0% found this document useful (0 votes)

12 views12 pages

Cybersecurity

Uploaded by

seadevilfish

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

12 views12 pages

Cybersecurity

Uploaded by

seadevilfish

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 12

Cybersecurity assurance

and the SWIFT Customer

Security Program

kpmg.com
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
The financial sector continues to be a prime
target for highly sophisticated, customized
attacks. In particular, several financial
institutions around the globe have had
their SWIFT platforms hacked by cyber
thieves resulting in the loss of hundreds
of millions of dollars. In response, the
Society for Worldwide Interbank Financial
Telecommunications (SWIFT) introduced a
Customer Security Program (CSP) in 2017
that requires all member organizations who
use the interbank messaging network to
implement core security standards as well as
a related “assurance framework.” SWIFT has
published an assurance framework (Customer
Security Control Framework—CSCF) that
requires SWIFT members to self-attest their
compliance with the mandatory controls on
an annual basis.

The growing threat of cyberattacks has never been

more pressing, SWIFT customers are responsible for the
security of their own environments; but the security of the
industry as a whole is a shared responsibility requiring full
collaboration within financial services.

—Alain Desausoi,
Chief Information Security Officer (CISO), SWIFT
Source: Sibos conference, London (Nov. 23, 2018)

The v.2019 of the SWIFT CSCF now comprises 19 Mandatory controls to which members must
self-attest compliance and 10 Advisory controls. These changes provide SWIFT’s response to
the ever‑changing cyber threat landscape and provides their user community with an enhanced,
standardized assurance framework.

CSP secure and protect—customer security controls framework v.2019

Security controls
CSP security controls framework

1. Restrict internet access

3 2. Segregate critical systems from general
Secure your IT environment
Objectives environment
3. Reduce attack surface and vulnerabilities
4. Physically secure the environment
8 Know and 5. Prevent compromise of credentials
Principles limit access 6. Manage identities and segregate privileges
7. Detect anomalous activity to system or
Detect and transaction record
respond 8. Plan for incident response and
29
Controls information sharing
—— 19 controls are mandatory—3 advisory promoted:
–– 2.6 Secure operator sessions
–– 2.7 Yearly vulnerability scanning
–– 5.4 Physical and logical password storage
—— 10 controls are advisory—2 new ones: 1.3A Virtualization
platform protection and 2.10A Application hardening
—— Full compliance against mandatory ones by end of 2019
Source: SWIFT (August 10, 2018)

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
With the introduction of v.2019 of the CSCF, SWIFT has also published a timeline for members.
This provides a schedule for the introduction of changes to the framework and the reporting
requirement. SWIFT member organizations will be expected to assess and implement these
changes in accordance with the published timeline.

CSP update secure and protect—CSCF v2019 (aka v2) timeline

2018 2019 2020 2021

SWIFT Customers Customers

writes budget implement Latest date for
v2019 v2019 v2019 controls customer to
v2019 v2019
controls self-attest full
Version reg reg
v2019 reporting reporting compliance
of security against v2019
v2019 mandatory controls
controls v2019 controls v2019 attest Cust attest Updates/ attest
doc published window opens v2019 corrections window
in KYC-SA closes In
KYC-SA

SWIFT Customers Customers

writes budget implement
v2020 v2020 v2020 controls Latest date for
controls v2020 v2020
Version customer to
reg reg
self-attest full
v2020 reporting reporting
compliance
of security v2020 against v2020
controls v2020 controls v2020 attest Cust attest Updates/ attest mandatory
doc published window opens v2020 corrections window controls
in KYC-SA closes In
KYC-SA

Source: SWIFT (August 10, 2018)

SWIFT reporting requirements:

All SWIFT members are required to self-attest to their conformity with the CSCF’s 19 mandatory controls
and have the option to self-attest to the 10 advisory controls on an annual basis (i.e., no later than
December 31).
Additionally, as mentioned in SWIFT’s Q4 newsletter, SWIFT has begun requesting a select number of
members to arrange for an independent external assessment to validate the members’ self-attestation.
These assessments will need to be performed by independent specialists that possess the necessary
technical capabilities to undertake the work. If the assessments highlight that the members’ current
implementation does not match that self-attestation recorded in the SWIFT tool, then a new selft-attest
will need to be performed.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member Cybersecurity assurance and the
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and
SWIFT Customer Security Program 3
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
KPMG’s point of view
With the changes noted in the preceding, and the increase
in pressures from counter-party requests for greater security
transparency and a higher level of assurance, automation in
trading and payments systems, the broad array of interconnected
platforms, and the increased speed of executed transactions, there
is a heightened demand on SWIFT members’ ability to consume
these change drivers while simultaneously maintaining an
effective, rigorous cybersecurity controls framework.

By design, the SWIFT CSP will continue to change over —— Integration and standardization is key:
time as the threat landscape and attack vectors evolve. Many organizations are faced with multiple security
The most effective management of risk takes the view frameworks—some imposed by their regulators and
of incorporating the SWIFT controls into an ongoing others imposed by their counterparties or business
governance, risk, and compliance strategy within the relationships. Implementing and maintaining these
organization and not a one-time, “check-the-box” activity. frameworks can be a costly and time-consuming
Below are some of the better practices we have assisted burden. A key component in addressing the SWIFT
clients with in meeting their SWIFT requirements. CSCF, often times overlooked, is integrating it into
the organization’s enterprise governance, risk, and
—— Risk identification: Understanding the types of
compliance (GRC) model. Integration into an
transactions, data flows, and systems used to process
effective GRC program provides clarity on roles and
transactions is a critical first step for organizations.
responsibilities, consistent risk assessment and
By identifying and documenting the end-to-end
change processes, a streamlined library of controls to
transaction chain and the accompanying infrastructure,
reduce redundancy, and coordination of reporting and
management can understand the relevant risk points
monitoring of control effectiveness. This integration
and design a well-structured security and risk framework
provides organizations with an enhanced ability to
in accordance with the SWIFT CSCF requirements.
achieve compliance and operational performance goals
—— Documentation will ease compliance pain. as well as reduce costs and increase the sustainability
With SWIFT set out to enforce compliance against its of compliance.
framework, it is critical for SWIFT users to understand
—— Compliance automation: With technology changes, the
their IT control environment and to clearly document
evolving nature of cyber threats, updates to the CSCF
how processes and controls implemented address
Implementation Guide, and changes associated with
the mandatory controls to alleviate the stress of
new business strategies and processes, organizations
going through the compliance process. Complete
are looking at automation solutions to reduce
and accurate data flow diagrams that provide an end-
compliance costs, increase efficiencies, and better
to end transaction flow across multiple systems and
understand complex risks that can impact their
interfaces will help to accurately identify key risk points
business. Automation can be used to extract textual
and control gaps and increase the assurance of proper
information from non-machine-readable documents
SWIFT CSCF control coverage.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
to review transaction activity, analyze source documentation,
aggregate test results for a more holistic view of risk, and assist
with proactive identification and escalation of compliance failures.
Automation can provide greater risk coverage and consistency
and help identify more meaningful patterns in transactional data,
ultimately providing stakeholders with improved insight into the
organization’s compliance practices.
In the shift toward automation, organizations are focused on
automating the following top compliance activities:

56% 40%
Compliance risk assessment Regulatory change processes

34% 40%
Monitoring and testing Policy management

39% 27%
Due diligence Data and analytics

Source: KPMG’s Compliance Automation Survey (2018)

—— Independent attestation has additional benefits: SWIFT

has already started requesting some of its members to hire an
independent third party to validate the members’ self-attestation
as a part of SWIFT’s Quality Review Program. An independent,
objective attestation of the member organization’s adherence
to the SWIFT CSCF controls helps SWIFT members provide
their counterparties and correspondents with a higher,
globally recognized vehicle of assurance around their SWIFT
infrastructure while reducing the burden on internal resources.
The independent attestation report could also be used to satisfy
a SWIFT quality audit or regulatory request. Additionally, an
independent, globally recognized third party can provide SWIFT
members with a broader industry perspective and better practices
through a readiness assessment that may lead to a more efficient
and effective way of addressing their SWIFT CSP requirements.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member SWIFT customer security program
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and 5
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
KPMG’s approach
KPMG recognizes participating in a trusted SWIFT
network, supported by the SWIFT CSP, is a strategic
imperative for clients in the financial services
industry. Since the inception of the SWIFT CSCF in
2017, KPMG has assisted clients globally in assessing
their current-state SWIFT controls framework to
identify gaps and provide practical, actionable
recommendations for addressing those gaps in
accordance with SWIFT CSCF criteria. Additionally,
KPMG has also provided independent attestation
services under recognized standards to clients in
accordance with the SWIFT CSCF that provides
those clients with a globally recognized standard of
assurance and a reduction of effort for their critical
in-house resources.

KPMG brings a cross-functional team of professionals from the disciplines of

IT Audit and Assurance and Cybersecurity who have experience in the financial
services industry to deliver readiness assessments and/or attestation services
tailored to the clients’ needs and in accordance with the SWIFT CSCF criteria.
KPMG has developed a SWIFT security assessment framework and
standardized reporting formats for the execution of SWIFT engagements that
provides:
—— A consistent, holistic approach to assessing cybersecurity frameworks for
the latest iteration of the SWIFT CSCF
—— Globally recognized reporting standards (ISAE 3000, AT-C 205, SOC 2+,
or dual reporting)
—— Entity-wide processes related to SWIFT
—— Domain-specific controls
—— Security and IT industry better practices

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member SWIFT customer security program
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and 7
logo are registered trademarks or trademarks of KPMG International. NDPPS 853458
Security frameworks and standards
SWIFT
customer SWIFT audit
security NIST COBIT SANS PCI-DSS ISO
guidelines
framework

KPMG SWIFT security assessment framework

Components Review by domain

Security governance Change management Security awareness

SWIFT alliance General
access (SAA)
Network security Logging and monitoring Incident management

SWIFT alliance — Physical security — Physical security

gateway (SAG) — Logical access — Logical access
— Vulnerability, patch management, — Network access restrictions
anti-malware Server End user — Vulnerability, patch management,
SWIFT web — Logging and monitoring environment workstation anti-malware
platform (SWP) — Hardening
— Hardening
Scenario
Specific risk
SWIFT alliance assessment
workstation — Configuration Message(s) flow — Configuration management
security — Logical access
Interface Application
— Message integrity, confidentiality, — Segregation of duties
CREST/CREST and authentication (In transit and — Operations management
bridge at rest)
— Message integrity and
— Session management and security monitoring
— Logging and monitoring

KPMG has an established global footprint in security risk management and assurance services.
KPMG is investing heavily in cyber consulting services and our global leadership position was
confirmed by Forrester Research who named KPMG as a market leader in 2017. KPMG’s capabilities
are also recognized by SWIFT. As a member of SWIFT’s partner ecosystem, KPMG’s specialists are
up to date on the latest SWIFT standards.

Number of SWIFT CSP

25+
assessments and attestations
performed in the US and

56+ The number of countries with available

KPMG resources (Cyber, Audit, Swift)
globally since SWIFT
CSP inception

180+ Number of SWIFT CSP practitioners and

SWIFT SME’s in KPMG’s global network

Cyber Security
Reputation
3.200+ professionals
available from our
global Cyber team
KPMG is a listed Global
Consultancy Partner for SWIFT

Aleksandr Lembrikov
Partner, Advisory
T: 917-774-7274
E: [email protected]

Tim O’Rourke
Director, Advisory
T: 404-222-3470
E: [email protected]

Some or all of the services described herein may not be permissible for
KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or
entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as
of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate
professional advice after a thorough examination of the particular situation.