Earlier in 2023, AMATAS became an official partner of the SWIFT (Society for Worldwide Interbank Financial Telecommunication) Customer Security Programme. We fully support the cooperative’s mission of establishing a more secure environment across the partner network, where “failure is not an option”, a principle applied within all three critical SWIFT functions: management; risk and compliance; and audit. As one of SWIFT’s assessment providers, AMATAS looks forward to supporting financial institutions in carrying out their independent, third-party annual SWIFT assessment.
Our team consists of professionals with many years of cybersecurity auditing experience, vast knowledge of regulations and compliance (specifically in the financial sector), and the ability to establish and sustain long-standing, trust-based client relationships. In the last year alone, AMATAS’s portfolio of independent security assessments grew to include financial institutions across the Eastern European region. Our goal is always to provide evidence of compliance as efficiently as possible while, at the same time, tracking down those invisible vulnerabilities in order to enhance institutional and organizational cybersecurity capacities.
In this article, the AMATAS team provides more information on the SWIFT assessments and their project scope, and explains why it’s a good idea to start your audit at the beginning of Q3.
What is a cybersecurity audit?
At the beginning of the year, Forbes shared a list of the five industries most at risk from cyberattacks. It’s no surprise that the financial sector ranked amongst the most vulnerable. For cybercriminals, the financial domain has always been a very lucrative one, with an abundance of valuable, sensitive data (and assets) within reach of their keyboards that can easily be sold to the highest bidder on the dark net. On the defense side, however, more and more institutions have started to trust cybersecurity professionals to take precautions, in advance, to protect their customers and systems.
One of the more popular of these steps is the cybersecurity assessment, an instrument for understanding just how effective an organization’s or institution’s current security tools are at protecting it against imminent threats. In other words, the cybersecurity audit examines the organization’s security posture by thoroughly evaluating its digital assets, information systems, and security controls.
The most effective reviews are characterized by a detailed assessment of five core elements: Operations Security, Network Security, Data Security, System Security, and Physical Security. Ultimately, the assessment should establish just how effective the current cybersecurity practices are by pinpointing potential security vulnerabilities and gaps in procedures, the level of cybersecurity risk, and the degree of compliance with frameworks, regulations, and standardized requirements. A comprehensive audit also includes actions to reduce the risk of cyber threats.
What is SWIFT: CSCF and the importance of the annual audits
SWIFT is a member-owned cooperative and infrastructure provider trusted by financial institutions worldwide. SWIFT is dedicated to secure financial messaging services, enabling its members to “quickly, accurately, and securely” communicate information regarding financial transfers. It has been called “the largest and most streamlined method for international payments and settlements”.
All SWIFT members must comply with a set of regulatory control guidelines, the Customer Security Controls Framework (CSCF). The CSCF is constantly adapting to the security challenges in the financial sector, aiming to achieve three main objectives for the SWIFT community: “secure your environment; know and limit access; detect and respond”.
So far, the framework consists of 22 mandatory and nine advisory controls.
The mandatory controls serve as a security baseline for all members. They establish the community’s vision, aiming to make SWIFT’s security benefits more tangible and to reduce global risk.
The advisory security controls are recommendations and are more flexible in responding to rising security challenges, from the ever-evolving threat landscape to global legislation. It’s often the case that some of these controls later become mandatory.
Under the CSCF, all SWIFT members must demonstrate that they comply with the mandatory security controls through an annual independent, third-party audit. The assessment can be performed by external auditors (as well as by internally independent persons with appropriate expertise) and covers categories such as:
- sanctions compliance: anti-money laundering (AML) and counter-terrorist financing (CTF) policies;
- customer security: due diligence and Know Your Customer (KYC) processes;
- incident reporting: procedures for notifying relevant authorities of possible incidents and suspicious activities.
When choosing who will carry out your annual SWIFT audit, it’s a good idea to trust an expert security partner who has the relevant experience and fully understands the extent of both the mandatory and the advisory controls.
For example, an experienced professional will not just assess whether the institution is compliant but will offer you a bespoke view of the current security risks affecting your environment, the trends that will soon become security standards, and recommendations or solutions for further securing your systems.
But more on the benefits of working with security partners in the next part of this article. First, let’s look at cybersecurity audits and why they’re important, especially for achieving sustainable growth in the financial sector.
AMATAS SWIFT Independent Assessment Framework
In 2022, financial institutions across the Eastern European region trusted AMATAS to conduct their independent SWIFT audits. During these assessments, our highly experienced professionals support SWIFT members with dedicated knowledge of regulatory projects and cybersecurity expertise. Our team’s skill set allows us to gather and present evidence of compliance with regulations efficiently. What is more, we have created a project management framework, based on our best practices, that saves resources while achieving actionable and tangible results.
The AMATAS SWIFT audit framework consists of eight phases:
- Project planning,
- Kick-off workshop,
- Gap analysis,
- Remediation support,
- Audit planning,
- Performance of the on-site/off-site audit,
- Remediation/findings,
- Final report.
This encompasses all in-scope components that are vital to the audit, such as data exchange layers, local SWIFT infrastructure, and operators and their PCs. The final assessment will confirm whether the selected infrastructure complies with the CSCF. It will also cover all production, backup, and disaster recovery environments (where some of the above systems and endpoints are held). Now that we’ve outlined how the process works, the AMATAS team would like to share one very important reminder: the earlier you start your institution’s SWIFT audit, the more you will gain from the process itself.
We recommend kicking off audits in Q3, not merely to meet the end-of-year SWIFT deadlines, but to gain many more tangible benefits for your institution or organization.
One of these is a better understanding of your cybersecurity procedures and protocols, and of where potential security vulnerabilities may lie. By relying on AMATAS’s cybersecurity consultancy expertise, we promise to help you make the most of your auditing experience. Our professionals have a track record of successfully implementing strategies both to tackle all discrepancies identified during the audit and to work towards the recommended (advisory) criteria, which, as in previous years, tend to become mandatory.
Starting the process early leaves more room for thought and bespoke problem-solving by our experts, who, by relying on their know-how, can look beyond the expected and tackle even the more obscure security threats within your systems, threats that could become problematic in the near future, without rushing to meet the end-of-year SWIFT deadlines.
Start your SWIFT audit at the beginning of Q3 to have more time to improve your cybersecurity strategy with the help of expert consultants.
To further support your efforts in securing your systems, AMATAS has prepared a special early-bird quote for SWIFT members looking to start their audits in advance. The offer is valid until July 31st, 2023, and is available only on request.
If you’re interested in finding out more, email us at: firstname.lastname@example.org