SWIFT, the application backbone of global financial transactions at many financial institutions and corporates, is increasingly being targeted by cyber criminals, as the recent SWIFT cyber hacking sprees have made abundantly clear. The last two years witnessed several cyber-attacks targeting the financial sector, and the SWIFT messaging system was a prime target for multiple attacks, which resulted in an $81 million heist at the Bangladesh Central Bank, $4 million at Akbank in Turkey, $9 million at Banco del Austro in Ecuador and an attempted $1.1 million heist at TP Bank of Vietnam.
In response, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) has announced a Customer Security Program (CSP). This program aims to improve information sharing throughout the community, enhance SWIFT-related tools for customers and provide audit frameworks.
SWIFT Assurance Framework
As part of the CSP, SWIFT introduced a mandatory assurance framework for all its 11,000 customers. The framework sets out 3 main objectives, spread among 8 principles, which are achieved through the appropriate implementation of 16 mandatory and 11 advisory security controls.
SWIFT believes that applying this framework will raise the security maturity bar for its customers and support them in their efforts to prevent and detect fraudulent use of their infrastructure. Implementation of the framework standards will also increase security awareness and education in the ongoing fight against cyber-related wire fraud. The SWIFT assurance framework has not been finalized yet. SWIFT expects to publish the final version by the end of Q1 2017.
Are you ready?
Starting in Q2 2017, SWIFT expects all its members, including those who connect through service bureaus, to provide a detailed self-attestation against the published mandatory controls. SWIFT further states that, in 2018, a sample of clients will be selected for inspection of their compliance with the mandatory controls. Selected SWIFT members will be required to provide additional assurance from either their internal or their external auditors.
How can KPMG help you?
After the introduction of the SWIFT Customer Security Program, KPMG has identified SWIFT security as a strategic growth topic for KPMG globally. For this purpose, KPMG has developed a SWIFT security risk assessment framework. The KPMG SWIFT security risk assessment framework focuses on SWIFT-specific security controls and the underlying infrastructure, in accordance with international standards and frameworks such as the SWIFT assurance framework, COBIT, NIST, SANS, and PCI-DSS. In addition to the standard IT assurance and cyber security controls, the KPMG SWIFT security risk assessment framework covers:
KPMG will update its framework to reflect the final SWIFT security framework as soon as it is formalized in April 2017.
Should you have any questions or inquiries, KPMG would welcome the opportunity to further explain how it can assist you through its service suite.