SWIFT Customer Security Program


SWIFT Customer Security Program

Banking information is some of the most important to keep safe. That's why recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), as well as address SWIFT dependencies.

In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.

To reduce the opportunities for cybercriminals to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP). The CSP is a programme designed to help organisations using Swift to design, review and implement specific cyber security controls for their local environments.

The CSP focusses on three mutually reinforcing areas. Customers will first need to protect and secure their local environment (you), it is then about preventing and detecting fraud in your commercial relationships (your counterparts), and continuously sharing information and preparing to defend against future cyber threats (your community).


Securing your local SWIFT-related infrastructure and putting in place the right people, policies and practices, are critical to avoiding cyber related fraud.

Your counterparts

Companies do not operate in a vacuum and all SWIFT users are part of a broader ecosystem. Even with strong security measures in place, attackers are very sophisticated and you need to assume that you may be the target of cyber-attacks. That is why it is also vital to manage security risk in your interactions and relationships with counterparties

Your community

The financial industry is truly global, and so are the cyber challenges it faces. What happens to one company in one location can be replicated elsewhere in the world.

SWIFT has requested users to set up these cyber security controls by 31 December 2017, and to update their systems according to CSP requests on an annual basis. The CSP compliance will come through self-attestation. SWIFT has already announced updates to the Customer Security Controls Framework for attestation in 2021.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management program which should be regularly evaluated and adjusted, based on leading industry practices, and changes to the individual users' security posture and infrastructure.
Moreover, from mid-2021, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2021 under the CSCF v2021 also require an independent assessment. A user can do this in either of two ways:

  • External assessment, by an independent external organisation, which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s). Deloitte can help you with the external assessment, or
  • Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As per external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of their self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called “SWIFT-Mandated assessments”.

SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.

The SWIFT Customer Security Controls Framework is built up out of 3 objectives and 7 strategic security principles. The framework is applicable to four types of SWIFT user architectures, titled A1, A2, A3, A4 and B. SWIFT users must first identify which architecture applies to them before implementing the applicable controls.

SWIFT's strategic security principles

Click to enlarge the picture

SWIFT CSP controls scope

The diagram below depicts the scope of the customer security controls framework.

SWIFT's strategic security principles

Click to enlarge the picture

The scope of the SWIFT security controls is limited to the local SWIFT infrastructure and operator PCs (also referred to as the “secure zone”) and the connection to and from the secure zone. This includes the connection between the secure zone (1) operators, and (2) the back office or middleware. Depending on your set-up and applicable architecture, the scope may vary in size.

We help clients to establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

More information on the CSP CSCF is available here.

SWIFT CSP Changes in 2021

What is the impact of the updates of the 2021 version of the CSCF on your financial organization

The SWIFT Customer Security Program was created to set the bar of cyber security for the financial services industry, following a series of cyber heists. In this article, we look at the most recent changes that were made to the Customer Security Control Framework (CSCF) in order to maintain an up-to-date cyber security maturity in the financial industry. You may have some questions around this. How do the 2021 changes to the CSCF affect your organization? What are the updates to the CSCF in 2021? When will we have to attest against the 2021 CSCF?
In this article we will have a more detailed look at what these changes are and how it affects your organization.

History of the Customer Security Controls Framework

The customer security Controls Framework (CSCF) has gradually evolved over the past years. In a few years’ time, the framework has emerged from including 27 controls in 2017, to 31 controls in 2021. Moreover, every year the number of mandatory controls increased. Typically, there is a period of 18 months to understand and implement future changes to the framework. More specifically, the new version of the CSCF was released in June 2020 and compliance is expected by December 2021. In addition, the CSCF change management process allows a phased approach: new mandatory controls or scope extensions are typically first introduced as advisory and only thereafter as mandatory.

Over time, more controls will transform to mandatory controls and will have to be implemented. Therefore, we advise you to already start testing your readiness of those controls. By doing this, there is the added value of improving the maturity of the controls before they actually become mandatory. This avoids non-compliance with the Customer Security Program in the future.

Changed to be taken into account for your organization:

1. Significant scope change

The scope of control 4.2 was significantly changed as multi-factor authentication is also to be presented when accessing, at least for transaction processing, a SWIFT related service, application or component operated by a service provider (such as a service bureau, an L2BA provider or intermediate actor). This means that authentication to any application used for SWIFT transaction processing, now requires multi-factor authentication.

2. New architecture types

One of the most significant changes of the updated version of the CSCF is the new architecture type: Type A4. The most important change here is that organizations that define themselves as an A4 type architecture, don't create a separate secure zone.

3. Advisory controls that are promoted to mandatory

Control 1.4 about the restriction of internet access has been promoted to a mandatory control for all infrastructure types. Direct access to the Internet raises exposure to internet-based attacks. Risk is even higher in case of human interactions (browsing, emails or other social network activities being permitted). Therefore, general purpose and dedicated operator PCs as well as systems within the secure zone have controlled direct internet access in line with business requirements.

4. Scope update and clarifications

The scope of 6 controls were extended with, for most cases, the (customer) connector. SWIFT has also clarified the definition of the ‘connector’: “Embed middleware/MQ servers and API end points when used to connect or transmit transactions to service providers or SWIFT Differentiate SWIFT related connectors (such as SIL, DirectLink, AutoCLient)”.
Additionally, an explicit reference was added to remote (externally hosted or operated) virtualisation platform to foster attention when engaging with a third party or moving to the cloud under requirement 1.3.

The SWIFT CSP controls

Click to enlarge the picture

How confident are you in the effectiveness of your last self-declaration?

We propose that you begin your journey by performing a gap assessment to fully understand your current situation towards current and future (advisory controls may become mandatory) requirements and assessment framework. This could help you to better identify and plan your projects to ensure you’ll be compliant by the given date. Doing a gap assessment evaluating the design, implementation, and operating effectiveness of your control environment would also help to prevent your first independent assessment revealing unexpected non-compliant controls.

Deloitte’s cyber risk practice is widely acknowledged as a leading security consulting practice, and is eminently qualified to help your organization be secure, vigilant, and resilient in the face of evolving cyber threats.

Deloitte ranked #1 by Gartner in security consulting services for the sixth consecutive year

Gartner, the world's leading information technology research and advisory company, has positioned Deloitte first globally, based on revenue, in security consulting services for the sixth consecutive year in its report, Market Share: Security Consulting Services, Worldwide, 2017.

  • Deloitte’s leadership in the field of information security assures you of our ability to assign qualified, knowledgeable, and industry-respected personnel who have performed similar consulting assignments
  • Our experience in delivering similar mandates for local organizations brings industry specific experience. Our local industry resources and high experience of security technologies, constitute an invaluable set of resources for SWIFT CSP-related engagements. This enables us to use proven tools and methods to carry out comprehensive engagements
  • We are technology and solution agnostic and we only recommend a solution that makes sense for the business and provides value

We offer holistic services that can support your organization as you address your SWIFT dependencies:

> Mandated assessment

  • Mandated Assessment is a type of SWIFT CSP independent assessment supporting the SWIFT CSP self-attestation. SWIFT users are mandated by SWIFT to perform this assessment with an external assessor. SWIFT users that were selected (about 100 every year) have to report the selected organization to SWIFT by the end of March.

Added values: Use of a unique SWIFT CSP methodology developed by our centre of excellence in Belgium; Unique experience and credentials on these type of engagements worldwide.

SWIFT CSP Workshop
Review for CSP Self-attestation

  • Team of consultants with deep SWIFT CSP experience perform a CSP workshop with your key staff that were involved in the SWIFT self-attestation.
  • Purpose of the workshop is the perform a review of your self-attestation and provide you with high level opinion on remediation activities defined by your organization.

Added values: quick confirmation of your self-attestation, confirmation of your team understanding of the CSCF and high level assessment of your remediation plan.


CSP Readiness / gap analysis
Compliance assessment

  • A Team of consultants with deep SWIFT CSP experience will review your environment based on the SWIFT Customer Security Control Framework.
  • Through interviewing your staff, inspecting system configurations and documentation we will deliver a gap analysis report or a management report that can be used for the self-attestation. This can be done on the full scope of a limited one (focusing on new controls becoming mandatory etc.).

Added values: review of your environment by our team with a high level of understanding and experience that will limit your team involvement and disruption to minimum.


Advise on closing the gaps
Security control design

  • Team of consultants with deep SWIFT CSP experience will work closely with the organization key stakeholders in order to define a plan how to close the gaps against SWIFT CSCF.
  • Through interviewing your staff, we will assist you in the design of security controls in line with SWIFT CSP requirements, including security architecture, Identity and Access Management, incident response, etc.

Added values: project and remediation plan prepared by experts with the correct understanding of how the controls should be implemented in your environment with minimal impact and disruption.


Closing the gaps project management

  • If you are struggling with (timely/correct) implementation of controls, Deloitte has project managers with an in-depth knowledge of the Customer Security Program. Therewith, Deloitte can guide you to correctly and timely remediate all controls within the Customer Security Controls Framework.

Added values: our project managers will ensure that new controls are implemented with minimal disruption to the current environment and will close all gaps against CSCF.


Controls implementation

  • Through years of experience with different implementation methods, using all kinds of software and hardware, the Cyber practice of Deloitte Belgium is exceptionally placed to provide assistance with the implementation of controls in the Customer Security Controls Framework.

Added values: controls implemented by team that understand the CSCF and will implement controls that will fully mitigate gaps with minimal disruption to your current environment.

We help clients establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

Learn more about our cyber risk services.

Moreover, Deloitte in Luxembourg, and globally through the Deloitte Touche Tohmatsu Limited network of member firms, are the number one providers of security risk management solutions.

* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT; and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.


Stéphane Hurtaud

Stéphane Hurtaud

Partner | Cyber Risk Leader

Stéphane is a partner within our Risk Advisory practice. He has over 25 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services indu... More

Maxime Verac

Maxime Verac

Director | Cyber Risk

Maxime joined Deloitte in 2012, and currently serves as Director in Risk Advisory. Maxime has extensive experience in Cyber Security – especially in the Financial Services Industry and for Government ... More

Yasser Aboukir

Yasser Aboukir

Director | Cyber Risk

Yasser joined Deloitte in 2015, and currently serves as Director in Risk Advisory, specialized in Cyber Risk. Since 2011, Yasser built an extensive experience in security assessments, incident respons... More

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.