SWIFT Customer Security Program: Implementation considerations

The 2016 Bangladesh Bank cyber-attack and multiple other cyber events connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) have brought renewed attention to the effectiveness of SWIFT security and fraud controls.

SWIFT’s Customer Security Program (CSP)1 is a set of core security standards intended to help mitigate specific cybersecurity risks that SWIFT clients face due to the cyber threat landscape.  The CSP, which is based on three objectives, eight strategic security principles, and a common set of 27 security controls (16 mandatory and 11 advisory), is aimed at reducing these fraud and cyber incidents. All SWIFT customers must comply with the mandatory controls under the CSP and provide a detailed annual attestation with respect to their compliance, the first of which is due in December 2017.

In order to implement the CSP framework, SWIFT customers should consider the following factors:

  • Governance – Establish a governance and operating model to provide oversight and direction during implementation, and monitor compliance of correspondent counterparties
  • Framework applicability – Identify infrastructure, applications, and end-user components that are in-scope for compliance with CSP
  • Alignment with ongoing initiatives – Integrate with ongoing regulatory and information security initiatives within the organization to better leverage synergies
  • Compensating controls – Identify alternate/compensating controls where CSP controls are not cost-effective to implement
  • Funding for control enhancements – Allocate funding to mitigate controls gaps via process or technology solutions
  • Sustainable compliance – Confirm ongoing compliance with the CSP controls and monitor compliance by Service Bureaus and third parties managing the SWIFT infrastructure

SWIFT dependency poses significant liquidity, operational, cyber, and financial risk, and Deloitte is well-positioned to support companies in their efforts to address SWIFT dependency.

Impact Assessment – Deloitte can conduct initial SWIFT risk assessment and provide a prioritization framework and a review of current controls and processes

Risk Mitigation Planning – Deloitte can develop a remediation strategy and a roadmap for implementation of improvements/enhancements to address identified gaps in controls and processes

Testing – Deloitte can assist in establishing a testing framework and conducting testing to meet CSP requirements

Implementation Support – Deloitte can assist with governance establishment, implementation, and war gaming.

As further developments occur, Deloitte will issue additional updates as appropriate.


Vikram Bhat
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Roy Ben-Hur
Managing Director | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

1Society for Worldwide Interbank Financial Telecommunication, “Customer Security Program,” available at https://www.swift.com/myswift/customer-security-programme-csp.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP.  Please see www.deloitte.com/us/about for a detailed description of our legal structure.  Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2017 Deloitte Development LLC. All rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s