Does your organization use the SWIFT network with some or all of your IT services outsourced to a third party? Are you one of those third-party organizations engaged by a SWIFT user for the hosting, installation, operation, and/or maintenance of components involved in your customer's SWIFT implementation?
If you answered yes to either of these two questions, you may be surprised to know that the scope of your SWIFT independent cybersecurity assessment may extend further than you thought.
To help you with that, in this video, we'll highlight key portions of the new SWIFT Outsourcing Agent Security Baseline.
I'm Jon Anderson, SWIFT Practice Leader here at Schellman. I've been conducting and managing SWIFT assessments since 2020 using the contemporaneous version of the SWIFT Customer Security Controls Framework (CSCF), and so I understand how the organizations and entities involved in the SWIFT ecosystem for financial messaging have always relied heavily on outsourcing agents for various information technology, development, and information security tasks.
As such, to ensure the security of this extended ecosystem, SWIFT enforces a robust security baseline specifically for outsourcing agents known as the SWIFT Outsourcing Agent Security Baseline or OASBL.
The OASBL serves to acknowledge the shared responsibility between organizations that use SWIFT and the outsourcing agents they employ in maintaining a secure environment for financial messaging.
While the organization that uses the SWIFT network is ultimately accountable for its own data and transactions, the outsourcing agent also has a critical role in safeguarding the entrusted information and systems—hence the OASBL.
As part of its goal to ensure the security of SWIFT third parties, the OASBL places significant emphasis on secure zones, that is, the part(s) of an outsourcing agent's environment that interact with SWIFT data or the customer's SWIFT infrastructure. SWIFT secure zones must be designated as such and have heightened security controls compared to the rest of the outsourcing agent's environment.
That being said, the OASBL does acknowledge that it may not be possible for outsourcing agents to fully isolate their SWIFT-related activities based on:
If that's the case for your environment, the OASBL has outlined an alternate set of reduced security expectations that must be met within the outsourcing agent's secure zone. The controls described within these reduced expectations cover areas like:
It's important to note that while the OASBL does outline these security requirements, it doesn't necessarily mandate independent assessments for outsourcing agents.
But even if outsourced agents do not undergo an independent SWIFT assessment, if it's found during the scoping process that the SWIFT user has outsourced in-scope security or information technology tasks to an outsourced agent, the latter will need to support their customer's CSCF assessment.
In this, outsourced agents have three options:
Whether you are a SWIFT network user or an outsourced agent supporting your SWIFT network user customers, your organization should consider its place within the SWIFT ecosystem and your responsibilities for compliance with the customer security controls program.
Here at Schellman, we can help you complete your independent assessment and support your annual attestation. If you have any questions, please reach out to us—we'd love to speak with you.