SWIFT Customer Security Programme

Similar documents
SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

Building the trust to succeed in digital business

SWIFT Customer Security Program

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

BHConsulting. Your trusted cybersecurity partner

the SWIFT Customer Security

ISO 27001:2013 certification

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Sage Data Security Services Directory

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Cybersecurity and the Board of Directors

NYDFS Cybersecurity Regulations

SOLUTION BRIEF Virtual CISO

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Customer Security Programme (CSP)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cybersecurity for Health Care Providers

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

How to meet SWIFT s operational requirements in 2018

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Gujarat Forensic Sciences University

BHConsulting. Your trusted cybersecurity partner

EU General Data Protection Regulation (GDPR) Achieving compliance

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Strengthening your fraud and cyber-crime protection controls. March 2017

ASSESSMENT LAYERED SECURITY

Cyber Risks in the Boardroom Conference

Cyber Risks, Coverage, and the Board of Directors.

Cybersecurity, safety and resilience - Airline perspective

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

SFC strengthens internet trading regulatory controls

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Secure Access & SWIFT Customer Security Controls Framework

SECURITY & PRIVACY DOCUMENTATION

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

Data Security Standards

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

CYBERSECURITY MATURITY ASSESSMENT

Cybersecurity in Higher Ed

Incident Response Services

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

to Enhance Your Cyber Security Needs

Cybersecurity Protecting your crown jewels

Transforming Security from Defense in Depth to Comprehensive Security Assurance

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

How Secure is Blockchain? June 6 th, 2017

External Supplier Control Obligations. Cyber Security

Cybersecurity The Evolving Landscape

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

CYBER SOLUTIONS & THREAT INTELLIGENCE

MITIGATE CYBER ATTACK RISK

Canada Life Cyber Security Statement 2018

Security Standards for Electric Market Participants

Cybersecurity Overview

PCI COMPLIANCE IS NO LONGER OPTIONAL

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World

Cybersecurity Auditing in an Unsecure World

Oracle Data Cloud ( ODC ) Inbound Security Policies

Digital Wind Cyber Security from GE Renewable Energy

Improving Cybersecurity through the use of the Cybersecurity Framework

NCSF Foundation Certification

Run the business. Not the risks.

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

DHS Cybersecurity: Services for State and Local Officials. February 2017

Security by Default: Enabling Transformation Through Cyber Resilience

T-SURE VIGILANCE CYBER SECURITY OPERATIONS CENTRE

VANGUARD POLICY MANAGERTM

What It Takes to be a CISO in 2017

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Effective Cyber Incident Response in Insurance Companies

INTELLIGENCE DRIVEN GRC FOR SECURITY

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

Will you be PCI DSS Compliant by September 2010?

CONTINUOUS COMPLIANCE. Your next cloud compliance audit could be your last. With LayerV s Continuous Compliance Service you re covered

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SWIFT Response to the Committee on Payments and Market Infrastructures discussion note:

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

FSOR. Cyber security in the financial sector VISION 2020 FINANCIAL SECTOR FORUM FOR OPERATIONAL RESILIENCE

Data Sheet The PCI DSS

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Contact us What makes us different Dinesh Anand Our offices Forensic Bangalore Kolkata Cutting-edge technology to deliver more efficiently Services

Transcription:

www.pwc.ch/cybersecurity SWIFT Customer Security Programme Mandatory controls: what you have to do to protect your local SWIFT infrastructures

SWIFT Customer Security Programme (CSP) The growing number of cyber-attacks, including those on local SWIFT infrastructures, has prompted SWIFT to define mandatory controls for SWIFT participants to fight cyber threats. In May 2017 the Society for Worldwide Interbank Financial Telecommunication (SWIFT) augmented its Customer Security Programme (CSP) with the publication of a set of Customer Security Controls defining specific requirements to be met by all SWIFT participants. The programme aims to improve the exchange of information within the SWIFT community, ensure a high level of security at local SWIFT infrastructures run by participants, put in place an assurance framework to counter the ever-increasing number of cyber-threats, and strengthen the ability of SWIFT participants to combat cyber-attacks. Recent attacks on the SWIFT network On 4 and 5 February 2016, attackers who had compromised systems at the Bangladesh Central Bank sent a number of payment instructions over its interface with the SWIFT network. These payment instructions totalled USD 951 million, of which USD 101 million was processed by the Federal Reserve Bank of New York. The fraudsters were able to launder USD 81 million of the money (largely through casinos in the Philippines). USD 20 million was recovered after it was diverted to Sri Lanka. This and other recent cyber-attacks show that attackers are not targeting the SWIFT network itself, but exploiting the security weaknesses of an institution s local infrastructure. While customers are responsible for protecting their own IT environments and access to SWIFT, the introduction of the SWIFT CSP is designed to help customers in the fight against cyber fraud. Step 0 Step 1 Step 2 Step 3 Step 4 Cyber attack on a bank s IT environment How does it work? Attackers analyse payment systems and processes Who does what? Attackers analyse the different actors in the payment processes How do I act like them? Attackers obtain valid operator credentials Fraud Attackers submit fraudulent messages 2

Objectives, principles and controls The CSP calls upon all SWIFT participants to implement a control and assurance framework consisting of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to optimally protect local SWIFT infrastructures. Objectives Principles Controls Secure your environment Know and limit access Detect and respond Restrict internet access and protect critical systems from general IT environment Reduce attack surface and vulnerabilities Physically secure the environment Prevent compromise of credentials Manage identities and segregate privileges Detect anomalous activity in systems or transaction records Plan for incident response and information sharing 27 controls: 16 mandatory 11 advisory The applicability to the local SWIFT infrastructure depends on the architecture. Not all controls are applicable to architectures without local, SWIFT-specific components. What action do I need to take? The SWIFT CSP will come into force on 1 January 2018. Before the introduction of the programme, each SWIFT participant must conduct a self-assessment and notify SWIFT of its compliance status in terms of the controls by the end of 2017. From 2018, all participants must confirm their compliance with the controls annually. This confirmation can be provided via a self-assessment (selfattestation), internal audit (self-inspection) or an external audit (third-party inspection). SWIFT will also carry out regular spot-checks of confirmations, by means of internal or external audits, for quality assurance purposes. 3

What happens if I don t comply? If your organisation fails to comply with these new requirements, SWIFT can report this to your local supervisory authority. Failures to submit a self-attestation, or late submission, will be reported starting 2018, and non-compliance with the mandatory controls will be reported from 2019. SWIFT will also report noncompliance to other counterparties if there is no direct local supervisory authority for your organisation. It is therefore crucial to perform the self-assessment as quickly as possible, and to send your self-attestation or confirmation of inspection of compliance every year. Q4 2016 Q2 2017 Q4 2017 January 2018 Comment period SWIFT seeks participants feedback on new guidelines. Control descriptions published Self-attestation SWIFT requires detailed selfattestation from participants. Results sharing begins Attestation results will become available for sharing within the community. Potential inspections or enforcement may be considered. Looking beyond the mandatory controls SWIFT participants should begin now to anticipate the threat class behind the Bangladesh Central Bank cyber-attack, and not wait until they are attacked. Organisations should examine and investigate their current environment beyond the traditional security-log analysis to determine whether they have already been attacked, or at least targeted, by this threat actor. Institutions should also prepare for oncoming attacks as this threat scheme adapts andadditional threat actors attempt to replicate its original success. PwC s threat intelligence service offering helps you maintain an up-to-date view of the threats relevant to your organisation and detect persistent and ongoing intrusions. 4

How PwC can help SWIFT Readiness Assessment We can help make sure you comply with the SWIFT CSP requirements by 1 January 2018 by assessing your current status and highlighting any gaps. Outcome: A complete overview of your implemented controls and the gaps you need to close to become compliant. SWIFT controls implementation and support We can help you implement controls or perform a postimplementation review to enable your organisation to comply with the SWIFT CSP requirements. Outcome: A tailored roadmap to achieving compliance, personalised assistance in the implementation of strategies, processes and technologies, and a security review of your implemented controls. SWIFT compliance confirmation We can assist you with your annual confirmation of compliance with the SWIFT CSP requirements. Outcome: An assessment confirming your compliance with the SWIFT CSP, recognised by SWIFT as a third-party inspection. Threat intelligence and detection We can help you keep an up-to-date view of threats to your organisation and detect persistent and ongoing intrusions. Outcome: Quarterly reports on the cyber-threat landscape specific to your sector, in-person briefings, monitoring and alerts of specific threats, and an incident response retainer. We can also help your organisation with the following services: Data classification, governance, compliance and protection Identity and access management strategy and implementation Incident response and forensics IT security architecture Penetration tests Regulatory compliance Threat and vulnerability management 5

are you ready? For more information, please visit us at www.pwc.ch/cybersecurity or contact us directly: Reto Häni Cyber Security Partner and Leader PwC Digital Services +41 79 345 01 24 reto.haeni@ch.pwc.com Yan Borboën Cyber Security Partner PwC Assurance +41 79 580 73 53 yan.borboen@ch.pwc.com Jens Probst Systems & Process Leader PwC Assurance +41 58 792 29 59 jens.probst@ch.pwc.com Nicolas Vernaz Data Protection and Regulatory Compliance Leader PwC Digital Services +41 79 419 43 30 nicolas.vernaz@ch.pwc.com We ve done this before PwC offers a truly global cybersecurity service, with over 3,200 professionals worldwide, enabling us to tap into a global network and deliver value locally wherever you are operating. Our full range of services includes technical, business and legal expertise to help you navigate the challenges and threats faced by business today at the technical level as well as at board level. 2017 PwC. All rights reserved. PwC refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback