Cybersecurity in the financial ecosystem: the evolution and impact of SWIFT’s Customer Security Programme

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global member-owned cooperative that provides secure financial messaging services to financial institutions worldwide. It facilitates fast, accurate, and secure communication for transactions, including payments, securities, and treasury operations.

The Customer Security Programme (CSP), launched by SWIFT in response to a wave of sophisticated cyberattacks before 2016, aimed to improve the cybersecurity posture of users worldwide. These complex and diverse cyber threats highlighted the critical need for a unified security approach across the financial sector.

The CSP introduced the Customer Security Controls Framework (CSCF) to establish mandatory and advisory security measures for all SWIFT users. This initiative marks SWIFT’s dedication to strengthening the security and resilience of the global financial ecosystem against cyber threats, ensuring the integrity and reliability of international financial transactions.

A closer look at the CSCF

The CSCF outlines mandatory and advisory security controls for SWIFT users, grounded in industry-standard frameworks like NIST, ISO 27000, and PCI-DSS. Mandatory controls set a security baseline, while advisory controls, based on best practices, are recommended for additional protection.

The CSCF’s design reflects a proactive approach to cybersecurity, as shown in the image below. The security measures are founded on three primary objectives of the framework:

Objective 1: Secure your environment:

• Principle 1: Restrict internet access and protect critical systems from the general IT environment.
• Principle 2: Reduce attack surface and vulnerabilities.
• Principle 3: Physically secure the environment.

Objective 2: Know and limit access:

• Principle 4: Prevent credentials’ compromise.
• Principle 5: Manage identities and separate privileges.

Objective 3: Detect and respond:

• Principle 6: Detect anomalous activity in systems or transaction records.
• Principle 7: Plan for incident response and information sharing.

The CSCF specifies 5 main architecture types that dictate which security controls are applicable based on the SWIFT components and infrastructure an organisation uses. These architecture types, defined by the ownership and deployment of SWIFT-specific infrastructure components, help organisations identify the scope of their required cybersecurity measures within the CSP framework. Here are the outlined architecture types:

• Architecture A1: For users owning both the messaging and communication interface. This setup is where both the messaging interface and the communication interface licenses are owned by the user and reside within their environment.
• Architecture A2: For users owning the messaging interface but not the communication interface. Here, the messaging interface is owned by the user, but a service provider owns the communication interface.
• Architecture A3 (SWIFT connector): It involves the use of a SWIFT connector within the user environment to facilitate application-to-application communication with an interface at a service provider, or with SWIFT services, with no interface on the user’s end.
• Architecture A4 (customer connector): For users who do not have any SWIFT footprint but use a server running a software application within their environment to facilitate an external connection with an interface at a service provider, or directly with SWIFT services.
• Architecture B (no local user footprint): For users who do not use any SWIFT-specific infrastructure component within their environment. This includes users accessing SWIFT messaging services through a Graphical User Interface (GUI) application at the service provider, or whose back-office applications communicate directly with the service provider using APIs, middleware clients, or secure file transfer clients without connecting or independently transmitting business transactions to SWIFT services.

Implementation and compliance

SWIFT users are required to attest compliance with the CSCF’s controls via the KYC Security Attestation (KYC-SA) application. This process underscores the shared responsibility of SWIFT and its users in maintaining a secure network. Despite challenges, the financial community has been successful in implementing these controls, with ongoing dialogue and feedback helping to refine and improve the CSP.

The following table offers a comprehensive summary of all mandatory and advisory security controls (a total of 32), organised by the guiding principle they adhere to and linked to the specific architecture model they apply to: 

The impact of the CSP on the financial industry

The CSP has significantly enhanced the security posture of individual institutions and the broader financial ecosystem. It has led to reduced risks of fraudulent transactions and fostered a culture of transparency.

Despite these improvements, a few security incidents still occurred within the SWIFT system, namely:

• Hanoi-based Tien Phong Bank (TPBank) reported that it interrupted the attempted theft of approximately $1.1 million via fraudulent SWIFT messages. More details can be found here: Vietnam's Tien Phong Bank Victim of SWIFT-Based Attack.

• Attackers used malware to steal $81 million from Bangladesh Bank: according to BAE Systems, attackers installed malware to compromise SWIFT communications and illegally transfer $81 million. Further information is provided here: Bangladesh Bank Attackers Hacked SWIFT Software.

• $4.4 million moved to accounts in the US, UK, and Japan via fraudulent SWIFT messages: this case involved attackers hacking a Nepalese bank’s SWIFT server to orchestrate the transfer. Details are available in the following report: Attackers Hacked Nepalese Bank's SWIFT Server.

Nevertheless, the positive impact of the CSP is undeniable: by sharing attestation data, SWIFT users create a peer-driven momentum towards better security practices, contributing to a safer financial environment for all.

The future of the CSP and cybersecurity in finance

The future of the CSP is intertwined with the rapid evolution of technology and the shifting landscape of cyber threats. To address these evolving threats, the CSP’s future strategy will likely incorporate several key adaptations:

1. Enhanced encryption techniques: in anticipation of Quantum Computing threats, adopting quantum-resistant encryption methods will be crucial. These methods are designed to be secure against both classical and quantum-computing attacks.
2. Artificial Intelligence (AI) and Machine Learning (ML) for defense: by using AI for defensive purposes, the CSP could enhance anomaly detection systems to identify and respond to unusual activities faster and more accurately. This could be particularly effective in spotting sophisticated social engineering and insider threats.
3. Strengthening supply chain security: the CSP will need to implement stricter security requirements and regular audits for third-party vendors. Encouraging transparency and collaboration across the financial sector will be vital in identifying and mitigating potential vulnerabilities early.
4. Continuous adaptation framework: the CSP should establish a framework for continuous adaptation, which includes regular updates to its security standards and practices, based on emerging technologies and cyber threats. This will require strict collaboration with cybersecurity experts, financial institutions, and technology providers.

By embedding these strategies, the CSP can enhance its resilience and continue to safeguard the global financial system effectively.

Conclusion

The CSP has been decisive in strengthening the financial industry's defenses against cyber threats. It emphasises the importance of collaboration and compliance with security controls to maintain the integrity of the global financial system. As we look to the future, the CSP will continue to evolve, addressing new challenges and ensuring the financial ecosystem remains secure.

Financial institutions are encouraged to regularly review and update their cybersecurity practices in line with the latest version of the CSCF. Engaging with SWIFT’s community for shared learning and improvement is vital for staying ahead of potential threats and safeguarding the global financial system.

  Read more about cybersecurity within the financial ecosystem in this article: Open Banking: risks and perks of humanised digital banking.