In 2016 attackers compromised systems at the Bangladesh Central Bank and sent payment instructions totalling USD $951m, of which $101m were processed by the Federal Reserve Bank of New York. This remains the biggest bank heist in history.
Since this time, SWIFT's payments community continues to suffer from a number of cyber-attacks and breaches. While all SWIFT customers remain primarily responsible for protecting their own environments, SWIFT aims to support its community in the fight against cyber-attacks with the development of their Customer Security Programme and have identified mandatory and optional security controls that their 11,000 customers worldwide must comply with.
SWIFT’s customers have to attest compliance to all mandatory controls on an annual basis*. Furthermore, SWIFT has introduced a requirement that mandates an independent assessment for all customers' attestations. This comes into force in 2021.
SWIFT CSP Development
[*] COVID-19 Update: Given the global COVID-19 situation SWIFT has published updated guidelines on 18 June 2020 regarding changes to the CSP self-attestation and independent assessment requirements for 2020. SWIFT has announced that in 2020, customers can self-attest against the 2019 version of the SWIFT CSP and can optionally support the self-attestation with an independent assessment. In 2021, independent assessment will be a mandatory requirement and customers will be required to attest against the 2021 version of the CSP framework.
How are PwC positioned to help with this?
< Back
< Back
[+] Read More
Why PwC?
PwC will leverage inhouse accelerators and our extensive SWIFT CSP expertise to ensure that your needs are met ahead of SWIFT's required independent assessment due on 31 December 2021.
Proven CSP Assurance Experience
We have performed numerous SWIFT CSP assurance engagements across multiple territories and industries.
Cohesive team who understand SWIFT
We understand SWIFT like no other as we performed an annual review of SWIFT under the internationally recognised ISAE3000 standard for over 10 years.
Technical expertise and knowledge
We are the only ‘Big-4’ firm with a professional Certified Cyber Security Consultancy certificate from the NCSC. We are unique in our ability to leverage threat intelligence to build and simulate realistic cyber-attack scenarios.
Adapting to your requirements
PwC will leverage inhouse accelerators and our extensive SWIFT CSP expertise to ensure that your needs are met ahead of SWIFT's required independent assessment due on 31 December 2021.
PwC will provide industry insight that is relevant to your market segment and geographical segment, as well as a balanced view on how to prioritise any associated actions.
SWIFT customer security programme: FAQs
- 1) What is the SWIFT CSP?
- 2) When is the deadline for SWIFT CSP compliance?
- 3) What form does the SWIFT required independent assessment need to take?
- 4) What are the 22 SWIFT CSP mandatory controls?
- 5) What happens if you attest non-compliance?
- 6) What happens if I suspect my organisation has been targeted or breached?
1) What is the SWIFT CSP?
SWIFT's customer security programme (CSP) aims to prevent and detect fraudulent activity through a set of mandatory security controls, community-wide information sharing initiatives and enhanced security features on their products.
2) When is the deadline for SWIFT CSP compliance?
SWIFT's customers are required to submit their attestations on an annual basis to SWIFT's KYC portal by 31st December.
In 2020*, customers can attest compliance to either CSCF v2019 or CSCF v2020. In 2021, an independent assessment is required alongside the customer's attestation.
3) What form does the SWIFT required independent assessment need to take?
There are two forms in which a SWIFT customer can gain an independent assessment:
- An internal assessment. This is similar to an internal audit, carried out by the internal audit function of the customer and independent from the function submitting the attestation.
- An external assessment. This is similar to an external audit, carried out by organisations such as PwC who will provide an independent assessment against the CSP controls.
4) What are the 22 SWIFT CSP mandatory controls?
There are 22 mandatory controls focussed on, securing your environment, limiting access, detecting and responding.
5) What happens if you attest non-compliance?
SWIFT reports all cases of non-compliance and where members have not attested at all to local regulators. In addition SWIFT will select a sample of attestations for validation each year.
6) What happens if I suspect my organisation has been targeted or breached?
It is vital that you share all relevant information and let SWIFT know there is a problem as soon as possible, in order to protect other organisations in the network.
Related content
Follow us
