At the end of 2016, SWIFT introduced a new Customer Security Program, which includes the SWIFT Customer Security Controls Framework (CSCF). Last August, SWIFT announced a new version of the SWIFT CSCF in response to the growing number of cyberattacks on SWIFT infrastructure, which have caused billions in financial losses. Member institutions are expected to comply with these new controls and attest to the mandatory controls at the end of 2019. The latest version promotes some advisory controls to mandatory controls and introduces new advisory controls.
What’s New in CSCF v2019 – And How Illumio ASP Can Help
Here’s an overview of the most important things you need to know about the changes to the requirements.
Three advisory controls were promoted to mandatory controls:
- Control 2.6 - Operator Session Confidentiality and Integrity
- Control 2.7 - Vulnerability Scanning
- Control 5.4 - Physical and Logical Password Storage
Control 2.7 requires covered organizations to document and analyze the results of vulnerability scanning for appropriate action and remediation. Illumio ASP partially supports this requirement via the Vulnerability Maps feature. Illumio ASP displays a Vulnerability Exposure Score, which measures risk by calculating how many workloads can potentially exploit a vulnerability in any given host. Security teams use this information to take appropriate actions, such as narrowing the existing firewall rules down to the process, port, and protocol as a compensating control.
CSCF v2019 also introduces two new advisory controls:
- Control 1.3A - Virtualization Platform Protection
- Control 2.10A - Application Hardening
Illumio ASP's default-deny model applies at the operating system level instead of the hypervisor level. Illumio ASP partially supports Control 1.3A by blocking and logging all unauthorized attempts to connect to all hosts (virtualized, bare-metal, cloud, and containers).
Illumio ASP can partially support Control 2.10A by programming firewall rules that limit inbound and outbound connections between SWIFT-certified messaging interfaces and SWIFT components, down to specific ports, processes, and protocols.
As a reminder, advisory controls are opt-in, but SWIFT member companies are required to comply with and attest to the mandatory controls.
What happens if an organization is not SWIFT CSCF compliant or does not submit its self-attestation to the SWIFT CSP database?
SWIFT currently does not impose any penalties on organizations that do not comply with the CSCF and that fail to submit a self-attestation. However, failure to submit a self-attestation is visible to the entire SWIFT community. Members will be able to search the SWIFT database to determine if a counterparty is SWIFT compliant.
SWIFT will also report non-compliance with the CSCF self-attestation requirements to the local monetary authorities, central banks, and financial regulatory agencies.
Reporting of non-compliance with the SWIFT self-attestation will be mandatory in 2019.
If transaction parties are not compliant with the CSCF, SWIFT will inform counterparties to the transaction, especially if there is no local supervisory body. Non-compliance will therefore severely limit an organization’s ability to transact business and facilitate payments.
For a detailed grid mapping Illumio ASP to the SWIFT CSCF v2019 controls, check out this new solution brief.