The 2016 Bangladesh Bank cyber-attack and multiple other cyber events connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) have brought renewed attention to the effectiveness of SWIFT security and fraud controls.
SWIFT’s Customer Security Program (CSP) [1] is a set of core security standards intended to help mitigate specific cybersecurity risks that SWIFT clients face due to the cyber threat landscape. The CSP, which is based on three objectives, eight strategic security principles, and a common set of 27 security controls (16 mandatory and 11 advisory), is aimed at reducing these fraud and cyber incidents. All SWIFT customers must comply with the mandatory controls under the CSP and provide a detailed annual attestation with respect to their compliance, the first of which is due in December 2017.
In order to implement the CSP framework, SWIFT customers should consider the following factors:
SWIFT dependency poses significant liquidity, operational, cyber, and financial risk, and Deloitte is well-positioned to support companies in their efforts to address SWIFT dependency.
Impact Assessment – Deloitte can conduct an initial SWIFT risk assessment and provide a prioritization framework and a review of current controls and processes.
Risk Mitigation Planning – Deloitte can develop a remediation strategy and a roadmap for implementing improvements and enhancements to address identified gaps in controls and processes.
Testing – Deloitte can assist in establishing a testing framework and conducting testing to meet CSP requirements.
Implementation Support – Deloitte can assist with governance establishment, implementation, and war gaming.
As further developments occur, Deloitte will issue additional updates as appropriate.
[1] Society for Worldwide Interbank Financial Telecommunication, “Customer Security Program,” available at https://www.swift.com/myswift/customer-security-programme-csp.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2017 Deloitte Development LLC. All rights reserved.