By using this website, you agree with the use of cookies set for performance, statistical and advertising purposes. Learn more about our Cookie consent.
Why is SWIFT mandating an independent review of the CSP attestation this year?
All SWIFT users are mandated to carry out an independent assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce and uphold the highest level of security of the global financial community.
Our assessment is in December – why are you engaging with us now?
The annual attestation can be made as early as July 1st and will be valid until the next annual attestation is required. Engaging early and being proactive will help provide peace of mind that you will comfortably meet the attestation deadline. In preparation for the new assessment methodology we encourage our clients to act now to avoid any delays in the instance that any remediation work needs to be done in order to comply with all mandatory controls of the CSP.
What are the consequences of noncompliance?
In the instance of non-compliance, SWIFT can inform other members within the community and have the right to report any non-conformities to the local authorities of the respective country of that member. Understandably, this could have detrimental effects on an organisation; potentially jeopardising daily business operations as well as reputational damage and trust.
Start planning for your attestation now to avoid any consequences.
How long does remedial action normally take prior to the independent assessment taking place?
In some instances, typical resolution periods can take multiple weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance and you will be provided with a task list of any necessary remediation works required before the actual independent assessment is performed.
Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.
Is Bottomline experienced at doing these pre-assessment checks and the independent assessments?
To fully support our customers, we have a long-standing SWIFT certified cyber risk audit partner that we have been working with for over four years to successfully deliver CSP assessments. This ensures that our customers fully understand their requirements and are able to complete the attestation to the highest standard.
What happens if we don’t do the independent assessment this year?
All SWIFT users are mandated to carry out the independent assessment to support their CSP attestation. In the instance that an independent assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.
The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.
What is the benefit of Bottomline doing the Independent Assessment vs. an accountancy firm or external consultant?
Bottomline is able to provide peace of mind and assurance that your organisation will meet and exceed the requirements of the CSP with intimate knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the independent assessment and to meet specific controls laid out in the Customer Security Control Framework (CSCF).
We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.
Can Bottomline provide us with a template of what the pre-attestation review outputs will look like?
The pre-attestation review will allow our SWIFT certi ied auditors to review and discuss your organisation’s current compliance status, before the actual independent assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details.
We’ll be happy to share an example of the reports with you.
What additional controls do we need to attest to this year and can Bottomline assist us in being compliant?
The CSP is constantly evolving, it is assessed annually, with new controls introduced and advisory controls promoted to mandatory to ensure the bar continues to be raised. The SWIFT CSP 2021 assessment comprises a maximum of 22 mandatory controls and 9 advisory controls within the CSCF v2021. In 2020, 2 advisory controls were promoted to mandatory and 2 new advisory controls were introduced, however due to COVID-19 these changes were not enforced until 2021. In 2021 1 control was promoted to mandatory. Organisations must attest to v2021 of the CSCF supported by an independent assessment.
Bottomline can provide guidance and assurance with helping your organisation adhere to the CSP requirements.
Remediation work can take time so we urge you to get in touch now to discuss you compliance status, providing peace of mind that you will successfully attest to the 2021 CSP.
Which controls are most misunderstood in attesting which leads to potential non- compliance with the mandatory requirements?
One control that is often misunderstood is 6.4 – Logging and Monitoring. This is a mandatory control that requires the organisation to ensure they have monitoring and alerting capabilities in place to detect anomalous actions and operations within their local SWIFT environment.
In some instances, where organisations have not implemented sufficient measures, it can take from 3 to 6 months to resolve.
Another commonly misunderstood control is 7.2 – Security Training and Awareness. This control requires annual security training for all staff within an organisation. This control is very easily overlooked; however, it is critical that appropriate training is provided for all staff and must be evidenced to SWIFT in order to comply with the CSP.
If an external assessor is chosen what are the responsibilities for you as a client?
The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the independent assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.
The assessor will then provide an official certification with appropriate evidence that can be uploaded to SWIFT as proof to support your attestation.
