What is new in the recently released CSP v2020? SWIFT Customer Security Programme


Post on 06-Apr-2020



In order to improve the level of assurance currently provided by the self-attestations, an independent assessment framework (IAF) has been developed by SWIFT and will require all attestations to be supported by an independent assessment from the CSP v2020. The self-assessment will no longer be possible and SWIFT customers will now have to rely on an independent assessment performed either by their internal second or third line of defense (e.g. risk management, internal audit, etc.), or by an external third party organization.

While a self-attestation usually takes a light approach, an independent assessment should rely on evidence for the design, the implementation, and the operating effectiveness of the controls.

The introduction of a new assessment methodology

Auditing the CSP

How different will your declaration be on 31.12.2020?


The CSP v2020 also introduces some changes to the controls to adapt the framework to the evolution of the cyber threat landscape and to progressively improve the overall growth of the control environment.

Two advisory controls, introduced in CSP v2019, are being promoted to mandatory:

• 1.3 – Virtualization platform protection: The objective is to secure the virtualization platform and virtual machines hosting the SWIFT-related components to the same level as physical systems

• 2.10 – Application hardening: The objective is to reduce the attack surface of SWIFT-related components by performing interfaces and application hardening

Two new advisory controls are introduced:

• 1.4A – Restrict Internet access: This control has been extracted from control 1.1 and centralizes the guidance related to Internet access

• 2.11A – RMA business control: This control has been extracted from control 2.9A to split the transactions and RMA business controls

Finally, one control is being extended:

• 2.4A – Back-office data flow security: The middleware components are now included in the scope

The SWIFT CSP controls


Banking information is some of the most important information to keep private. That's why recent high-profile cyber-attacks on customers using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant.

Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF) as well as address SWIFT dependencies and ultimately disrupt through innovation.

An update of the control framework

How we can help?


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019 Deloitte Tax & Consulting

Contacts

Stéphane Hurtaud, Partner – Information & Technology Risk, +352 451 454 [email protected]

Maxime Verac, Senior Manager – Information & Technology Risk, +352 451 454 [email protected]