This website uses cookies. View our cookie policy
Close
USA
Select regional store:

SWIFT Security Controls

On September 27, 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) announced a new set of core banking security standards and an associated assurance framework as part of its Customer Security Programme.

Compliance with 16 security controls (listed below) will be mandatory for all SWIFT customers—including those connected through service bureaus—from January 1, 2018.

Customers will also be able to choose to implement a further 11 advisory controls.

All SWIFT customers will have to demonstrate their compliance by annual self-attestation. Some randomly selected customers will have to provide additional assurance of their compliance via internal or external audit.

To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.

Organizations in the financial sector will have only nine months between the final standards being published and their being enforced.

Achieving accredited certification to the international standard for information security management, ISO 27001, is the best way of complying with the international best practice that underpins the new SWIFT controls.

Until the final standards are issued in March 2017, ISO 27001 provides the most obvious starting point for SWIFT customers.

On this page

  • Introduction
  • Implementation timeline
  • SWIFT mandatory and advisory controls—October 2016 version
  • ISO 27001

 

Introduction

Following a series of high-profile wire fraud incidents, including the theft of some $81 million from Bangladesh’s central bank in early 2016, the interbank messaging service SWIFT came under increasing pressure to improve cybersecurity in the financial sector and reduce the risk of wire fraud.

In October 2016, SWIFT released a set of core security standards to "raise the security bar for customers on the SWIFT network."

More than 11,000 banking and securities organizations, market infrastructures, and corporate customers in more than 200 countries use SWIFT’s messaging platform, products and services. All of them must comply with SWIFT’s new baseline cybersecurity controls by January 1, 2018.

 

Implementation timeline

  • October 2016
    SWIFT released preliminary details about the controls. These are detailed in the table below.

  • March 2017
    Following a two-month validation period in which SWIFT will engage with nominated security contacts at SWIFT National Member Groups, the final requirements will be published in March 2017. Banking partners will then have just nine months to comply.

  • January 2018
    From January 1, 2018, SWIFT will enforce the use of the controls by reporting any non-compliant customer to their regulators.

 

SWIFT mandatory and advisory controls—October 2016 version

SWIFT’s assurance framework has three objectives and eight principles, which are underpinned by 27 controls.

16 controls are mandatory (M1 to M16 below) and 11 are advisory (A1 to A11 below).

The 27 controls are mapped against recognized international standards—NIST, the PCI DSS, and ISO 27002 (the code of practice for information security controls that supports ISO 27001).

To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.

 

3 objectives

8 principles

16 mandatory controls

11 advisory controls

Secure your environment

1. Restrict Internet access

   
 

2. Segregate critical systems from general IT environment

M1. Operating system privileged account control

 
    M2. SWIFT environment segregation  
 

3. Reduce attack surface and vulnerabilities

M3. Internal data flow security

A1. Back office data flow security

   

M4. Security patching

A2. External transmission data protection

   

M5. System hardening

A3. Session integrity

     

A4. Vulnerability scanning

     

A5. Critical activity outsourcing

     

A6. Transaction business controls

 

4. Physically secure the environment

M6. Physical security

 

Know and limit access

5. Prevent compromise of credentials

M7. Password policy

 
   

M8. Multi-factor authentication

 
 

6. Manage identities and segregate privileges

M9. User account management

A7. Personnel vetting process

   

M10. Token management

A8. Physical and logical password storage

Detect and respond

7. Detect anomalous activity to systems or transaction records

M11. Malware protection

A9. Intrusion detection

   

M12. Database integrity

 
   

M13. Logging and monitoring

 
   

M14. Software integrity

 
 

8. Plan for incident response and information sharing

M15. Cyber incident response planning

A10. Penetration testing

   

M16. Security training and awareness

A11. Scenario risk assessment

 

Please note that these controls are subject to change. The final versions will be released in March 2017.

Organizations in the financial sector will then have only nine months before the standards are enforced, from January 2018. This is not long for a compliance project.

 

ISO 27001

Until the final controls are issued in March 2017, the international standard for information security management, ISO 27001, is the most obvious starting point for SWIFT customers.

ISO 27001 is the only information security standard against which organizations can achieve independently accredited certification, demonstrating that they have implemented the information security best practice that underpins the new SWIFT controls.

Moreover, as well as relying on attestations of compliance, SWIFT customers will be able to request additional assurance from their counterparts that they have implemented security best practice. ISO 27001 provides such assurance.

Click here for more information about ISO 27001 >>

 

ISO 27001 implementation packages

IT Governance's ISO 27001 packaged solutions have helped hundreds of organizations implement ISO 27001 at a speed and for a budget that is appropriate to their individual needs and preferred project approach.

Each fixed-price solution combines products and services that can be accessed online and deployed by any company in the world, whatever its size, type or location.

Find out more about our ISO 27001 packaged solutions and which one is right for you >>

 

ISO 27001 training

IT Governance is responsible for the world’s first accredited program of ISO 27001 education. The ISO 27001 learning pathway provides training courses from Foundation to Advanced level, and offers opportunities to attain industry-standard qualifications awarded by IBITGQ.

Find out more about IT Governance’s ISO 27001 learning pathway >>

 

Cyber incident response management

The speed at which you identify a breach, combat the spread of malware, prevent access to data, and remediate the threat will make a significant difference in controlling risk, costs, and exposure during an incident.

With an effective incident response plan, you will be able to detect incidents at an earlier stage and develop an effective defence against the attack.

Find out more about cyber incident response management, and learn how IT Governance can help your organization prepare for the worst >>

 

Call us now on 1 817 317 3454 or email us to find out more about how we can help you comply with the mandatory SWIFT security controls.

 

Information correct as of October 2016. This page will be updated as new information becomes available.