On February 15, 2019, the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) published guidelines for assessing cybersecurity counterparty risk for financial institutions (the "Guidelines").
Organizations within the banking and payments ecosystem interact with counterparties on a daily basis, which can put them at risk. The Guidelines provide non-binding information and recommendations on how organizations can implement a framework to identify and respond to such risk.
Cybersecurity has been a major focus for financial institutions and their regulators, and the Guidelines should be considered in connection with OSFI’s Cyber Security Self-Assessment Guidance and its recent Advisory on Technology and Cyber Security Incident Reporting (which is summarized here).
Establish a governance model for cybersecurity risk management
The Guidelines recommend the establishment of a cybersecurity governance model to oversee the risk management process. The governance model should align responsibilities across the "3 Lines of Defense". Day-to-day operational risk decisions are dealt with in the first line, exceptions and escalations are handled by the second line with a degree of independence from the first, and auditing and assurance are carried out by an independent third line.
The governance model should be implemented through a senior committee structure and led by a senior executive with appropriate decision-making authority. It should also include representatives from various internal stakeholders, including business, payment operations, IT and cybersecurity, and risk, compliance and auditing. The Guidelines recommend that the senior committee have a clearly articulated mandate describing both its longer-term strategy and its day-to-day operating model, including roles and responsibilities. The mandate should also call for regular briefings to the board and senior management on issues of counterparty risk.
Establish a cybersecurity risk management framework
Organizations should implement a cybersecurity risk management framework for assessing and responding to counterparty risk. Organizations should first collect the counterparty risk data necessary for the assessment, including the industry and region in which the counterparty operates, the degree of regulatory oversight, the history of the relationship with the counterparty, known cybersecurity incidents involving the counterparty, and the type, value and frequency of transactions conducted with the counterparty.
Once risk data has been collected, organizations should assess the risk by assigning an overall score based on established risk assessment methodology and then consider that score in the context of their own risk appetite. The outcome of this process will determine the risk mitigation countermeasures required to "treat" the risk.
Adopt cybersecurity risk-mitigating countermeasures
The Guidelines provide a number of risk mitigation countermeasures that organizations may use to address counterparty risk. These countermeasures include requesting that counterparties implement additional controls or fraud detection measures, or substantiate their information through the provision of technical specification documentation or assessments by independent third parties. Organizations can also implement stricter transactional governance, such as by flagging for review transactions based on criteria like transaction type, value or currency. Transactions identified as higher risk can then be referred for further review or additional verification measures. Organizations can undertake periodic reviews of counterparties to determine if a counterparty’s risk profile has changed and adjust risk mitigation countermeasures as appropriate.
Incorporate attestation data from Swift counterparties
The SWIFT Customer Security Controls Policy requires organizations to self-attest compliance against a set of mandatory security controls and encourages compliance with a set of advisory controls. This self-attestation data can be exchanged with other organizations to facilitate the assessment of counterparty risk. The Guidelines provide recommendations for how organizations can incorporate attestation data into their counterparty risk frameworks, including criteria for granting and requesting access to self-attestation data and the assignment of weightings and scores for risk assessment of the data.
The Guidelines represent an important element of cybersecurity best practices for financial institutions and may be instructive as to measures that should be considered by all organizations.