“I was sure we were well positioned in most of the SWIFT CSP domains. Hence, I was skeptical regarding the necessity of this project. Very soon I recognized I was wrong. Capgemini’s approach did not only help to identify weaknesses and non-compliances; it also fostered awareness of information security within our department.” - Head of Payments
Customer: A leading real estate finance bank
Client Challenges / Business Need: Our client was facing the new, binding SWIFT security requirements, released to increase the security of payment systems. With limited resources and within a short timeframe, our client needed assurance about its current level of SWIFT CSP compliance.
Solution-at-a-glance: A tailored and independent readiness assessment regarding the SWIFT CSP requirements within 8 weeks.
Results and Benefits:
- A management report covering all 27 SWIFT CSP controls and their level of compliance with the SWIFT Customer Security Controls Framework
- Identified gaps, classified and accompanied by clear recommendations for mitigation
Capgemini Invent makes a bank SWIFT CSP ready
The German-headquartered bank operates from branches in Europe and the US and specializes in loans, bonds and derivatives for a variety of sectors:
- real estate e.g. loans for office buildings
- infrastructure and project finance e.g. toll roads, tunnels, multi-story car parks, ports, airports, schools, hospitals
- public and asset finance e.g. government bonds
- structured products e.g. asset-backed securities (ABS), commercial or residential mortgage-backed securities (CMBS or RMBS), collateralized debt obligations (CDO)
Gaining assurance about the bank's SWIFT CSP compliance level in very little time
Our client was faced with new, binding SWIFT security requirements, released to increase the security of payment systems, for example:
- Restrict internet access and protect critical SWIFT systems from the general IT environment
- Prevent manipulation of payment data by implementing data integrity checks
- Prevent a compromise of a single authentication factor from granting access to SWIFT systems, by implementing multi-factor authentication
SWIFT required all its customers to assess their compliance with these requirements by means of a self-assessment. The results had to be reported to SWIFT through a standardized self-attestation before Q1 2018.
The consequences for banks that do not meet the requirements are manifold. From January 2018 onwards, SWIFT will inform the regulator about banks that have not submitted a self-attestation. In cases of major non-compliance, SWIFT even threatens to exclude banks from the SWIFT network. Disregarding the SWIFT CSP requirements can therefore threaten the very existence of a financial institution.
An independent, high-quality analysis in preparation for the first SWIFT CSP self-assessment
Capgemini Invent, an official SWIFT cybersecurity service provider, conducted a tailored and independent readiness assessment regarding the SWIFT CSP requirements within 8 weeks. The team achieved this target with minimal disruption to client staff, using a proven approach:
- A common understanding of the client's SWIFT architecture type (which determines which CSP controls apply) and of the scope of the readiness assessment was established
- The relevant controls were clustered into the domains of processes, infrastructure, interfaces, and external service providers/vendors
- Focus workshops with stakeholders from every domain were held
The focus workshops yielded supplementary documentation, e.g. policies and evidence of the relevant controls operated by the client. External service providers and vendors were asked to provide recent audit reports and certificates.
Capgemini Invent assessed the evidence provided by the client with respect to:
- Whether corporate requirements comply with the SWIFT CSP, the SWIFT Customer Security Controls Framework and industry best practices
- Whether the processes and controls described by stakeholders during the focus workshops reflect those corporate requirements, i.e. whether client personnel actually comply with them
ISAE 3402 reports and other certificates provided by external service providers and vendors were evaluated against the following criteria:
- Level of compliance with the requirements of the SWIFT CSP and the SWIFT Customer Security Controls Framework
- Relevance of the controls tested or certified to the SWIFT CSP scope
- Reliability of the certification body
Results count – Guidance to close identified gaps and increased cybersecurity awareness
This readiness assessment approach culminated in a management report covering all 27 SWIFT CSP controls and their level of compliance with the SWIFT Customer Security Controls Framework. Identified gaps were classified, and clear recommendations were made to enable the client to close these gaps before the first SWIFT CSP self-assessment was due. Furthermore, cybersecurity awareness among payments department personnel was raised.