Following the introduction of SWIFT’s Customer Security Controls Framework in April 2017, we are pleased to report that 89% of all SWIFT customers attested their level of compliance with the mandatory security controls by the 31 December 2017 deadline.
Combined, these institutions account for over 99% of all FIN messages sent over the SWIFT network. The number of attestations continues to rise, as several hundred organisations have subsequently attested or have attestations in progress. Banks are reminded that SWIFT reserves the right to inform financial supervisors if they have not yet attested.
This excellent response - across segments, markets and infrastructure types - demonstrates the financial industry’s commitment to combatting the persistent threat of cyber-attacks.
The community’s response to complying with this first stage in the attestation process has been extremely positive, and has enabled an increased level of security for SWIFT customers as they will now know more about their counterparts. However, significant work will still need to be done to drive further security improvements and increase transparency across the financial community. For example, in what will mark a significant step-change, all SWIFT customers will need to re-attest and to confirm full compliance with the mandatory security controls by the end of 2018. As of 1 January 2019, SWIFT again reserves the right to notify local supervisors of users that have failed to re-attest or have not confirmed full compliance with the mandatory controls within the required period. Attestations will also have to be renewed annually thereafter.
Customers should also begin to incorporate their counterparties’ attestation data into their risk management and business decision-making processes - alongside other risk considerations such as KYC, sanctions and AML. Using the KYC Registry Security Attestation Application (KYC-SA) customers can share their attestation data with their counterparties and request data from others. This creates an opportunity for an organisation to be transparent about their attestation status, which should increase the trust and confidence for counterparts doing business with each other.
The transparency provided by this counterparty data exchange system is driving attestation and compliance with the controls, as institutions seek to demonstrate their cyber security to their counterparties. SWIFT will introduce additional measures to assure the ongoing quality and effectiveness of customer security attestations in 2018.