SWIFT independent assessment – have you booked yours?
The SWIFT independent assessment regime will kick in later this year. Have you booked in your assessment? If not, Fox Red Risk has some availability to carry out assessments. Remember the SWIFT payments attacks a few years back? As a reminder, in 2015 and 2016 a series of cyberattacks using the SWIFT banking network resulted in the successful theft of millions of dollars. The attacks were perpetrated by a hacker group known as APT 38, a financially-motivated threat group backed by the North Korean regime and also believed to be behind the Sony attacks. The attacks exploited vulnerabilities in the systems of member banks, allowing the attackers to gain control of the banks’ legitimate SWIFT credentials. The thieves then used those credentials to send SWIFT funds transfer requests to other banks, which, trusting the messages to be legitimate, sent the funds to accounts controlled by the attackers. As you can imagine, as a result of the attacks, SWIFT began to take their security programme a LOT more seriously. SWIFT now have a significant Customer Security Programme and, from July 2020, customers will be required to conduct annual SWIFT independent assessments.
What is SWIFT?
The SWIFT international payment network is one of the largest financial messaging systems in the world. Every day, nearly 10,000 SWIFT member institutions send tens of millions of messages on the SWIFT network. Prior to SWIFT, the most common means of sending a payment message was Telex. So, how does it work? Let’s say an HSBC customer in London wants to send money to their mate who banks at Barclays in Dubai. The London customer can walk into their branch with their friend’s account number and Barclays’ unique SWIFT code for its Dubai branch. HSBC will send a payment transfer SWIFT message to the Barclays branch over the secure SWIFT network. Once Barclays receives the SWIFT message about the incoming payment, it will clear and credit the money to the Dubai friend’s account.
Is SWIFT secure?
It’s a lot more secure these days than it was a few years ago. That is in part down to the Customer Security Programme. The key principles behind SWIFT’s approach to information security are:
- Learn – know the enemy and understand our exposure;
- Prevent – make enemies’ lives inherently more complicated, prevent cyber-attacks;
- Plan – never underestimate the enemy, and seek to detect attacks that could overcome our prevention;
- Manage – assume breach. Prepare for the worst, be ready to respond, contain and recover from attacks.
They read like a modern-day cybersecurity Sun Tzu Art of War:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
…well, nearly. Not much in the SWIFT approach about knowing themselves…but you get the drift. Essentially, they have ‘learned’ that they need to take cybersecurity VERY seriously. This awakening for SWIFT has also had the side-benefit of compelling SWIFT members to re-assess their security controls too – win-win for cybersecurity!
Customer Security Programme
A significant component of SWIFT’s information security strategy is the understanding that their customers (namely a lot of big financial institutions) form an integral part of their attack surface. Essentially, hackers don’t necessarily need to go after SWIFT directly but can compromise SWIFT members instead. This is essentially what happened in 2015/2016. Those attacks exploited vulnerabilities in the systems of member banks, allowing the attackers to gain control of the banks’ legitimate SWIFT credentials. The thieves then used those credentials to send SWIFT funds transfer requests to other banks, which, trusting the messages to be legitimate, sent the funds to accounts controlled by the attackers. SWIFT quickly realised they needed to support their member organisations in their security programmes or risk undermining trust in the SWIFT network altogether. Enter the Customer Security Programme. Now, I am not going to rehash all the details of the CSP, but you can read more about the SWIFT controls here. Essentially, the controls are split into mandatory controls and advisory controls, which SWIFT has published in the current Customer Security Controls Framework (CSCF) v2020 (at time of publishing).
SWIFT independent Assessment – Stepping things up.
For a while now, members have been required to self-attest against SWIFT’s mandatory security controls, but from later this year SWIFT will also require an independent assessment. From July 2020, all SWIFT users will be obligated to carry out an independent assessment when self-attesting. This can be done through either:
• An internal assessment carried out by the company’s second or third line of defence, such as the user’s internal compliance, internal risk or internal audit departments (independent from the first-line function submitting the attestation); or
• An external assessment carried out by an independent external organisation with cybersecurity assessment experience and individual assessors who hold relevant security industry certifications.
SWIFT independent Assessment – want to pay expensive Big-Four fees for your assessment?
There is no doubt that few people are knowledgeable about the SWIFT payments network infrastructure. The main players are typically big consultancy firms…and of course, Fox Red Risk!
Fox Red Risk can carry out a specifically scoped external assessment or provide an internal assessment as part of our awesome Virtual CISO service. Why not get in contact to see if we can provide you with a competitive quote for your SWIFT independent assessment? Call us on 020 8242 6047 or contact us via the website to discuss your SWIFT Independent Assessment needs.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.