By Angelo Chiarot – Senior Security Advisor of Kirey Group
The Society for Worldwide Interbank Financial Telecommunication, better known as SWIFT, is an organization founded in Brussels in 1973 with the aim of establishing common processes and standards for financial transactions worldwide. Used for the exchange of 37.7 million daily messages in 2020 [1], with a growth of 10.3% compared to 2019[2], the SWIFT circuit counts in February 2021 the membership of more than 11,000 global institutions connected by 200 different countries[3].
|
In relation to the continuous occurrence and evolution of fraud events that have an impact on the financial sector (as reported by ENISA - European Union Agency for Cybersecurity and CLUSIT - Italian Association for Information Security) the model defined by SWIFT is the answer to the requests of international banking and financial institutions. The latter had and still have the necessity to arrange a system that allows the monetary exchange from one country to another with certain, reliable and especially secure methods. |
Source: SWIFT, December 2019 |
Initially set up and managed by banking institutions as a replacement for TELEX, now obsolete and lacking sufficient security guarantees, the SWIFT circuit is now the reference standard for the exchange of financial messages. It is also accessible to other financial operators, such as brokers, stock exchange operators, clearing and depository institutions, institutions authorised to exchange securities. The circuit provides for the assignment to the member parts of a Bank Identifier Code - BIC, i.e. a code with a length of eight or eleven characters, uniquely assigned to each associated entity.
The SWIFT model, together with the transactional mechanisms that are based on the exchange of messaging compliant with ISO 15022[4] and ISO 20022[5] standards, is composed of security measures qualified in the Customer Security Programme and detailed in the Customer Security Framework (two of the main technical-regulatory documents on security controls). These measures are designed to guarantee the confidentiality and the integrity of information and the availability of the service, with the aim of mitigating the risk of incurring fraud. In order to guarantee proper levels of security throughout the circuit, member entities must formally and periodically demonstrate that they have arrange, applied and maintained the necessary security controls, according to the reference architectures.
With the goal of determining the system components concerned, in addition to the organizational aspects (e.g. company or third party roles involved), within the perimeter on which insists the application of security controls (secure zones), SWIFT requires entities to identify which of the five reference architectures (see Figure 1) is closer to what is deployed in their operating environment for message transmission and reception.
In accordance with an approach based on the identification and mitigation of risk, the identification of the reference architecture allows the timely determination of the security controls applicable to the secure zone and to the internal and external parties involved (e.g. service provider). Elements on which the following Assessment activity, necessary to demonstrate security compliance and maturity. Achieving and being able to demonstrate compliance, as well as being factors that allow the mitigation of fraud and direct loss phenomena, allow the sharing with its national and international partners of the character of reliability and security achieved, thus further strengthening the Organization’s image and reputation.
Figure 1 – Reference architectures
With the Customer Security Programme (CSP), SWIFT classifies reference architectures through the identification of interfaces, applications and tools, specifying how different implementations can however be characterized by a substantial level of customization, compared to the groups identified below:
A1 architecture: ownership of license and use of the communication interface and the messaging interface, or of the communication interface only, which typically reside within the premises of the Organization or at the service provider.
Architecture A2: ownership of license and use of the messaging interface only, located at the Organization or at a service provider.
A4 architecture: use of a custom connector, typically using an application solution (e.g. file transfer or middleware such as IBM MQ Server) that allows communication with a service provider.
Architecture B: no specific infrastructure components. The messaging service is used via a PC or other device through a Graphical User Interface (GUI) or through a back-office application through the Application Programming Interface (API) that connects to services provided by a service provider.
The Customer Security Programme (CSP) also requires each entity to define, document, apply and verify its payment processes and technological components with respect to control objectives, the principles and individual security controls defined by SWIFT (see Figure 2), in compliance with the applicability criteria of each type of architecture used.
The security controls, not limited to technologies but also applicable to persons and processes of the Organization, are divided into mandatory (mandatory) and advisory (discretionary). These represent the selection made by SWIFT of controls from the main standards and best practices, more used and recognized globally, such as the Payment Card Industry Data Security Standard (PCI DSS), Information Security Management Systems (ISO/IEC 27002) and the National Institute of Standards and Technology (NIST), for the protection of confidentiality, integrity and availability of information and continuity of service.
Figure 2 – Taxonomy of controls
The selected controls help Organizations to mitigate security risks that seem increasingly looming, in today's threat landscape. Addressing these risks adequately thus enables the prevention and reduction of potential adverse, fraudulent and potential loss events, such as:
The Regulation requires that organizations must certify annually their compliance status, typically within the period July-December, in relation to the annual update criteria of the reference documentation, in particular the Customer Security Control Framework (CSCF).
Starting from mid-2021, the attestations of compliance submitted in accordance with CSCF v.2021, shall be the result of the safety control assessment conducted independently, exclusively through:
Kima Projects & Services S.r.l. | Kirey Group, already Certification Body for electronic payment environments since 2006 according to the Payment Card Industry Data Security Standard (PCI DSS) in banking and finance, in 2020 has obtained accreditation as an Assessor qualified by SWIFT, through the Customer Security Programme (CSP) Assessment Provider, enabling the evaluation and validation of SWIFT payment environments.
Kima has a Senior Security Advisor with more than twenty years of expertise and experience, as well as security certifications that allow them to be qualified as suitable entities for carrying out compliance activities regarding the security requirements of SWIFT.
To date, the certifications held by the Security Advisory Team are the following:
Actively involved in the provision of services for banking institutions and financial operators, Kima is therefore the appropriate interlocutor who has an offer for the SWIFT Regulation which consists of the following main activities: