In April 2017, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) published the final version of its Customer Security Controls Framework (the "Framework"), as part of the Customer Security Programme it launched in June 2016. SWIFT is a messaging network that allows more than 11,000 banking and securities organisations to securely exchange payment instructions and other financial messages through a standardised system of codes.
The new Framework comprises 16 mandatory and 11 advisory controls, designed to reflect good security practice and support SWIFT's three overarching security objectives: "Secure your Environment"; "Know and Limit Access"; and "Detect and Respond".
Mandatory controls: Since April 2017, SWIFT's customers have been expected to evaluate their compliance with the mandatory controls, and from July 2017 they will need to self-attest their compliance with the Framework, with attestations to be completed by the end of 2017. Enforcement by SWIFT, which will include inspection by internal and external auditors, is then set to begin in January 2018.
The mandatory controls to be implemented by SWIFT's customers with immediate effect include:
- Restrict internet access and protect critical systems from the general IT environment – ensure the protection of the user's local SWIFT infrastructure and control the allocation of administrator-level operating system accounts
- Reduce attack surface and vulnerabilities – ensure internal data flow security, apply mandatory software updates and perform system hardening
- Physically secure the environment – prevent unauthorised access to sensitive equipment, hosting sites, storage, etc.
- Prevent compromise of credentials – implement and enforce a password policy and multi-factor authentication
- Manage identities and segregate privileges – implement logical access control
- Detect anomalous activity to system or transaction records – protect local infrastructure against malware and record and detect anomalous actions
- Plan for incident response and information sharing – provide regular staff training and ensure a consistent approach for the management of cyber incidents
Advisory controls: SWIFT's advisory controls recommend additional security measures such as implementing a regular vulnerability scanning process, identifying security gaps through penetration testing and evaluating the risk and readiness of the organisation based on hypothetical cyber attack scenarios.
The Financial Conduct Authority's Executive Director, Nausicaa Delfas, also touched on payment networks in a speech on the current threat landscape given to the Financial Information Security Network on 24 April 2017. In particular, Delfas referred to the 2016 theft from Bangladesh Bank, carried out through the bank's compromised SWIFT-connected infrastructure – highlighting the risk that one member's vulnerabilities can pose to an entire global payments network. Delfas called for "due diligence of third party suppliers [to] include a review of their cyber resilience" and concluded with a more general warning that firms must "expect the unexpected" when it comes to matters of cyber security.
Further reading: SWIFT's Customer Security Controls Framework; the FCA speech "Expect the unexpected" – cyber security – 2017 and beyond.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London