These days, IT security is a must, especially around payments, which are crucial for all companies. SWIFT, a key player in this landscape, has recently launched a new initiative aimed at detecting whether users of the SWIFT network are compliant with basic security controls. But is this taking things a step too far for corporates?
SWIFT has recently launched the Customer Security Programme (CSP), a new initiative based on a self-assessment questionnaire to determine whether a SWIFT user is or is not ‘secured’ and therefore respecting best practices in terms of security. On paper, this looks like a sound initiative. But is it a good idea in practice? After all, as the British would say: “if it ain’t broke, don’t fix it”.
At its heart, the CSP is dedicated to supporting financial institutions in reinforcing the security of their SWIFT-related infrastructure. A Customer Security Control Framework (CSCF) was published in April 2017, partly as a result of the consequences of the cyberattacks faced by SWIFT. This Framework defines a set of mandatory and advisory controls that should be implemented in SWIFT customers’ operating environments.
Road to the CSP
According to SWIFT, there are two main milestones users should observe. In fact, the first has already passed – all financial institution SWIFT Bank Identifier Codes (BICs) were expected to submit to SWIFT, by the end of last year, a self-attestation of their level of compliance with the mandatory controls. SWIFT reserves the right to report to Supervising Institutions any BICs that have not completed their attestation.