
SWIFT Customer Security Program

Banking information is some of the most important to keep safe. That's why recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), as well as address SWIFT dependencies.

Why Deloitte?

Deloitte’s cyber risk practice is widely acknowledged as a leading security consulting practice, and is eminently qualified to help your organization be secure, vigilant, and resilient in the face of evolving cyber threats.

Deloitte ranked #1 by Gartner in security consulting services for the sixth consecutive year

Gartner, the world's leading information technology research and advisory company, has positioned Deloitte first globally, based on revenue, in security consulting services for the sixth consecutive year in its report, Market Share: Security Consulting Services, Worldwide, 2017.

  • Deloitte’s leadership in the field of information security assures you of our ability to assign qualified, knowledgeable, and industry-respected personnel who have performed similar consulting assignments
  • Our experience in delivering similar mandates for local organizations brings industry-specific expertise. Our local industry resources and deep experience with security technologies constitute an invaluable set of resources for SWIFT CSP-related engagements, enabling us to use proven tools and methods to carry out comprehensive engagements
  • We are technology and solution agnostic and we only recommend a solution that makes sense for the business and provides value

We help clients establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.


Moreover, Deloitte in Luxembourg, and globally through the Deloitte Touche Tohmatsu Limited network of member firms, are the number one providers of security risk management solutions.

* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT; and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.

In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.

To reduce the opportunities for cybercriminals to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP). The CSP is a programme designed to help organisations using SWIFT to design, review and implement specific cyber security controls for their local environments.

The CSP focuses on three mutually reinforcing areas. Customers first need to protect and secure their local environment (you); next comes preventing and detecting fraud in their commercial relationships (your counterparts); and finally, continuously sharing information and preparing to defend against future cyber threats (your community).

You

Securing your local SWIFT-related infrastructure and putting in place the right people, policies and practices, are critical to avoiding cyber related fraud.

Your counterparts

Companies do not operate in a vacuum, and all SWIFT users are part of a broader ecosystem. Even with strong security measures in place, attackers are very sophisticated and you need to assume that you may be the target of cyber-attacks. That is why it is also vital to manage security risk in your interactions and relationships with counterparties.

Your community

The financial industry is truly global, and so are the cyber challenges it faces. What happens to one company in one location can be replicated elsewhere in the world.

SWIFT has requested users to set up these cyber security controls by 31 December 2017, and to update their systems according to CSP requests on an annual basis. The CSP compliance will come through self-attestation. SWIFT has already announced updates to the Customer Security Controls Framework for attestation in 2021.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management program which should be regularly evaluated and adjusted, based on leading industry practices, and changes to the individual users' security posture and infrastructure.
Moreover, from mid-2021, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2021 under the CSCF v2021 also require an independent assessment. A user can do this in either of two ways:

  • External assessment, by an independent external organisation, which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s). Deloitte can help you with the external assessment, or
  • Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As with external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of a user’s self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called “SWIFT-Mandated assessments”.

SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.

The SWIFT Customer Security Controls Framework is built from 3 objectives and 7 strategic security principles. The framework applies to the SWIFT user architecture types A1, A2, A3, A4 and B. SWIFT users must first identify which architecture applies to them before implementing the applicable controls.


SWIFT CSP controls scope

The diagram below depicts the scope of the customer security controls framework.

The scope of the SWIFT security controls is limited to the local SWIFT infrastructure and operator PCs (also referred to as the “secure zone”) and the connection to and from the secure zone. This includes the connection between the secure zone (1) operators, and (2) the back office or middleware. Depending on your set-up and applicable architecture, the scope may vary in size.



SWIFT CSP Changes in 2021

What is the impact of the updates in the 2021 version of the CSCF on your financial organization?

The SWIFT Customer Security Program was created to set the bar for cyber security in the financial services industry, following a series of cyber heists. In this article, we look at the most recent changes made to the Customer Security Controls Framework (CSCF) in order to maintain an up-to-date cyber security maturity in the financial industry. You may have some questions around this. How do the 2021 changes to the CSCF affect your organization? What are the updates to the CSCF in 2021? When will you have to attest against the 2021 CSCF? Below, we take a more detailed look at what these changes are and how they affect your organization.

History of the Customer Security Controls Framework

The Customer Security Controls Framework (CSCF) has gradually evolved over the past years. In a few years’ time, the framework has grown from 27 controls in 2017 to 31 controls in 2021. Moreover, the number of mandatory controls has increased every year. Typically, there is a period of 18 months to understand and implement future changes to the framework. More specifically, the new version of the CSCF was released in June 2020 and compliance is expected by December 2021. In addition, the CSCF change management process allows a phased approach: new mandatory controls or scope extensions are typically first introduced as advisory and only thereafter as mandatory.

Over time, more controls will become mandatory and will have to be implemented. Therefore, we advise you to start testing your readiness for those controls now. Doing so has the added value of improving the maturity of the controls before they actually become mandatory, which avoids future non-compliance with the Customer Security Program.

Changes to be taken into account for your organization:

1. Significant scope change

The scope of control 4.2 was significantly changed: multi-factor authentication is now also required when accessing, at least for transaction processing, a SWIFT-related service, application or component operated by a service provider (such as a service bureau, an L2BA provider or an intermediate actor). This means that authentication to any application used for SWIFT transaction processing now requires multi-factor authentication.

2. New architecture types

One of the most significant changes of the updated version of the CSCF is the new architecture type: Type A4. The most important change here is that organizations that define themselves as an A4 type architecture, don't create a separate secure zone.

3. Advisory controls that are promoted to mandatory

Control 1.4, on the restriction of internet access, has been promoted to a mandatory control for all infrastructure types. Direct access to the Internet raises exposure to internet-based attacks. The risk is even higher where human interaction is permitted (browsing, email or other social network activities). Therefore, general-purpose and dedicated operator PCs, as well as systems within the secure zone, must have their direct internet access controlled in line with business requirements.

4. Scope update and clarifications

The scope of 6 controls was extended with, in most cases, the (customer) connector. SWIFT has also clarified the definition of the ‘connector’: “Embed middleware/MQ servers and API end points when used to connect or transmit transactions to service providers or SWIFT Differentiate SWIFT related connectors (such as SIL, DirectLink, AutoClient)”.
Additionally, an explicit reference to remote (externally hosted or operated) virtualisation platforms was added under requirement 1.3, to draw attention to the risks when engaging with a third party or moving to the cloud.

The SWIFT CSP controls

How confident are you in the effectiveness of your last self-declaration?

We propose that you begin your journey by performing a gap assessment to fully understand your current situation against current and future requirements (advisory controls may become mandatory) and the assessment framework. This helps you identify and plan your projects so that you are compliant by the given date. A gap assessment evaluating the design, implementation and operating effectiveness of your control environment also helps prevent your first independent assessment from revealing unexpected non-compliant controls.