Key changes for achieving compliance with SWIFT CSP in 2021
Independent Assessment Framework
Until 2020, SWIFT users were mandated to provide a self-attestation against the CSCF control framework for the architecture and SWIFT components in scope. As of 2021, SWIFT requires the yearly attestation to be supported by an independent assessment, which needs to be completed by 31 December. It can be performed:
- Externally, by an independent external organization which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s); or
- Internally, by the second or third line of defense function (such as compliance, risk management or internal audit), or its functional equivalent, as appropriate, which is independent from the first line of defense function that submitted the attestation (such as the CISO office), or its functional equivalent, as appropriate.
Without an independent assessment, SWIFT will report the user to its supervisors (regulators) and inform its counterparties.
Introducing a new architecture type (A4)
Until 2020, SWIFT users categorized their architecture as B when their applications were connected to SWIFT interfaces through connectors such as an MQ server, an SFTP server or a custom API endpoint. As of 2021, SWIFT has introduced a new architecture type (A4) for such cases.
Users can continue categorizing as architecture B if:
- They have access to SWIFT messaging services via a Graphical User Interface (GUI) application; or
- Their back-office applications communicate directly using an API client or a middleware client.
The new CSCF version: CSCF v2021
Under CSCF v2021, the control on Internet access restriction is transferred from mandatory control 1.1 to 1.4. Moreover, SWIFT has provided additional clarifications on scope definition, such as:
- General: additional controls included in CSCF v2021;
- General operator PCs: PCs connected to local or remote infrastructure are included in the scope;
- Third party: extended to cloud providers, specifically for scenarios where a cloud provider is used but the SWIFT user remains accountable.