
SWIFT Customer Security Program

In response to current risk and cyber security challenges, SWIFT established a complex set of rules and requirements intended to actively support customers in the fight against cyber-attacks. Thanks to long-standing cooperation with SWIFT through our Centre of Excellence in Belgium, we are uniquely positioned to guide you through the challenges associated with implementing SWIFT's Customer Security Controls Framework (CSCF) and to address SWIFT dependencies and compliance requirements.

Resilience against cyber-attacks

To standardize the level of operational and cyber risk management, SWIFT introduced the Customer Security Program (CSP). The CSP is a framework designed to help users set up their own cyber security controls, which they can implement themselves in their local environments.

Through the SWIFT CSP, companies are able to align to the security requirements baseline that was created by SWIFT and is updated every year to respond to new cyber challenges. As in previous years, updates to the Customer Security Controls Framework (CSCF) were announced in 2021. Currently 22 mandatory controls and 9 advisory controls are in scope of the CSCF.


How we can help

Community-Standard Assessments 2021

Moreover, from mid-2021, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2021 under the CSCF v2021 also require an independent assessment. A user can do this in either of two ways:

  1. External assessment, by an independent external organization (such as Deloitte), which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s). 
  2. Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As with external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

SWIFT-Mandated assessments

Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of a user’s self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called “SWIFT-Mandated assessments”.

SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.

Why Deloitte

Unique Customer Security Controls Framework (CSCF) credentials (framework used for SWIFT CSP)

As part of this program, Deloitte has so far performed more than 100 assessments based on SWIFT CSCF around the globe. Deloitte Czech Republic is part of the Deloitte Global SWIFT CSP Network and cooperates closely with the Deloitte Belgium SWIFT competence center.

Deloitte SWIFT CSP Centre of Excellence 

In order to deliver the highest quality of service across regions and build upon our experience, Deloitte Belgium has established a SWIFT CSP center of excellence with professionals skilled and experienced in security projects based on the SWIFT Customer Security Controls Framework (CSCF). Our experts executed the projects from start to end, or supported local Deloitte offices as subject matter experts in delivering the security assessments based on CSCF.