Episode 295
Secure Payment Messaging: Navigating New Swift CSP Standards and Leading Practices in 2024
As new threats continue to emerge, payment messaging platforms routinely tighten their security requirements. Today's podcast host, Craig Jeffery, Managing Partner at Strategic Treasurer, sits down with Christin Cifaldi, Director of Product Development & Analytics at Strategic Treasurer, to discuss the standards and requirements of Swift's Customer Security Programme (CSP). They discuss who is impacted, the requirements, deadlines, and leading practices for security, as well as the three objectives and seven principles of the CSP.
Download the 2024 Customer Security Controls Framework (CSCF)
Host:
Craig Jeffery, Strategic Treasurer
Speaker:
Christin Cifaldi, Strategic Treasurer
Episode Transcription - Episode # 295: Secure Payment Messaging
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Craig Jeffery 00:18
Welcome to the Treasury Update Podcast. This is Craig Jeffery, your host. Today, I'm interviewing Christin Cifaldi, who is the Director of Product Development and Analytics at Strategic Treasurer. Welcome to the podcast, Christin.
Christin Cifaldi 00:31
It’s great to be here, Craig.
Craig Jeffery 00:32
We are talking through a series on cybersecurity. And today we'll be talking about one of the elements of payment rail and messaging rail standards, from payment card to Swift, even to the ACH network. These payment rails and messaging rails are coming up with standards. Today we're going to talk about Swift CSP. There's a lot there. So what does Swift CSP stand for?
Christin Cifaldi 00:59
Swift CSP stands for Swift Customer Security Programme.
Craig Jeffery 01:03
And how do they spell program?
Christin Cifaldi 01:05
They spell it with an E and two M’s.
Craig Jeffery 01:08
That's awesome. Yeah. Programme, the English spelling. Yes, for the longer code. So Swift is a giant messaging and standard-setting body, which I think no longer stands for all the initials that went into it. So it stands for the Swift platform, where there's messaging which moves the vast majority of money around the globe. What's required under this standard, and who's in scope?
Christin Cifaldi 01:33
So banks and corporates connected to Swift would be in scope, with this impacting the internal IT departments and treasury departments of corporates, who are responsible for meeting all the security requirements under the programme.
Craig Jeffery 01:48
In the intro to today's topic, I mentioned that these payment and messaging rails have standards, and it's to protect the overall network. Can you explain why the standards exist, and why Swift has done this?
Christin Cifaldi 02:03
Yeah, so in response to additional threats over time, Swift rolled out this programme in 2016 to help protect the messaging and limit the fraud and cyber attacks on Swift-connected banks and corporates. And 2017 was the first year that reporting was required under the CSP.
Craig Jeffery 02:23
Yeah, I guess, you know, what do people target? The famous bank robber, you know, when they asked him, why do you steal from banks? That's where the money is. Well, cash isn't sitting in piles. It's in messaging, it's in the communication. So that's why they focus on that. You're going through this and making sure the endpoints are secure. How does a company do that, and show that they've done that?
Christin Cifaldi 02:50
So companies are required to complete either an internal or an external assessment annually, which would cover the three objectives and seven principles of the CSP. And within those three objectives, there are 32 controls that are recommended. So you would complete a full assessment, end to end, to make sure that you're meeting these controls, either as written, or you would have to document and support an alternative implementation.
Craig Jeffery 03:18
So these controls have to be met. How is that confirmed? Is it just confirmed to Swift? Is it confirmed to trading partners?
Christin Cifaldi 03:26
It's confirmed to Swift, and then under KYC, folks can see your results, whether you're compliant or non-compliant, and then it is up to them to decide if they want to continue doing business with a non-compliant entity. So what you would do is you would upload a letter to Swift, a letter of attestation from your third party or your internal IT department, to prove that you are compliant. And then there are also, through their portal, questions that you have to answer, and then your CISO, your chief information security officer, would sign off on that.
Craig Jeffery 04:03
So the KYC piece is in the Swift portal. So instead of having, let's say you're dealing with 10 banks, you don't have to go and send secure messages to ten different banks and go back and forth. You can give them permission through the portal, and they can see all your documentation. Yep. Yeah, that seems like the ideal way to go, especially when you're dealing with multiple institutions. I know. How long have we been doing attestation for clients?
Christin Cifaldi 04:31
We've been offering attestation for clients since the first year it was required, in 2017.
Craig Jeffery 04:36
All right, enough with the commercial. You know, that's good. So you mentioned, you know, three objectives, seven principles, 32 controls. Each year, there are some changes that go on, and maybe you could go and explain the broader three objectives. I know there's a lot of detail here, and as a podcast, it's not very easy to read lots of the details, but maybe explain to me the three objectives.
Christin Cifaldi 05:02
Yeah, so the first objective is secure your environment. And the principles that make up the secure-your-environment objective are restricting internet access to Swift-connected systems to essential employees only. So just limiting those on a need-to-know, need-to-access basis to anything that touches Swift. You also want to have any Swift systems that you may have on premises segregated from your general IT environment by using separate servers. You need to reduce your attack surface by removing any unnecessary access points to those Swift servers. And you'd further minimize vulnerabilities by performing penetration testing and keeping your anti-malware products and services up to date with a documented routine. And you would physically secure the treasury environment or IT environment using key cards and security monitoring such as cameras.
Craig Jeffery 06:04
And badging through doors, and keys, and controlling viruses; that's securing the environment. This is some aspect of the principle of least privilege, or least access, as well as digital and physical. What's number two? If we're securing the environment, what's the second one?
Christin Cifaldi 06:20
Number two is know and limit access. So that's our second objective. And the principles that make up that objective are preventing compromise of credentials by using complex passwords and MFA, and managing identities and segregating privileges by revoking access for former or transferred employees immediately. So having that policy written out and followed. And you also would want to limit access by the principle of least privilege, which Craig just mentioned, and it's also part of securing your environment. So you don't want every person in treasury, every person in IT, to be able to access this; you only want those individuals who need to be on Swift.
Craig Jeffery 07:02
And that makes sense in so many ways. You know, if you've ever visited, I always think of when you visit the old forts. They have really high walls, and they protect the walls. But once you're in, it's just this open area. And so once the wall is breached, they can get around. And so the principle of least privilege is not just having a strong perimeter, but breaking it up, so you can't move freely when you're inside. I don't know if that imagery helps anybody. But that's what I think about. So those are the two: secure your environment, know and limit access. And what's the third?
Christin Cifaldi 07:30
The third is detect and respond. So the principles that go into this third objective are detecting anomalous activity in system or transaction records by utilizing system controls, such as multiple levels of approval, employee training, and routinely scanning all systems. And again, this one, you want this to be well documented, written down, understood by IT and any of the finance professionals who are touching these systems. And you need to work with your IT and your cybersecurity teams to plan for incident response and information sharing with Swift by creating, and annually reviewing, a detailed incident response plan.
Craig Jeffery 08:14
So that's how you can respond to the issue: know who to call and when to do it. On the first part, the detect side, you mentioned detecting anomalous activity at the system or transaction level. Isn't one of the things that criminals try to do, if they get into a system, is they want to go undetected? So they're trying to avoid, you know, they don't want to say, okay, this company only wires out one to $2 million; we're not going to wire $10 million all at once, because we want to monitor and observe what goes on and stay within the range. That makes sense. Any comments on that?
Christin Cifaldi 08:53
Yeah, I think that goes into multiple levels of approval for wires, and then also employee training. So training employees, giving them specific notices like, if you get an email that says the CFO is on vacation and it's an urgent wire, you need to double-check that, just to make sure that it's actually a real request, you know. And then even if it is a false request, you have those multiple levels of approval in there. So maybe the analyst kicks it off accidentally, but then the manager is the backstop and says, yeah, I know the CFO is on vacation, but he or she has never asked me to send a wire from vacation before. So lots of training goes into that. And then also, no amount of training can replace these automatic controls. So that would be requiring complex passwords, forcing people to have those complex passwords, forcing that multiple level of approval, and then also limiting access based on the principle of least privilege. You just can't replace that with training.
Craig Jeffery 09:53
So secure your environment, know and limit access, detect and respond, and then the seven principles that you talked through. Oh, and where can people find the 32 controls?
Christin Cifaldi 10:04
The 32 controls can be downloaded from the Swift website. They publish annually a document containing everything. It's called the Customer Security Controls Framework, the CSCF, and that's where those detailed controls can be found.
Craig Jeffery 10:24
Now, criminals continue to advance their attack methods, and so the defenses have to improve. And accordingly, we see Swift CSP making adjustments and improvements, just like we've seen in the card environment and others. What's the cadence and the method by which Swift goes about enhancing these? Do the main objectives change, or maybe some of the principles? But certainly on the control level, how does that work?
Christin Cifaldi 10:53
So Swift is constantly monitoring throughout the year for any updated industry best practices and new cyber attacks. They do publish those through their portal, through IOCs. But every year in July, they publish an updated version of the CSCF, that Customer Security Controls Framework. So our next version will be coming out this July. And the adaptation deadline is the end of December for each new version.
Craig Jeffery 11:24
You mentioned IOC.
Christin Cifaldi 11:27
Indicator of compromise.
Craig Jeffery 11:29
There you go. All right. Any final thoughts about Swift customer security program?
Christin Cifaldi 11:34
So I think it's important to stay on top of it, you know, get in there in July and look at any updates. In the past, these have consisted of making advisory controls mandatory. So some corporates or banks might be just saying, oh, that's advisory, I'm not going to really go to my IT and quiz them on that this year to see how they're handling it. So just keeping in mind that you need to go back and refresh, and that there are updated definitions. So it's important not to just skip over something that's mandatory because you've already covered it in the past year or two years. And then just having your IT security team aware of the IOCs that are published to Swift, and that's part of the information sharing. So if you're connected to the Swift network and you have an incident, reporting it to them will get that information out there so that other corporates and banks can protect themselves.
Craig Jeffery 12:28
In one sense, this seems like a lot of work to use the network, right? Because not every network, just like cards didn't used to have to have PCI DSS, Swift messaging didn't used to have the Swift Customer Security Programme. This could be viewed as a lot of overhead being necessary. But with that overhead, maybe it's better to use other methods. And I don't think that's the case; I'm just saying that may articulate what some people are thinking. But how you connect to Swift, whether you bring all the hardware in yourself, use some type of service bureau, a Swift service bureau or a treasury aggregator, or you use some kind of more vendor-managed solution, that has differences in terms of how much attestation and validation needs to occur. Is there a way that you would describe that?
Christin Cifaldi 13:18
Yeah, if you're using a treasury aggregator, for example, they would be responsible for compliance with the CSP and would handle that reporting. So you could ask them, or look on Swift's portal for them, and just make sure that they're current and compliant, and they could also provide you with any third-party audit results that they've received on that. So that would be important, if you're out there shopping for a treasury aggregator, to make sure that they're compliant.
Craig Jeffery 13:48
That's the way that many of these services work. If you go to a third party, they become responsible for protecting card data or Swift attestations. You may have some responsibility there, but it's minimized greatly. Well, thanks so much, Christin. Yeah, thank you, Craig.
Announcer 14:08
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.