed for the assessment that may not be available within your organization. They can either complete the assessment themselves or provide experts and auditors to support your organization’s risk, compliance or internal audit department in completing the assessment.
You can find more about our capabilities, expertise, and approach here. Contact our SWIFT CSP team to help you understand what the most recent changes mean for your organization and get the support you need to stay compliant.