SWIFT CSP Changes in 2021
What is the impact of the 2021 version of the CSCF on your financial organization?
The SWIFT Customer Security Programme (CSP) was created to set the cyber security bar for the financial services industry, following a series of cyber heists. In this article, we look at the most recent changes to the Customer Security Controls Framework (CSCF), made to keep the cyber security maturity of the financial industry up to date. You may have questions around this: How do the 2021 changes to the CSCF affect your organization? What exactly was updated in the 2021 CSCF? By when will you have to attest against the 2021 CSCF?
In this article we take a more detailed look at what these changes are and how they affect your organization.
History of the Customer Security Controls Framework
The Customer Security Controls Framework (CSCF) has evolved gradually over the past years. In a few years' time, the framework has grown from 27 controls in 2017 to 31 controls in 2021, and every year the number of mandatory controls has increased. Typically, there is a period of about 18 months to understand and implement changes to the framework: the 2021 version of the CSCF was released in June 2020 and compliance is expected by December 2021. In addition, the CSCF change management process follows a phased approach: new controls or scope extensions are typically introduced as advisory first and only become mandatory in a later version.
Over time, more advisory controls will become mandatory and will have to be implemented. We therefore advise you to assess your readiness against the advisory controls now, rather than waiting until they become mandatory. This gives you time to raise the maturity of those controls and avoids future non-compliance with the Customer Security Programme.
Changes to take into account for your organization:
1. Significant scope change
The scope of control 4.2 (Multi-Factor Authentication) was significantly extended: multi-factor authentication must also be enforced when accessing, at least for transaction processing, a SWIFT-related service, application or component operated by a service provider (such as a service bureau, an L2BA provider or another intermediate actor). In practice, authentication to any application used for SWIFT transaction processing, whether hosted in-house or by a provider, now requires multi-factor authentication.
2. New architecture types
One of the most significant changes in the updated version of the CSCF is the new architecture type A4. The defining characteristic is that organizations classifying themselves as architecture type A4 do not operate a separate secure zone, so the controls that depend on a secure zone have to be read in that light.
3. Advisory controls that are promoted to mandatory
Control 1.4 (Restriction of Internet Access) has been promoted from advisory to mandatory for all architecture types. Direct access to the Internet increases exposure to internet-based attacks, and the risk is higher still where human interaction is allowed (browsing, e-mail or social network activity). Therefore, general-purpose and dedicated operator PCs, as well as systems within the secure zone, must have their direct internet access controlled and limited to what the business requires.
4. Scope update and clarifications
The scope of six controls was extended, in most cases to include the (customer) connector. SWIFT has also clarified the definition of the 'connector': "Embed middleware/MQ servers and API end points when used to connect or transmit transactions to service providers or SWIFT; differentiate SWIFT related connectors (such as SIL, DirectLink, AutoClient)".
Additionally, an explicit reference to remote (externally hosted or operated) virtualisation platforms was added under control 1.3 (Virtualisation Platform Protection), to draw attention to this control when engaging a third party or moving to the cloud.
The SWIFT CSP controls