CSP Update v2021 English


Webinar Norms

Customer Security - We welcome your kind participation. Thank you.

Programme: CSP Update 2021, Customer Security Programme, Sept 2020

- We will start the session at 15:05 SGT.
- Make sure you turn off your video.
- By default everyone will be muted.
- Note down your question. You can post it in the Q&A chat session.
- In the interest of time, if your question can’t be addressed, we will get back to you via email.
- For any CSP queries post session, raise a support case.
- This meeting will be recorded.
Agenda

- CSP - Evolution
- 2020 EOY KYC-SA Attestation
- CSCF v2021
- Independent Assessment Framework (IAF)
- Summary
- FAQ
- Resources
CSP - Evolution

CSP | Programme Reminder – Where does the CSCF stand?

Launched in 2016, CSP is designed to help SWIFT users implement practices that are essential to help protect against, detect and share information about financial services cybercrime.

You – Secure and Protect
• SWIFT Tools (R7.4; Security Guidance)
• Customer Security Controls Framework

Your Counterparts – Prevent and Detect
• RMA, DVR and ‘In Flight’ Sender Payment Controls Service
• KYC-SA application (request/review)
• Independent Assessment Framework

Your Community – Share and Prepare
• Intelligence Sharing
• SWIFT ISAC Portal
CSCF v2021 | Pragmatically Raising the Bar – Strategic Approach for v2021

The CSCF change management process is designed to ensure that the SWIFT community has sufficient time (up to 18 months) to understand and implement any future changes to the controls requirements. Typically, new mandatory controls or scope extension is first introduced as advisory, thereby giving users at least two cycles to plan, budget and implement.

2017 – CSCF v1
• 27 Controls (20 for B architecture)
• 16 M + 11 A (11+9)
• Compliance by 31 Dec 18

2018 – CSCF v2019
• 29 Controls (20)
• 19 M + 10 A (11+9)
• Compliance by 31 Dec 19
• x3 Promoted to Mandatory: 2.6 Operator Session, 2.7 Vulnerability Scanning, 5.4 Password Storage
• x2 New Advisory: 1.3A Virtualisation Platform, 2.10A Application Hardening

2019 – CSCF v2020
• 31 Controls (22)
• 21 M + 10 A (14+8)
• Compliance by 31 Dec 20
• x2 Promoted to Mandatory: 1.3 Virtualisation Platform, 2.10 Application Hardening
• x2 New Advisory (split from existing): 1.4A Restrict Internet Access, 2.11A RMA Controls
• x1 Scope Extension (Advisory): 2.4A Back-Office Data Flow – MQ / Middleware Server

2020 – CSCF v2021 (Covid-19)
• Proposed changes put forward through consultation (Users, NMGs…)
• Ensure full propagation of existing controls
• Enhance efficient control implementation through clarification
• Embed new Model/Technology in line with SWIFT Strategy (Cloud/API’s)

RESTRICTED
CSP | Policy Evolution

2017/2018
• Attestation and compliance by 31 Dec 2017/2018
• Advisory review by external/internal audit
• Internal Service Bureaus are now considered as Non SWIFT user group Hub
• Go Local India (GLI) users do not have to self attest

2019
• Attestation of Compliance by 31 Dec 2019
• Published attestations turn amber when expired or invalidated

2020
• Independent Assessment by 31 Dec 2020
• Users need to SA between June and December; their attestation is then valid till the end of the following year
• SA must be supported by an independent external/internal assessment
• SWIFT reserves the right to mandate an independent external assessment

2021 (Covid-19)
• Re-introduction of the self-assessment option
• Jurisdictional overseers reporting
• Refusal to perform a SWIFT Mandated assessment is reportable
• Grant all features
• Updated provisions regarding the use of personal data
• Policy and CSCF updates follow an annual update cycle
• User Guide section transferred to KYC-SA documentation
2020 EOY KYC-SA Attestation

CSP | CSCF v2019 remains valid for 2020 attestation cycle

• Users are requested to attest against the CSCF v2019 during the second half of 2020
• KYC-SA baseline 2019.3 to be used in KYC-SA, available since 1st July 2020
• IAF is not mandated in 2020

EOY Attestation
• Congratulations to Users who have already completed their 2020 KYC attestation in KYC-SA
• Users who have not submitted their attestation are encouraged to do so as early as possible, but no later than 31st Dec 2020
• SWIFT Mandated assessment invitations will be sent out in September 2020 and the assessments will be required to be completed by December 2021 against v2021
• For more information, refer to the CSP Timelines Update FAQ, via KB Tip 5024006
CSP | Grant All Features and Functions

‘Grant All’ objective: to improve operational efficiency of sharing attestation data by allowing access to your attestation data for all pending and new access requests from messaging counterparties.

During an initial notice period of 2 months, customers have the ability to opt out of the ‘grant all’ capability. After the notice period of 2 months, remaining customers will be opted in by default.

• For customers opted in to ‘Grant all’, all incoming Access Requests from messaging counterparties will be ‘granted’
• All customers are opted in after the initial notice period, unless they choose to opt out
• If you are opted in after the initial notice period, you may opt out at any time
• Extend overview of active Counterparties to Granters & Security Officers
• Updated grid view of counterparties and request status

Request handling: an Access Request to view attestation data for one or more counterparty BICs is processed as follows
• Counterparty opted in to Grant-All: all pending and new access requests from messaging counterparties will be granted
• Counterparty opted out of Grant-All: access requests are managed either using the whitelist, individually with manual processing, or remain pending until actioned
CSP | Grant All Implementation Timeline

Timeline July – November:
• Confirmation of Grant All availability date and activation
• Grant All function available for opt in/opt out (2nd week)
• Grant All function activated
CSCF v2021

CSCF Controls Evolution – Pragmatically and Slowly ‘Raising the Bar’

2017 - 27 Controls
• 16 Mandatory
• 11 Advisory
• Attestation by 31 Dec 17

2018 - 27 Controls
• 16 Mandatory
• 11 Advisory
• Compliance by 31 Dec 18

2019 - 29 Controls
• 19 Mandatory
• 10 Advisory
• Compliance by 31 Dec 19

2020 - 31 Controls
• 21 Mandatory
• 10 Advisory
• Compliance by 31 Dec 20

2021 - 31 Controls (Covid-19)
• 22 Mandatory
• 9 Advisory
• Compliance by 31 Dec 21
- Ensure full propagation of existing controls
- Enhance efficient control implementation (clarifications)
- Embed new Model/Technology in line with SWIFT Strategy (Cloud/API’s)

CSCF v2021 was built on v2020 with few updates.

CSCF v2021 ‘promotes’ one control to mandatory; however, in practice, 1.4 was already part of the mandatory control 1.1 since the 1st version of the CSCF. Hence, customers already aligned with v2020 will have no additional work with v2021 new or promoted controls; the CSCF v2021 contains mostly scope clarifications.
Evolution of CSCF Controls – Pragmatically and Slowly ‘Raising the Bar’

2017 – CSCF v1
• Released Mar 2017; attestation deadline Dec 17
• 16 Mandatory, 11 Advisory
• Initial baseline of controls, based on NIST, ISO 27000 and PCI-DSS
• 2018: clarifications (FAQ) retrofit; compliance attestation with deadline Dec 18
• Mandatory controls: 1.1 Environment Protection, 1.2 OS Priv Access, 2.1 Internal Data Flow, 2.2 Security Updates, 2.3 System Hardening, 3.1 Physical Security, 4.1 Password Policy, 4.2 MFA, 5.1 Logical Access, 5.2 Token Mgt, 6.1 Malware Protection, 6.2 Software Integrity, 6.3 Database Integrity, 6.4 Logging, 7.1 Incident Response, 7.2 Training & Awareness
• Advisory controls: 2.4 Back Office Data Flow, 2.5 External Data, 2.6 Operator Session, 2.7 Vulnerability Scanning, 2.8 Outsourcing Controls, 2.9 Transaction, 5.3 People Vetting, 5.4 Password Storage, 6.5 Intrusion Detection, 7.3 Pen Testing, 7.4 Scenario Risks

2018 – CSCF v2019
• Released Aug 18; (first) attestation deadline Dec 19
• 19 Mandatory, 10 Advisory
• New controls and clarifications
• Promoted controls: 2.6 Operator Session, 2.7 Vulnerability Scanning, 5.4 Password Storage
• New controls: 1.3 Virtualization (1), 2.10 Application Hardening

2019 – CSCF v2020
• Released Jul 19
• 21 Mandatory, 10 Advisory
• Clarifications, e.g. 2.4 for use with middleware / MQ
• Promoted controls: 1.3 Virtualization (1), 2.10 Application Hardening
• New controls: 1.4 Internet Restriction (1), 2.11 RMA Controls (2)

2020/2021 – CSCF v2021
• Released Jul 20 with attestation deadline Dec 21
• 22 Mandatory, 9 Advisory
• Clarifications, e.g. for use with APIs and connector / cloud
• Promoted controls: 1.4 Internet Restriction (1)
• New controls: N/A

Notes: (1) 1.3 & 1.4 were split from 1.1; (2) 2.11 was split from 2.9.
CSCF v2021 | Consultation Process and Summary of resulting Changes

Consultation Process

1 – Who: ~150 External Stakeholders
• Customers
• NMG’s and country representatives
• Overseers through NBB

2 – What: Scope Consideration
• Promotion of Advisory Controls to Mandatory?
• New Advisory Controls?
• Alternative implementations?
• Clarifications to cope with new technologies?

3 – How: Via Webinars and Feedback Forms
• Regional webinars to introduce proposed changes
• Feedback Forms: ~30 received - NMGs (13), Customers (12), Third Party Representatives (3)

Summary of CSCF v2021 Changes

New Controls - N/A

Ensure full propagation of existing controls: fully transfer Internet Access from Mandatory 1.1 to 1.4 – Restrict Internet Access (protect Operator PCs, the initial targets before a lateral move)
• Centralise guidance related to internet access
• Remove existing scope from initial Control 1.1 (the reduction of 1.1 and transfer to 1.4 was already defined in CSCF v2020)

Clarifications on scope definition

General
• Ease identification of elements in scope
• Highlight risk-based approach for compliance
• Connector definition review (SWIFT <> Customer ones)

Operator PC’s
• Highlight that PC’s connected to local or remote infrastructure need to be protected

APIs – No change today but pave for the future
• Back office still out of scope with SWIFT footprint
• New Architecture Type - A4 for customer’s own connectors (middleware or API end point); split usage of SWIFT footprint (A1/A2/A3) from customer’s connectors (A4). SWIFT footprint: products delivered by SWIFT and vendors

Third Party – Extended to cloud provider
• Highlight where reasonable comfort has to be sought from the used Cloud Provider – User still accountable
• Support to Digital Connectivity (SAA/AMH/SAG/SIL/DL/MicroGateway)
CSCF v2021 – Rationale for the new Architecture A4

Today’s Architectures and Limitations

A1/A2 – SWIFT Footprint
• SWIFT or vendors’ compatible Products to link with SWIFTNet
• Interfaces SAG/AGI/SAA/AMH in Secure Zone
• All controls

A3 – SWIFT Footprint
• SWIFT or Compatible Vendors Software to connect Interfaces at Service Provider or Lite2
• Connectors (SIL)DL/AC/MicroGateway in Secure Zone
• All but 1 control

A3 – Other Footprint
• File transfer solutions, local middleware servers to connect with Service Provider with API’s
• Less controls (Advisory)

Limitations
• A3… Mix of SWIFT and non-SWIFT
• Difficult to extend the scope
• Mix of Mandatory <> Advisory
• API model will extend usage of Non-SWIFT Footprint

Split A3 between SWIFT & Non-SWIFT Footprint

Connectors: local software to facilitate communication with an interface, or to a service provider. Differentiate:
• SWIFT connectors - provided by SWIFT or vendors - SWIFT Footprint, e.g. Autoclient, SIL
• Customer connectors - off the shelf (file transfer solutions, Middleware/MQ servers…) or home made product (implementing API’s) - Non-SWIFT footprint

A3 Architecture - relies on SWIFT connectors
(New) A4 Architecture - relies on Customer connectors

Controls with Clarified In-Scope SWIFT-Footprint

A3 – No Change
• Same controls as today - SWIFT connector in-scope

A4 – Introduced as Advisory to pave the way
• Controls with customer connector in-scope
• Basic Cyber Hygiene
• Connectivity for local App2app
• Centralised business controls
• Scope can be progressively wider

Benefits
• Better split to ease proper architecture identification by users
• Differentiate pace of changes
• Progressively pave the way for future models (no SWIFT footprint)
• Could allow to identify and cover other intermediate actors (third party)
CSCF v2021 – Architecture A3 versus New Architecture A4

SWIFT Connector: products delivered by SWIFT and potentially vendors (DirectLink, AutoClient, SIL, MicroGateway)
CSCF v2021 – Summary and Controls Applicability

Arch   A1   A2   A3   A4   B
Man.   22   22   21   17   14
Adv.    9    9    9    9    8
Tot.   31   31   30   26   22

Consider also Annex F of CSCF v2021 for controls applicability.
CSCF v2021 – Clarifications for Efficiency and Alignment to Reality
Independent Assessment Framework (IAF)

CSP | Flavours of the assessments

Self-Assessment
• Selection criteria: still possible, but will not be compliant after the start of IAF
• Assessor: First Line of defense
• Timeline: 2019–2021; Non Compliant and reportable as of Jan 2022

Community-Standard Assessment
• Selection criteria: mandated for all customers with the start of IAF
• Assessor: Internal or external
• Timeline: from the start of IAF (2021), 2022 and beyond

SWIFT-Mandated Assessment
• Selection criteria: mandated - sampled customers, driven by QA analysis
• Assessor: External only
• Timeline: from the start of IAF
CSP | Audit vs Assessment

The objective is the same: providing assurance on the compliance with the stated CSCF Control Objective.

• The two approaches (Audit / Assessment) are possible:
  • Assessments are more flexible and there is a wider range of assessment providers, including those who may not necessarily meet the requirements of an audit organisation.
  • Audit is subject to internationally recognised standards. An audit is typically longer and more expensive than an assessment.
• SWIFT is indifferent to the way assurance is provided (assessment or audit), provided the firm (and the individual assessors) possess the necessary skills as set out in the Independent Assurance Framework.
CSP | Risk-Based approach when assessing security compliance

Assessors must employ a risk-based approach when assessing the security compliance of the users; i.e. assessors must not use the SWIFT proposed Implementation Guidelines as a strict audit check list.

Hence, the implementation of a CSP control can be:
• As per the documented SWIFT proposed Implementation Guidelines
• An alternative Implementation that:
  o Addresses the risk drivers
  o Covers the relevant in-scope components
  o Meets the stated control objective, i.e. the security goal to be achieved

IMPORTANT: Both methods are valid and equivalent from a CSP compliance perspective.
CSP | Independent Assurance Framework flow and timeline

1. Independent assessor selection
• Customer to select an internal OR/AND external assessor
• For an external assessor, customers can consult the Directory of CSP Assessment Providers

2. Assessor conducts review (since 2020), against the current CSCF version of the controls
• Customer and assessor to apply the framework and Word and Excel templates as described in the KC
• Customer can consult FAQ KB TIP 5022902 or contact SWIFT Support
• Use future version of the CSCF for clarifications as appropriate

3. Results reflected in the KYC-SA application, upon availability of the controls version in the application (as from July 1st)
• Customer to align their self attestation results against the review results
• Customer to add the name and contact details of the assessor and the start and end date of the assessment report

4. Escalation
• Failure to undertake a Community-Standard assessment before the end of the calendar year 2021 will result in a non-compliant attestation and reporting to the local supervisors, visible to counterparties via the KYC-SA application
• An assessment will have a validity period of maximum two years under conditions
CSP | Independent Assurance Framework – details (1/2)

Community-Standard Assessments: all customers from 2021; internal or external assessment

Assessor must have
• Independency: as defined by the ‘Institute of Internal Auditors’ (IIA)
• Recent (12 months) and relevant experience, e.g. PCI DSS, ISO 27001
• Skills / qualifications, e.g. QSA, CISSP, CISA, CISM, or similar

Assessor Selection
• Internal independent assessor: second or third line of defence or its functional equivalent
• External assessors: (non-prescriptive) directory of CSP assessment providers
• Service providers such as service bureaus or L2BA providers are eligible under some conditions
• SWIFT does not endorse or validate any particular assessor

Available Resources
• CSP SWIFTSmart modules (translations available)
• Swift.com KC: PDF Framework document, optional Excel-based Assessment Templates and Word Completion letter
• CSP curriculum (Annex A of the IAF)
CSP | Independent Assurance Framework – details (2/2)

Community-Standard Assessments: all customers from 2021; internal or external assessment

Testing Methods
• Risk-based approach (i.e. compliance vs control objective)
• A mix of assessment methods as appropriate, e.g. interview, replay, documentation
• Possible leverage of existing relevant assurance

Timing
• Assessment to start any time during the year
• Fill in 2021 attestations between 1st July and 31st December 2021

Outputs
• Recommended: findings in the Excel-based Assessment Templates and Completion letter
• Expected: summary of findings in assessor report to customer
• Recommended retention of 5 years (minimum 2 years) of documentation

Escalation
• Absence of assessment results in reporting to the supervisors and visibility to counterparties

Costs
• Customer is responsible for costs associated with the assessment
Summary

CSP | COVID-19 : Expectation from Customers in 2020

DO’S
• When attesting between July 2020 and December 2020, Users MUST use the CSCF v2019. SWIFT recommends using the v2020 or the v2021 for clarifications only and at the user’s discretion; consulting the published v2020 or v2021 must not result in any scope creep in 2020.
• Focus on the controls which are applicable this year for data attestation against CSCF v2019.
• Since the attesting window in KYC-SA (baseline 2019.3) opens on 1st July 2020, ensure that you submit your attestation at the earliest. An attestation submitted from 1st July 2020 onwards will be valid until 31st Dec 2021 (thus no longer limited to 12 months).
• If you are a first-time user, please ensure that you have access to the KYC-SA application and that you have identified and assigned designated users to perform data contribution to KYC-SA. Please refer to the slides “How SWIFT can Help” for more information and further assistance.
• If you have not started working on your 2020 attestation yet, please initiate the process, as we are heading towards year end.
• Ensure that you are using the correct draft version at any time in the process. This avoids re-work at your end.
• Once your attestation draft is finalized and submitted to the approver internally, please request the Approver to approve the draft.
• If your entity is managed centrally and intends to submit the data attestation centrally, follow up with your Parent BIC and remind them to submit the data.
• If you are hosting SWIFT infrastructure for an attesting user, please help your hosted entity by proactively furnishing all required information needed to complete their attestation.
• Read the Tip 5024006 IAF FAQ COVID-19 if unsure about the impact on CSP timelines.
CSP | Expectation from Customers

DON’TS
• Don’t wait until the last minute for data submission in December, due to various reasons, such as:
  o Staff unavailability due to unforeseen sick leave or planned personal leave.
  o Year-end resource crunch at the customer end, due to the long Christmas festival in some regions.
  o Unforeseen emergencies/crises at the customer end will ideally take precedence over data submission and attestation.

Through these Do’s and Don’ts, SWIFT wants to reiterate that it is a collaborative journey and that without your genuine efforts, SWIFT may not be able to safeguard the community from emerging cyber security threats at any given time. Your co-operation is highly appreciated.
CSP | FAQ

• Compared to CSCF v2019, how many new mandatory & advisory controls were introduced in CSCF v2021?
• With the introduction of Architecture type A4 in CSCF v2021, is there a need to reassess one’s Architecture type before data submission for July 2021 onwards?
• With the introduction of Architecture type A4 in CSCF v2021, which existing Architecture type can have potential impact, for which reassessment is required?
• We are in the middle of the data attestation submission process for YR 2020 & SWIFT is now referring to CSCF v2021/IAF. What should be the community focus and priority?
• Is the SWIFT (internal/external) independent assessment mandatory for 2021?
• SWIFT has also published the CSCF v2020 document. Should one refer to the CSCF v2020 document along with the CSCF v2021 document, or just CSCF v2021, in preparation for the next year attestation cycle?
• I have been informed by SWIFT to perform a “Mandated External assessment for YR 2021”. How should I proceed forward?
• From July 2021, under the Assurance type, if one selects “Self assessment”, will it be considered as non-compliant?
How SWIFT can help

CSP | Supporting the Community
Where can I go to find additional info?

CSP Pages
Visit the CSP pages on swift.com* for programme news and updates. In particular:
• Filter the Latest news with “Customer Security Programme” and/or “Cyber Security” for relevant topics
* Login required

Knowledge Centre
• Access all the CSP docs
• Access all the CSCF docs
• Access some additional supporting docs and modules

Knowledge Base
• Tip 5024006 IAF FAQ COVID-19
• Tip 5024038 CSP Timelines Update COVID-19
• Tip 5021823: CSP FAQ
• Tip 5022902: IAF FAQ
• Tip 5020786 Security Guidance

SWIFT ISAC Portal
Consult the Portal for information related to security threats.

SWIFTSmart
The SWIFTSmart e-learning training platform includes a portfolio of modules, including in-depth modules on each of the mandatory security controls. It includes a module related to the IAF.

MySWIFT
A self-service portal containing “how-to” videos, guidance on frequently asked questions and Knowledge Base tips.
CSP | Supporting the Community
Need more help?

SWIFT Customer Support
SWIFT Customer Support teams are on hand 24/7 to answer specific SWIFT queries if you don’t find the information resources you are looking for.

Directory of Cyber Security Service Providers
If you need practical, on-the-ground implementation support, you can consult the Directory of Cyber Security Service Providers on SWIFT.com to help find a third-party project partner that may be suitable for your needs.

Directory of CSP Assessment Providers
If you need support to perform the Independent assessment, consult the Directory of CSP assessment providers on SWIFT.com to help find a third-party project partner that may be suitable for your needs.

SWIFT Services
To support best practices in infrastructure implementation and management, SWIFT offers services such as the SWIFT infrastructure security review, Security boot camps, SWIFT Admin and Operation certifications and recurring support contracts such as Alliance Managed Operations, Local support and Premium custom support. Consult the Services page.
CSP | Quiz

1) Though we are in year 2020, KYC data-attestation this year is based on CSCF v2019 controls? True/False.

2) Independent Assessment is mandated by SWIFT for year 2020 & as a customer I must work on this? True/False.

3) After the Nov Grant All activation, if the default “Opt In” is set in KYC-SA, access requests (to attestation data) from messaging counterparties will be automatically processed/granted? True/False.

4) As per CSCF v2021 controls, there will be five architecture types going forward? True/False.

5) For performing a community-standard assessment, any person can be approached to perform the internal/external assessment? True/False.

6) For performing a community-standard assessment, the customer is responsible for advance planning and budgeting? True/False.
CSP | Quiz Answers

1) Though we are in year 2020, KYC data-attestation this year is based on CSCF v2019 controls?
TRUE

2) Independent Assessment is mandated by SWIFT for year 2020 & as a customer I must work on this?
FALSE

3) After the Nov Grant All activation, if the default “Opt In” is set in KYC-SA, access requests (to attestation data) from messaging counterparties will be automatically processed/granted?
TRUE

4) As per CSCF v2021 controls, there will be five architecture types going forward?
TRUE

5) For performing a community-standard assessment, any person can be approached to perform the internal/external assessment?
FALSE

6) For performing a community-standard assessment, the customer is responsible for advance planning and budgeting?
TRUE

The Feedback Poll is open in parallel. We request you to please share your valuable feedback before you leave.
CSP | Poll

1) Was the session informative & did it meet your expectations around CSP?
a. Yes
b. No

2) If the answer to the above question is NO, please explain what was missed out and what you would like to hear more about in upcoming sessions.

3) How would you like to rate this session?
a. Very Satisfied
b. Satisfied
c. Unsatisfied

4) Any Feedback? (From CI perspective)

www.swift.com