SWIFT’s Customer Security Programme: A Good Initiative?
By François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman, EACT
These days, IT security is a must, especially around payments, which are crucial for all companies. SWIFT, a key player in this landscape, has recently launched a new initiative aimed at detecting whether users of the SWIFT network are compliant with basic security controls. But is this taking things a step too far for corporates?
SWIFT has recently launched the Customer Security Programme (CSP), a new initiative based on a self-assessment questionnaire to determine whether a SWIFT user is or is not ‘secured’ and therefore respecting best practices in terms of security. On paper, this looks like a sound initiative. But is it a good idea in practice? After all, as the British would say: “if it ain’t broke, don’t fix it”.
At its heart, the CSP is dedicated to supporting financial institutions to reinforce the security of their SWIFT-related infrastructure. A Customer Security Control Framework (CSCF) was published in April 2017, partly as a result of the consequences of the cyberattacks faced by SWIFT. This Framework defines a set of mandatory and advisory controls that should be implemented in SWIFT customers’ operating environments.
Road to the CSP
According to SWIFT, there are two main milestones users should observe. In fact, the first has already passed: all financial-institution SWIFT Bank Identifier Codes (BICs) were expected to submit to SWIFT, by the end of last year, a self-attestation of their level of compliance with the mandatory controls. SWIFT reserves the right to report to Supervising Institutions any BICs that have not completed their attestation.
Then, by the end of 2018, all SWIFT BICs must comply with mandatory controls and update their attestations. Similarly, SWIFT then reserves the right to report to Supervising Institutions any BICs (i.e., companies/banks) that do not attest their compliance with all mandatory controls.
As I said, the CSP seems interesting and useful. The claim that a breach around these services could lead to significant disruptions and financial losses is true to some extent. But are we certain that all these controls are necessary for corporates? In our view, as treasurers, it perhaps goes a bit too far.
Aiming for full compliance is great, but isn’t it more of an issue for banks than for corporates, especially those using SWIFT service bureaus? Because the exercise is based first on a self-assessment, it is difficult to carry out and the results are not easy to compare. We will need some time to clarify to what level we should be compliant and to further elaborate best practices.
Fig 1 - Customer Security Programme at a glance
Growing cyberattacks and increasing IT risks
The growing threat of cyberattacks has never been more pressing. We all know of, and some have even faced, recent instances of payment fraud in our customers’ local environments. It certainly demonstrates that there is a need for industry-wide cooperation to fight against IT and systems threats. It is important to note that while SWIFT’s network or services have not been compromised as such, incidents have taken place after a customer suffered security breaches within its own infrastructure.
What this highlights is that everyone is responsible when we talk about IT security and must make sure their environment is secured and safe. In my view, security is something that belongs to all of us - to a certain degree. SWIFT is a cooperative structure, belonging to banks, and is therefore (and fortunately) committed to playing an important role in safeguarding security. The payment and banking information ecosystem is wide and vital. It needs to be perfectly protected and its risks mitigated as much as possible.
This huge security programme launched by SWIFT is dedicated to enhancing information-sharing throughout the user community. We need a solid customer security control framework and no-one can question this. The idea of sharing best practices to better detect or prevent fraud attempts is also an excellent objective.
Nevertheless, IT security is expensive and, although each individual measure is good in itself, the cost can sometimes be too great compared with what it achieves. We must keep the IT risk/return in mind while investing in security. A corporate is neither a market infrastructure nor a financial institution, and its costs must remain reasonable. Corporates have seen an increase in costs related to payments and security, even though automation and technology were supposed to reduce them. It is a kind of paradox we just have to accept.
Security requires a three-tiered approach
This ambitious programme has been formulated around three complementary areas. As explained by SWIFT on its website, customers will first need to protect and secure their local environment (us); it is then a question of preventing and detecting fraud in commercial relationships (our counterparts) and of continuously sharing information and preparing defences against future cyber threats (our whole community). And it is right that security should be a collective duty and a joint effort if we are to succeed.
This new programme consists of 16 compulsory control measures and 11 optional (i.e., voluntary) ones. Customers and members may be called upon to present additional evidence of their compliance.
What should corporates do in order to be compliant?
Numerous corporates have started their self-assessment exercise by themselves, and some have done so with the support of advisors. The advantage of a joint exercise, or at least a gap analysis, is that it gives corporate users a bit of a benchmark. Otherwise, who could claim he/she knows precisely what should or should not be implemented, and how to assess it?
It is a tricky review, since it can have serious consequences for a SWIFT user. It must be taken very seriously. Advisors then try to define the measures taken and milestones achieved to protect the company’s information assets, the risks around disclosure of unauthorised data, and its legitimacy in a regulated and legal context that has become stricter over the years. Figure 2 lists the objectives and principles of the CSC Framework, which led to the 27 compulsory or voluntary controls mentioned above, including compliance with international standards such as ISO 27002 and the Payment Card Industry Data Security Standard (PCI-DSS).