SWIFT Security Update, ReBIT. Saqib Sheikh, saqib.sheikh@swift.com

Presentation transcript:

SWIFT Security Update, ReBIT
Saqib Sheikh, saqib.sheikh@swift.com
March 2018
TLP rating AMBER: confidential to participants and restricted distribution

Cyber threats continue to be persistent and sophisticated.
SWIFT Security Update to ReBIT, March 2018

SWIFT published a detailed case study in November 2017; customers must remain vigilant and ensure sound mitigating controls are in place.

The Customer Security Programme (CSP) will continue to support our customers in responding to cyber threats, based on three pillars:
- You: Secure and Protect. SWIFT tools; Customer Security Controls Framework.
- Your Counterparts: Prevent and Detect. Transaction pattern detection: RMA, DVR and Payment Controls.
- Your Community: Share and Prepare. Intelligence sharing; SWIFT ISAC portal.

Change Management Process
In 2018, key milestones around cyber intelligence sharing, evolution of the control framework and new anti-fraud tools are planned (timeline Q1 18 to Q4 18):
- Security Controls v2 published
- SWIFT ISAC R2, STIX/TAXII (Feb 18)
- Quality Assurance Framework
- All clients must comply with mandatory security controls v1 (31 Dec 18)
- KYC-SA v3 consumption management
- Payment Controls pilot (Q1 18)
- Payment Controls go-live (Q3 18)

In 2017 SWIFT established a new minimum security baseline, applicable to all live BICs. The Customer Security Controls Framework comprises a core set of security controls that all SWIFT customers must apply to their SWIFT-related infrastructure.
16 mandatory security controls:
- Establish a security baseline for the entire community.
- All users must self-attest against their implementation on their local SWIFT-related infrastructure.
- Set a realistic goal for near-term, tangible security gain and risk reduction.
11 advisory controls:
- Based on good practice that SWIFT recommends customers implement on their local SWIFT-related infrastructure.

The majority of customers have published their current level of compliance against this baseline, and this valuable data is available to you.
- 89% of customers attested their level of compliance with the mandatory controls by the 31 December 2017 deadline. This was an overwhelmingly positive response from the community, across every segment, market and infrastructure type.
- All customers now need to self-attest that they fully comply with all mandatory security controls by 31 December 2018. Self-attestations need to be renewed every 12 months.
- 89%: BICs globally that self-attested by the deadline.
- 99%: attested BICs represent 99% of the FIN traffic.

As part of your operating guidelines, this data can be used to confirm the level of security of your participants.
- Users should consume counterparty attestation data and integrate it into their risk management and business decision-making processes.
- Using the KYC-SA, customers can share their attestation data with their counterparties and request data from others.
- Customers remain in control of their attestation data: they can grant or deny requests for it.

The SWIFT security control framework will evolve, giving customers 18 months to budget, plan and comply with new versions of the framework. Lifecycle of version V2 of the security controls (2017 to 2021):
- SWIFT writes V2 controls; V2 controls document published.
- Customer budgets for V2.
- Customer implements V2 controls.
- V2 attest window opens; customer attests; counterparty (CP) consumes the attestation.
- V2 attest window closes; customer needs to meet V2 mandatory controls by end 2019.
- V2 regulatory reporting; V2 updates / corrections.

Daily validation reports are available to support strong, independent reconciliation.
“With cyber security and fraud prevention as top institutional priorities, Daily Validation Reports have quickly become an important part of our daily reconciliation process and controls.” (a European central bank)
In the event of an attack the accuracy of data in interface systems may be compromised.
- Validate activity: validate aggregated daily activity and transactions (reference and value) for a Group or a BIC8 across the payment chain; daily volume and value totals, maximum value of single transactions and comparisons to a 24-month historical profile.
- Assess risks: assess large or unusual message flows based on different risk factors (largest transactions, largest aggregates, or deviation from average activity); identifies new combinations of parties in the payment chain; highlights transactions sent outside of business hours.
- Review behaviours: ensure alignment to compliance policy.
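The checks the slide lists (daily totals against a historical profile, largest transaction, new party combinations, out-of-hours sending) are the kind of reconciliation an institution runs on its own copy of outbound traffic. The block below is an added illustration written for this page, not SWIFT's Daily Validation Report implementation; the payments, the historical totals, the known party pairs and the business hours are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass
class Payment:
    """One outbound payment: reference, sender and receiver BIC8, value, send time."""
    ref: str
    sender: str
    receiver: str
    amount: float
    sent_at: datetime

# Constructed stand-in for the 24-month historical profile: past daily value totals.
HISTORY_DAILY_TOTALS = [1.0e6, 1.1e6, 0.9e6, 1.05e6, 0.95e6]
# Constructed set of sender/receiver pairs seen before in the payment chain.
KNOWN_PAIRS = {("BANKINAA", "BANKGBBB"), ("BANKINAA", "BANKUSCC")}
BUSINESS_HOURS = (9, 18)  # assumed local business hours, 09:00 to 18:00

def daily_validation(payments, history=HISTORY_DAILY_TOTALS, known_pairs=KNOWN_PAIRS,
                     hours=BUSINESS_HOURS, sigma=3.0):
    """Aggregate one day of payments and return totals plus a list of findings."""
    total = sum(p.amount for p in payments)
    largest = max(payments, key=lambda p: p.amount)
    findings = []
    # Deviation of today's value total from the historical profile (mean +/- sigma*stdev)
    mu, sd = mean(history), pstdev(history)
    if sd and abs(total - mu) > sigma * sd:
        findings.append(f"daily total {total:.0f} deviates from profile mean {mu:.0f}")
    for p in payments:
        if (p.sender, p.receiver) not in known_pairs:
            findings.append(f"{p.ref}: new party combination {p.sender}->{p.receiver}")
        if not hours[0] <= p.sent_at.hour < hours[1]:
            findings.append(f"{p.ref}: sent outside business hours at {p.sent_at:%H:%M}")
    return {"count": len(payments), "total": total,
            "largest": (largest.ref, largest.amount), "findings": findings}

# Constructed sample day: two routine payments and one large, out-of-hours payment
# to a receiver never seen before.
SAMPLE_DAY = [
    Payment("REF001", "BANKINAA", "BANKGBBB", 400_000.0, datetime(2018, 3, 5, 10, 15)),
    Payment("REF002", "BANKINAA", "BANKUSCC", 350_000.0, datetime(2018, 3, 5, 14, 40)),
    Payment("REF003", "BANKINAA", "BANKAU2S", 9_000_000.0, datetime(2018, 3, 5, 2, 5)),
]

if __name__ == "__main__":
    for line in daily_validation(SAMPLE_DAY)["findings"]:
        print(line)
```

The report is only independent if it is built from the network-side copy of the traffic rather than from the interface systems whose data may have been tampered with.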

Payments Controls Engine: a message-by-message payments screening service will be a powerful new anti-fraud tool.
SWIFT is developing Payment Controls for subscribing organisations, performing ‘in-flight’ transaction monitoring to identify payment activity that is out-of-policy or indicative of fraud risks. Payment Controls provide an additional safeguard on top of users’ existing fraud prevention systems.
Flow: message copy to the Payments Controls Engine, then release / abort.
- Focus on smaller institutions: initially for smaller, sending organisations. Will also help protect larger organisations through reduced risks of received payments.
- Secure in-network: uses the sanctions screening model to alert/release/abort payment messages in real time. Monitoring policy defined by the subscriber.
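An in-flight control of this shape copies each message to a screening engine and answers release, alert or abort according to a policy the subscriber owns. The block below is an added sketch of that decision step for this page, not SWIFT's Payment Controls service or its policy schema; the policy fields (hard limit, alert threshold, permitted currencies and destination countries) and the sample messages are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    RELEASE = "release"  # forward the message unchanged
    ALERT = "alert"      # forward it, but notify the subscriber
    ABORT = "abort"      # stop the message in-flight

@dataclass
class Policy:
    """Subscriber-defined monitoring policy (constructed fields for this example)."""
    abort_above: float                  # single payment value that is never released
    alert_above: float                  # value that is released but flagged
    allowed_currencies: set = field(default_factory=set)
    allowed_countries: set = field(default_factory=set)  # ISO codes, chars 5-6 of the BIC

@dataclass
class Payment:
    ref: str
    receiver_bic: str
    currency: str
    amount: float

def bic_country(bic):
    """Country code is positions 5-6 of a BIC (BIC8 or BIC11)."""
    return bic[4:6].upper()

def screen(payment, policy):
    """Evaluate one copied message; any hard-policy breach aborts, thresholds alert."""
    reasons = []
    if payment.amount > policy.abort_above:
        reasons.append(f"amount {payment.amount:.2f} exceeds hard limit {policy.abort_above:.2f}")
    if payment.currency not in policy.allowed_currencies:
        reasons.append(f"currency {payment.currency} not permitted")
    if bic_country(payment.receiver_bic) not in policy.allowed_countries:
        reasons.append(f"destination {bic_country(payment.receiver_bic)} not permitted")
    if reasons:
        return Decision.ABORT, reasons
    if payment.amount > policy.alert_above:
        return Decision.ALERT, [f"amount {payment.amount:.2f} exceeds alert threshold"]
    return Decision.RELEASE, []

# Constructed policy for a small sending institution.
POLICY = Policy(abort_above=5_000_000.0, alert_above=1_000_000.0,
                allowed_currencies={"USD", "EUR", "INR"},
                allowed_countries={"US", "GB", "IN"})

if __name__ == "__main__":
    for p in [Payment("A", "BANKUS33XXX", "USD", 500_000.0),
              Payment("B", "BANKGB22", "EUR", 2_000_000.0),
              Payment("C", "BANKAU2S", "AUD", 81_000_000.0)]:
        print(p.ref, *screen(p, POLICY))
```

Because the decision is taken on a network-side copy, it still applies when the sender's own interface or operator credentials have been abused to originate the message.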

SWIFT provides support in becoming compliant with the SWIFT CSCF by end 2018.

Are you prepared to respond to these persistent and sophisticated cyber threats?
- Have you secured your infrastructure?
- Have you implemented necessary controls?
- Do you have the capacity to respond?
- Have you secured your ongoing operations?

The following controls support compliance with recent regulations. For each action, the SWIFT services that support it are listed, followed by the RBI requirements it enables compliance with.

1 Have you secured your SWIFT infrastructure?
  a) Ensure automated integration with back office systems and minimise manual processing
     Services: CBS integration service; SWIFT infrastructure security review
     RBI requirements: 1b, 1h
  b) Comply with security controls
     Services: Security integration service
     RBI requirements: 1c, 1d, 1e, 1f, 1g, 1k, 3b, 4a, 4e, 4f
2 Have you implemented necessary controls?
  a) Ensure independent reconciliation with golden source data
     Services: Daily validation reports (for all banks); Real-time flow monitoring (for top tier banks)
     RBI requirements: 1a, 1h, 2b, 4g
  b) Implement transaction controls
     Services: Payments control service; GPI stop & recall of payments
     RBI requirements: 1a, 2a, 3b, 4b, 4d
  c) Ensure strong relationship management
     Services: Regular RMA analysis and clean-up; RMA+
     RBI requirements: 1g
3 Do you have capacity to respond?
  a) Ensure your staff are aware and trained to detect and respond to cyber threats
     Services: SWIFT administration & operations training; Security bootcamp; Annual SWIFT certifications
     RBI requirements: 1i, 1l, 4a, 4f
  b) Ensure your staff have access to latest cyber intelligence
     Services: SWIFT Info Sharing & Analysis Centre; SWIFT security guidelines
     RBI requirements: 1i, 1l, 4f
4 Have you secured your ongoing operations?
  a) Implement independent monitoring and operations support
     Services: Alliance Managed Operations; System Care Premium Plus
     RBI requirements: 4b

Have you secured your infrastructure?
- Review the configuration of your channel against SWIFT best practices: SWIFT infrastructure security review; operational excellence review; architecture analysis.
- Comply with security controls: back office data flow security; two-factor authentication; other security integration services.

Have you implemented necessary controls?
- Ensure independent reconciliation with golden-source data: daily validation reports; business intelligence reports; real-time flow monitoring.
- Implement transaction controls: Payments control service; GPI stop & recall.
- Ensure strong relationship management: regular RMA analysis and clean-up; RMA+ for granular control.

Do you have the capacity to respond?
- Ensure your staff are aware and trained to detect and respond to cyber threats: security bootcamps; tailored training; SWIFT Administration and Operation certifications; SWIFTSmart.
- Ensure your staff have access to the latest cyber intelligence: SWIFT Info Sharing & Analysis Centre; SWIFT security guidelines.

Have you secured your ongoing operations?
- Implement independent monitoring and operations support: Alliance Managed Operations; local support; premium custom support.

What you can continue to do
1 Engage in SWIFT ISAC and sign up for notifications.
2 Ensure mandatory security updates of SWIFT software are installed.
3 Ensure that you fully comply with all the mandatory security controls and attest by 31 December 2018.
4 Consider your institution’s counterparty risk frameworks to consume and utilise counterparty attestation data.
5 Consider SWIFT’s anti-fraud tools (Payment Controls, Daily Validation Reports, RMA clean-ups, etc.).

Questions
