SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants in order to fight together against cyber threats.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for the local SWIFT infrastructure of participants, and to put in place an assurance framework to counter the ever growing number of cyber threats and strengthen the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme comes into force on 1 January 2018. It applies not only to financial service providers but to every company that participates in the SWIFT network. Before the programme takes effect, each SWIFT participant must conduct a self-assessment and report its compliance status against the controls to SWIFT (by the end of 2017). From 2018, all participants must confirm their compliance annually. This confirmation can take the form of a self-assessment (self-attestation), an internal audit (self-inspection) or an external audit (third-party inspection); participants are free to choose which. SWIFT will, however, also carry out regular spot checks of submitted confirmations through internal or external audits for quality assurance purposes.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.

More information

Contacts

Jens Probst
Director, Systems & Process Assurance
+41 58 792 29 59
jens.probst@ch.pwc.com

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85
claudia.hoesli@ch.pwc.com

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33
marco.schurtenberger@ch.pwc.com

The ransomware that made the world cry

Over the last few days the cybersecurity community has been dominated by a large-scale ransomware attack rippling across the world. On Friday 12 May the first reports appeared of victims infected with a ransomware dubbed WannaCry (also known as WCry or Wanna Decryptor). It soon became clear that this wave was larger than usual. According to the latest estimates, the malware infected more than 250,000 systems in as many as one hundred countries. The list of victims is long and includes well-known names across all sectors. In some cases the infection had serious consequences: several hospitals in the United Kingdom had to cancel scheduled surgeries, and some students in China lost their graduation theses.

What we know

The malware encrypts every file matching a list of 176 extensions, covering documents, databases and backup files, and appends the extension “.WCRY” to each. The victim is asked to pay between USD 300 and 600 in Bitcoin to get the files back. So far there is no evidence that paying actually yields a key that decrypts the files. In their message the authors threaten to delete the files permanently if the demand is not met within eight days. The international ambitions of the campaign are evident from the ransom note, which is translated into 28 languages.

Once the initial host is infected, the ransomware spreads laterally through the network by exploiting the Server Message Block (SMB) vulnerability that Microsoft fixed in security bulletin MS17-010. The flaw lies in Microsoft's SMBv1 implementation, so any unpatched Windows host that still accepts SMBv1 connections is reachable. The exploit for this vulnerability was made public by the group known as the Shadow Brokers on 14 April 2017, as part of a leak of hacking tools allegedly developed by a state actor. Microsoft had released the patch a month earlier.

Switzerland has not been spared. As of Sunday evening, the Swiss GovCERT reported roughly 200 potential victims. That number could rise steeply, since more than 5,000 systems in Switzerland expose SMB directly to the Internet.

What is still unclear

Despite the flood of information, some points remain unclear. First, it is not yet known how the dropper is initially delivered to victims. One hypothesis is that a spear-phishing e-mail carried the malicious attachment, but no such e-mails have surfaced yet. In its alert, the US-CERT stated that the attackers gained access to victims' networks either through Remote Desktop Protocol (RDP) or by exploiting the critical Windows SMB vulnerability mentioned above. Second, the identity of the authors remains unknown. Given the financial nature of the attack, the dominant hypothesis is that a criminal group launched it. However, state actors have been involved in spectacular heists in the past, and fresh findings suggest the malware may be linked to Lazarus, a state-sponsored group believed to be behind the SWIFT attack on the Bangladesh Central Bank in February 2016. So far the authors have neither spent nor transferred the Bitcoin they collected. At this stage it is difficult to say more about attribution.

Main takeaways

As mentioned above, the exploit used in this attack was leaked in April this year, and by then the vendor had already released a patch for the flaw. Unfortunately, many organisations either underestimated the threat or were slow to install the patch. This episode is a reminder that threat actors reuse leaked tools, and that without timely patching an incident is just around the corner.

As reported in the media, a young IT security researcher was able to curb the attack temporarily by registering a “kill-switch” domain: the malware checked whether that domain resolved and stopped spreading once it did. Unfortunately, new variants without this check have already been spotted in the wild. Furthermore, the threat intelligence community generously shared a large number of indicators and advice that helped organisations identify, prevent and limit the impact of infections. These joint efforts deserve praise and should continue.

Recommendations

If you have not done so yet, apply the MS17-010 patches immediately. As short-term measures, your IT team should also:

  • block external SMB access (ports 137, 139 and 445, in both directions, at the Internet perimeter);
  • disable the SMBv1 network file sharing protocol on all hosts, which removes the vulnerable code path altogether;
  • ensure two-factor authentication is in place for all necessary external accesses to systems (e.g. VPN and RDP);
  • update antivirus signatures;
  • if a system is infected, isolate it from the corporate network immediately to stop the infection spreading;
  • if you have already fallen victim, keep a copy of the encrypted files in case a decryption tool becomes available.
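The following PowerShell script is an added example and not part of the original PwC article; it applies and verifies the short-term measures above on a single Windows host. It assumes Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetFirewall cmdlets) and runs elevated. The KB numbers that deliver MS17-010 differ by OS version and are not listed on this page, so the check takes them as a parameter to be filled in from the Microsoft bulletin.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the PwC page): verify and apply the short-term
# WannaCry measures on one Windows host. Assumes Windows 8.1 / Server 2012 R2
# or later. KB ids for MS17-010 are passed in, not hard-coded (they vary per OS).

function Test-Ms17010Installed {
    param([Parameter(Mandatory)][string[]]$KbId)   # e.g. the KB(s) the bulletin lists for this build
    # Get-HotFix lists installed updates by KB id. Caveat: on Windows 10 a later
    # cumulative update supersedes the original KB, so a miss here means
    # "compare the OS build against the bulletin", not necessarily "unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbId) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Enabled {
    # $true while the SMBv1 server component (the code MS17-010 patches) is still on.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Stop serving SMBv1 immediately, then remove the optional feature where it
    # exists (client SKUs; on Server use Remove-WindowsFeature FS-SMB1 instead).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Inbound rules for the three ports named in the recommendation (137 is NetBIOS
# name service over UDP; 139 and 445 are TCP).
$script:SmbBlockRules = @(
    @{ Name = 'Block NetBIOS-NS 137/UDP from Internet';  Proto = 'UDP'; Port = 137 },
    @{ Name = 'Block NetBIOS-SSN 139/TCP from Internet'; Proto = 'TCP'; Port = 139 },
    @{ Name = 'Block SMB 445/TCP from Internet';         Proto = 'TCP'; Port = 445 }
)

function Block-SmbFromInternet {
    # Drop inbound NetBIOS/SMB from non-private addresses on every profile.
    # 'Internet' is a built-in address keyword of the firewall cmdlets, so LAN
    # file sharing keeps working. Outbound SMB to the Internet should be blocked
    # at the perimeter as well, as the recommendation above says.
    foreach ($r in $script:SmbBlockRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Proto `
                -LocalPort $r.Port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
}

function Find-WcryFiles {
    # Quick triage: files encrypted by this ransomware carry the .WCRY extension.
    param([string]$Path = "$env:SystemDrive\")
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.WCRY' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

function Get-WannaCryExposureReport {
    param([string[]]$Ms17010KbId)
    $missingRules = $script:SmbBlockRules |
        Where-Object { -not (Get-NetFirewallRule -DisplayName $_.Name -ErrorAction SilentlyContinue) }
    [pscustomobject]@{
        Ms17010Patched     = if ($Ms17010KbId) { Test-Ms17010Installed -KbId $Ms17010KbId } else { 'unknown (no KB id given)' }
        Smb1Enabled        = Get-Smb1Enabled
        InternetSmbBlocked = (@($missingRules).Count -eq 0)
        WcryFilesFound     = @(Find-WcryFiles).Count
    }
}

# Usage (replace the placeholder with the KB id the bulletin lists for this OS build):
# Get-WannaCryExposureReport -Ms17010KbId 'KBxxxxxxx'
# Disable-Smb1; Block-SmbFromInternet
```

Run the report first to see where the host stands, then apply the two remediation functions; disabling the SMBv1 optional feature takes effect after a reboot, while the server-side switch and the firewall rules apply immediately.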

In the longer term, plan and exercise a business continuity programme, adopt and test an incident response plan, establish consistent patch and vulnerability management, enforce a regular backup policy (with copies kept offline or otherwise out of reach of the systems they protect, since backup files are among those this malware encrypts) and run security awareness training.

PwC can provide you with the necessary assistance and counsel to address these issues and improve your overall security posture. PwC strongly believes in a holistic approach to cyber security by offering a wide variety of services covering all the phases of the cyber lifecycle: from strategy and policy development to its implementation and review.

Why is the latest attack different and what is its relevance for boards? Read more.

In case of questions, please contact us at
cyberinvestigation@ch.pwc.com


PwC Deal Talk – Doing Deals in France from a Swiss Investor’s Perspective

Edition 3/2017

With nearly 600 kilometers of common border, France and Switzerland have historically maintained close trading ties. In 2015, Swiss exports to France amounted to USD 14.4 bn mainly consisting of pharmaceutical and chemicals products and watchmaking items. With cumulative invested capital of EUR 42.4 bn at the end of 2015, Switzerland is amongst the biggest foreign investors in France.

France recently emerged as one of the most active European countries in terms of venture capital investments, paving the way for further foreign capital inflow. In the meantime, the French economy is slowly recovering from the 2008 global financial crisis and has shown a GDP growth reaching 1.1% in 2016. This recovery was also visible in M&A activity, which increased in terms of value and number of deals, particularly in the past three years.

Nonetheless, the French market is distinct from the rest of Europe and investors need to be aware of some unique features applicable to transactions. With first-hand experience and local teams on the ground, PwC can help you to avoid common pitfalls when doing deals in France.

Read Attachment

Contact Us

Sascha Beer
Partner
Corporate Finance / M&A
Tel. +41 58 792 1539
sascha.beer@ch.pwc.com

Nico Psarras
Partner
Head of Transaction Services
Tel. +41 58 792 1572
nico.psarras@ch.pwc.com

Maxime Dubouloz
Head of M&A Western Switzerland
Tel. +41 58 792 9058
maxime.dubouloz@ch.pwc.com

Mathieu Gravier
Senior Manager, Transaction Services
Tel. +41 58 792 9300
gravier.mathieu@ch.pwc.com


Event series − VAT in ERP systems: how does it challenge IT, the Tax Administration and tax experts?

Register Online to our upcoming series of events on VAT in ERP systems: how does it challenge IT, the Tax Administration and tax experts?

ERP systems are often not equipped to handle the complex requirements of VAT correctly, flexibly and efficiently without extra work or manual intervention.

The legal requirements are constantly changing, and on the basis of the OECD guidelines many countries are exchanging data or demanding evermore detailed information from taxpayers. Organisations are well on the way to transparency.

At these events we’ll be discussing the views of our clients, looking at the different needs of the IT and tax functions, and finally sharing some insights from the Tax Administration.

The aim of the events is to share experiences and needs, learn from each other, and build ‘best practice’ together. If required, this dialogue can be continued afterwards within our “ITX ERP Support Community”. Our discussions will revolve around the issues organisations face and on creating a common language that enables the tax and IT functions to work together.

Have we piqued your interest? We look forward to welcoming you to one of our discussions.

The dates are planned as follows:

Zurich

  • Wednesday, 31 May 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Birchstrasse 160, 8050 Zurich

Berne

  • Tuesday, 6 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Bahnhofplatz 10, 3001 Berne

Geneva

  • Thursday, 15 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Avenue Giuseppe-Motta 50, 1211 Geneva
  • This event takes place in English. To discuss your questions, local PwC colleagues will be at your disposal

Basel

  • Thursday, 22 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, St.Jakobs-Strasse 25, 4002 Basel

The detailed programme has been published on our website www.pwc.ch/vat-erp. We are looking forward to your registration.

If you have any questions, please get in touch with your usual PwC contact person or one of the experts below.

Your contacts

Ilona Paakkala
Director
ITX Technology Leader
Tel. +41 58 792 42 58
paakkala.ilona@ch.pwc.com

Sandra Wirz
Senior Manager
ITX ERP Support Responsible
Tel. +41 58 792 25 32
sandra.wirz@ch.pwc.com

Switzerland targeted in sustained global cyber campaign

PwC and BAE Systems have recently concluded an intensive investigation into an espionage network dubbed APT10. Our Advanced Cyber Defense team in Switzerland has been involved in the detection, response and remediation of the attack in multiple sectors where Swiss based clients have fallen victim to this campaign.

Over the last year we have seen sustained, targeted attacks against major organisations in Switzerland. The attacks specifically targeted managed IT service providers (MSPs) and used their networks and administrative access to reach the MSPs' customers. This potentially gave unprecedented global access to the intellectual property and sensitive data of both the MSPs and their clients.

As part of the investigations carried out by our Swiss, UK and global teams, we have linked these activities to similar attacks in more than 14 countries. PwC has gone public because, although we have already seen several companies compromised, many other organisations may be affected without knowing it. We recommend a cybersecurity breach assessment to detect whether your organisation has already been compromised, and the use of tailored threat intelligence to manage the risk effectively.

World-wide, the campaign has targeted many Japanese state entities, and in the US, defence-related as well as telecommunication companies. The construction, retail and consumer, energy and mining, technology, professional services, metals, industrial manufacturing, and public sector were also targeted.

What is APT10?

APT10 has targeted managed IT service providers and used them as a springboard into their customers' networks. The group behind the campaign has used a wide variety of malware that has evolved over time, including RedLeaves, PlugX, Poison Ivy and EvilGrab, alongside the credential-theft tool mimikatz. Most of these tools have been around for some time and circulate widely in criminal circles, so their presence alone does not identify the actor.

The campaign uses an impressive network of command-and-control servers. PwC assesses the energy and resources invested into the campaign as high and sustained.

Attribution

PwC attributed the attacks to the APT10 campaign by drawing on several disciplines and perspectives, all of which pointed to the same conclusion. Reverse engineering of the malware revealed its command-and-control infrastructure and recognisable characteristics. Folder, file-naming and path conventions further illuminated the associated tactics, techniques and procedures (TTPs). Robust intelligence corroborated similar indicators and activities across related victims. Lastly, the modus operandi, the information targeted and the timing of activity, compared with similar activity in the same period and industry, reinforced PwC's conclusions.

Several indicators point to the instigators being located in East Asia. Most strikingly, the registration timestamps of the domains in the large command-and-control network, as well as the malware compilation times, are consistent with an actor based in this region. Any one of these indicators could be faked to lead investigators to the wrong conclusion; doing so consistently across several types of evidence, without ever hinting at another location, would be quite exceptional.

Further investigations are still being carried out to try to determine more exactly who could be behind the attacks. Attribution is a lengthy investigative process, but we believe that the report needed to come out quickly to help organisations protect their networks as much as possible.

What to do

The report includes a long list of indicators of compromise (IOCs). Load these into your security monitoring tools (proxy, DNS, endpoint and SIEM) so that any future activity is detected. For organisations in the targeted sectors with high-value intellectual property, we also recommend a threat hunt across the network to establish whether you have already been targeted.

At a minimum, PwC also recommends two-factor authentication on the jump hosts through which managed service providers (MSPs) enter client networks. The compromise and data exfiltration were carried out via system and MSP administrator accounts, so stronger controls around these entry points are key. Increasing visibility across the enterprise through a comprehensive logging policy, so that administrator logons and their origin are recorded, would further help.
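The script below is an added example, not part of the PwC/BAE report, showing the two hunts the preceding paragraphs describe: matching network IOCs against proxy log lines, and surfacing MSP administrator logons that did not come through the jump host. The indicator values, the jump-host addresses, the log line format and the event records are all constructed placeholders (the page itself lists no IOCs); replace them with the indicators from the report and your own proxy logs and Security event log.

```powershell
# Added example (not from the report): minimal threat hunt over two sources the
# text names: network indicators and administrator account use.
# Everything below marked "constructed" is a placeholder, not a real APT10 IOC.

$IocDomains = @('c2.example-bad.net', 'update.example-bad.org')   # constructed
$IocHashes  = @('d41d8cd98f00b204e9800998ecf8427e')               # constructed MD5
$JumpHosts  = @('10.10.5.21', '10.10.5.22')                       # assumed MSP jump hosts

function Test-DomainMatch {
    param([string]$HostName, [string[]]$Indicators)
    # Match the indicator itself and any subdomain of it (a.c2.example-bad.net).
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($i in $Indicators) {
        if ($h -eq $i -or $h.EndsWith(".$i")) { return $i }
    }
    return $null
}

function Find-IocHits {
    param([string[]]$ProxyLines, [string[]]$Domains = $IocDomains, [string[]]$Hashes = $IocHashes)
    # Constructed proxy log format: <time> <client> <host> <url> [<hash of download>]
    foreach ($line in $ProxyLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 4) { continue }
        $m = Test-DomainMatch -HostName $f[2] -Indicators $Domains
        if ($m) { [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Indicator = $m; Type = 'domain' } }
        if ($f.Count -ge 5 -and $Hashes -contains $f[4].ToLowerInvariant()) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Indicator = $f[4]; Type = 'hash' }
        }
    }
}

function Find-AdminLogonsOffJumpHost {
    param(
        [object[]]$Events,
        [Parameter(Mandatory)][string[]]$AdminAccounts,
        [string[]]$AllowedSources = $JumpHosts
    )
    # $Events are objects shaped like parsed Security 4624 (successful logon)
    # entries. Logon type 10 = RemoteInteractive (RDP), 3 = network. An MSP admin
    # account reaching a client system from anywhere but the jump host is the
    # pattern to surface; the page says these accounts carried the compromise.
    $Events | Where-Object {
        $_.EventId -eq 4624 -and
        $AdminAccounts -contains $_.Account -and
        $_.LogonType -in 3, 10 -and
        $AllowedSources -notcontains $_.SourceIp
    }
}

# --- constructed sample input ---
$proxy = @(
    '2017-04-03T08:12:01Z 10.20.1.14 www.example.com http://www.example.com/',
    '2017-04-03T08:13:44Z 10.20.1.14 a.c2.example-bad.net http://a.c2.example-bad.net/x d41d8cd98f00b204e9800998ecf8427e'
)
$events = @(
    [pscustomobject]@{ EventId = 4624; Account = 'msp-admin'; LogonType = 10; SourceIp = '10.10.5.21' },
    [pscustomobject]@{ EventId = 4624; Account = 'msp-admin'; LogonType = 10; SourceIp = '203.0.113.7' }
)

Find-IocHits -ProxyLines $proxy | Format-Table                       # two hits: domain and hash
Find-AdminLogonsOffJumpHost -Events $events -AdminAccounts 'msp-admin' | Format-Table   # the 203.0.113.7 logon
```

For live data, feed `Find-AdminLogonsOffJumpHost` with objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` (reading the account, logon type and source address from the event's properties), and point `Find-IocHits` at your proxy or DNS logs after adjusting the field positions to their real format.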

Should you need any help to conduct such an assessment, PwC would gladly assist you in any way we can. Don’t hesitate to get in touch with us: PwC Swiss Breach Aid Team

The report and the technical indicators can be found here

Reto Häni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

EUDTG Newsletter January – February 2017

EU direct tax law is a fast developing area. This presents taxpayers, in particular groups and multinational corporations that have an EU or European Economic Area (EEA) presence, with various challenges.

The following topics are covered in this issue of EU Tax News:

CJEU Cases

  • Netherlands: CJEU judgment on pro-rata personal deductions for non-resident taxpayers: X
  • Netherlands: CJEU judgment on the application of Article 64 (1) TFEU concerning the extended recovery period for foreign assets: X

    National Developments
  • Belgium: New Innovation Income Deduction replaces the Patent Income Deduction
  • Finland: Supreme Administrative Court confirms withholding tax treatment for non-UCITS and non-listed Maltese SICAV
  • Hungary: Hungarian implementation of ATAD’s CFC rules
  • Italy: Italian Tax Court of First Instance judgment on the compatibility of withholding tax levied on dividends distributed to a US pension fund with EU law
  • Sweden: Swedish Supreme Administrative Court judgments on the denial of refund of Swedish withholding tax
  • Switzerland: Corporate Tax Reform III rejected by the Swiss voters
  • United Kingdom: Supreme Court judgment in R (on the application of Miller and another) v Secretary of State for Exiting the European Union

EU Developments

  • EU: ECOFIN Council agreement on ATAD II
  • EU: European Parliament Resolution of 14 February 2017 on the annual report on EU competition policy
  • EU: Public CBCR: European Parliament’s joint ECON & JURI Committee issues draft report
  • EU: EU Member States send letter to 92 non-EU countries in context of common EU list of non-cooperative tax jurisdictions
  • Spain: European Commission requests Spain to amend its law implementing reporting obligations for certain assets located outside of Spain

Fiscal State aid

  • Luxembourg: Non-confidential version of the European Commission’s State aid opening decision in GDF Suez
  • Spain: AG Opinion on tax exemptions for Church-run schools

Read the full newsletter here.

This EU Tax Newsletter is prepared by members of PwC’s international EU Direct Tax Group (EUDTG).

Further information about our service offerings in EU taxes: www.pwc.com/eudtg

Changes to legislation governing Swiss VAT liability

Swiss VAT law places new obligations on foreign companies

The partial amendment to the Federal Law on Value Added Tax (VAT law) will impact companies not established in Switzerland from 1 January 2018. Businesses which are not based in Switzerland but provide supplies vis-a-vis Switzerland may be liable to pay Swiss VAT. This will apply in instances where a foreign company generates turnover in Switzerland, in other words in cases where Switzerland is the place of supply for the purposes of VAT. The following information outlines the VAT situation in Switzerland today and in the near future.


Download the full report here.

If you have any questions, please get in touch with your usual PwC contact person or our expert

Julia Sailer
Director
Leader VAT compliance Switzerland
Tel. +41 58 792 44 57
julia.sailer@ch.pwc.com

Additional Languages for this report

German
French
Italian

Digital goes live – Meet PwC at the SAP Forum 2017 – Switzerland’s biggest digital festival

Visit us at the SAP Forum 2017, Switzerland’s biggest SAP event, in Basel on 4–5 April. Spend two fascinating days with technical specialists and industry experts and make the most of the discussions about current trends in digital transformation with SAP.

PwC and SAP enjoy a long-standing, global partnership. With 7,500 PwC experts worldwide, we support our customers from the strategy stage through to implementation in SAP transformation projects. PwC was named as a leader in the Gartner Magic Quadrant for SAP Implementation Services in 2015 and was also recognised in the IDC MarketScape Worldwide SAP Implementation Services Ecosystem Vendor Assessment in 2016.

We look forward to discussing any challenges that you might be facing in relation to SAP, SAP HANA and process and technological support for value-added tax, customs clearance, security and compliance with SAP.

Location:

Congress Center in Basel. You can find us in the second floor foyer.

Highlights from the programme:

Tuesday 4 April 2017 – Business Summit – primarily aimed at business decision-makers

Inspiring keynote speech by Skype founder Jonas Kjellberg

Creative approaches: Forward thinkers present digital business cases live on stage, including

  • SBB’s reporting strategy as a marker of innovation
  • OC Oerlikon’s commitment to digital transformation in its procurement, finance and shared services areas
  • Adrian Zwingli, founder of SwissQ, talks about the changes to the company’s structure
  • Nicole Burth Tschudi, CEO of Adecco Schweiz, presents her vision for the working world of the future

An opportunity to experience digital innovation topics through exciting showcases

‘Elevator pitches’ on SAP S/4HANA, the cloud and security

Forging strong alliances: the open programme and lots of lounge areas provide just the right environment for making new contacts.

Wednesday 5 April 2017 – Technical Summit – primarily aimed at decision-makers and experts from the technology sectors

SAP Executive keynote speech by Rolf Schumann, Global General Manager for Platform and Innovation | SAP Cloud Platform

Drawing upon practical experience – fascinating insights into current digital transformation projects:

IoT Live! – AMAG launches its digital fleet

  • Success with SAP S/4HANA! From making the initial decision to going live: reporting to customers
  • Implementing an international, multilingual B2C shop based on SAP Hybris, presented by Mammut
  • S/4HANA enterprise management @ BKW – one of the first to go live in Switzerland!
  • Landscape transformation and system conversion at Zurich Insurance

The key trends of machine learning and mixed reality, plus interactive deep-dive sessions

48-hour SAP InnoJam session: the ultimate coding challenge goes into the next round!

Planning:

Put together your own personal programme here.

Registration:

The ‘SAP Forum 2017’ event is directly organised by SAP (Switzerland) AG. PwC is involved in the event as a supporting partner. Please register directly via the following link at SAP (Switzerland) AG. Participation in the event is free of charge for those who have registered in advance. A walk-in fee of CHF 150 (excluding VAT) is charged for those attending without having registered previously. Please note the registration rules on the event website.

You can contact us in person at any time.

Jozsef Csoka
Senior Manager Advisory
+41 58 792 75 16
jozsef.csoka@ch.pwc.com

Good, but could do better – Key learnings from the FATF AML&CFT Mutual Evaluation Report of Switzerland

On 7 December 2016, the Financial Action Task Force (FATF) published the results of the Mutual Evaluation Report on Switzerland, concluding their assessment performed from 25 February to 11 March 2016. The results, extending to 245 pages, make interesting reading for AML practitioners and compliance officers.

FATF concluded: “Overall, Switzerland’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regime is technically robust and has achieved good results. It would still benefit from some improvements in order to be fully effective.”

PwC analysed the key findings and identified learnings for regulated firms together with options for regulatory development. The key learnings concern:

  1. Suspicious Transaction Reporting (“STR”)
  2. Due diligence on longstanding customers
  3. AML&CFT customer risk classification
  4. AML&CFT Risk Assessment
  5. Penalty Sanctions

Read our findings and perspective here

For more information please contact our experts

Michèle Hess
Assurance Director
michele.hess@ch.pwc.com
+41 58 792 46 67

Daniel Cicetti
Assurance Senior Manager
daniel.cicetti@ch.pwc.com
+41 58 792 23 92

Alister Smith
Advisory Senior Manager
alister.smith@ch.pwc.com
+41 58 792 47 96

Enhanced auditor’s report: towards trust and transparency

The new auditor’s report required by Swiss legislation is designed to be more informative and insightful, and give the stakeholders of reporting entities greater assurance. We at PwC welcome the new reporting requirements as an opportunity to unlock the ‘black box’ of what we actually do as auditors and increase trust in our role.

We also realise, though, that the new reports and their potential impact on governance have to be discussed and understood – not only by the auditors who produce them, but by reporting entities and their stakeholders, from shareholders to regulators. For this reason we’ve produced a short flyer explaining the major changes and their implications, including a commented overview of the structure of the new report.

You can read the flyer via the link below. Feel free to contact us if you’d like to discuss the new auditor’s report and its implications in more detail.

Download flyer