SWIFT requiring users to comply with new cybersecurity rules

Authored by: Russell Sommers

SWIFT, the global provider of secure financial messaging services, announced on Sept. 27, 2016 that financial institutions using the interbank messaging network must comply with its new cybersecurity standards. Led by the National Bank of Belgium, the oversight board which also includes: the U.S., UK, Canada, Germany, Japan, France, Italy, Sweden, Switzerland and the Netherlands, announced draft standards will be released in October with a two month comment period. The goal is to publish final standards by March 2017 with enforcement and inspection beginning Jan. 1, 2018.

These new standards are going to impact over 11,000 financial institutions across approximately 200 countries, according to SWIFT CEO, Gottfried Leibbrandt. The framework will include 16 mandatory controls, as well as 11 optional advisory controls. In an effort to help institutions manage counterparty risk and to force accountability for the institutions’ comprehensive cyber risk program, SWIFT has noted their intent to publish Cybersecurity Examination Reports for public use.

Adding to complex cybersecurity regulations

This new cybersecurity regulation adds to the existing cybersecurity regulatory pressures financial institutions are currently experiencing, which includes guidance from the Federal Financial Institutions Examination Council (FFIEC), the Securities and Exchange Commission (SEC) and most recently the New York Department of Financial Services. These regulator-specific cybersecurity rules sit on top of the myriad of existing cybersecurity frameworks, including: The National Institute of Standards and Technology (NIST) CSF, ISO/IEC 27001, COBIT 5 and ISA 62443.

Common themes in cybersecurity regulations

While new cybersecurity regulations are released seemingly on a monthly basis, the general tenets remain the same. The themes common among the regulations are:

  • Well documented policies and procedures
  • Risk based approach
  • Strong internal control structure and oversight
  • Focus on data:
    • Classification with a focus on consumer information - personally identifiable information (PII) and protected health information (PHI)
    • Encryption of data in transit and data at rest
    • Use of third party vendors
  • Layered security controls:
    • Intrusion protection and detection (IPS/IDS)
    • Multifactor authentication (for accessing confidential data)
    • Password complexity
    • Administrative access
    • Vulnerability assessment and penetration testing
    • Incident response
  • Training and commitment to competence:
    • Information security team
    • Security awareness
    • Executive management and director education

Successful compliance

The aspect of compliance that will dictate success will be the ability to:

  1. Develop an understanding of all regulatory requirements to which your institution must comply.
  2. Define the framework to which your institution has ascribed.
  3. Document how your institution has met each aspect of the standards of the framework.
  4. Document any identified internal control exceptions and their remediation.
  5. Document response procedures invoked in the event of an incident, including a root cause analysis and the timing and procedures undergone in response.
  6. Prove, through rigorous testing, that the required controls have been implemented and are working effectively.

The changing rules and regulations continue to add to an already complex set of requirements. We recommend financial institutions begin reviewing their cybersecurity compliance processes.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.