4 minute read 21 May 2021

How to achieve SWIFT Customer Security Programme compliance in 2021?

By Sylvie Goethals

EY Belgium Financial Services Risk Partner

Dedicated to Financial Services. Focused on quality in delivery and client satisfaction.

SWIFT CSP requirements are changing in 2021. Here is what you need to know to remain compliant.

In brief

  • Although the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme has been around for a few years, important changes have been introduced:
    • The requirement to perform mandatory independent assessments
    • A new architecture type, called Architecture A4
    • Additional mandatory and advisory controls

The CSP was first introduced in 2017 along with the Customer Security Control Framework (CSCF). The CSCF has evolved over time through introduction of new controls and new clarifications on implementation guidance and scope.

Depending on how you interact with SWIFT and on whether (part of) your systems are outsourced, SWIFT has defined specific control requirements for each type of architecture. It is important to highlight that, even if you have fully outsourced the SWIFT systems, you are still obliged to complete the independent assessment.

Graph: SWIFT CSP requirements over time

Key changes for achieving compliance to SWIFT CSP in 2021

Independent Assessment Framework

Until 2020, SWIFT users were required to provide a self-attestation against the CSCF control framework for the architecture and SWIFT components in scope. As of 2021, SWIFT requires the yearly attestation to be supported by an independent assessment, which needs to be completed by 31 December. It can be performed:

  • Externally, by an independent external organization with existing cybersecurity assessment experience, using individual assessors who hold relevant security industry certification(s); or

  • Internally, by the second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent. That function must be independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent.

Without an independent assessment, SWIFT will report to the supervisors (regulators) and inform counterparties.


Introducing a new architecture type (A4)

Until 2020, SWIFT users categorized their architecture as B when their applications were connected to SWIFT interfaces through a connector such as an MQ server, an SFTP server, a custom API endpoint, etc. As of 2021, SWIFT has introduced a new architecture type (A4) for such cases.

Users can continue categorizing as architecture B if:

  • They access SWIFT messaging services via a Graphical User Interface (GUI) application; or

  • Their back-office applications communicate directly using an API client or a middleware client.

The new CSCF version: CSCF v2021

Under CSCF v2021, the control on Internet access restriction is moved from mandatory control 1.1 to control 1.4. Moreover, SWIFT has provided additional clarifications on scope definition, such as:

  • General: additional controls are included in CSCF v2021;

  • General operator PCs: PCs connected to local or remote infrastructure are included in the scope;

  • Third parties: the scope is extended to cloud providers, specifically for scenarios where a cloud provider is used but the SWIFT user remains accountable.

What you need to keep in mind to achieve SWIFT CSP compliance

  • Independent assessment: Consider the selection of an external party to perform the independent assessment, based on the available internal skillset. The external party can either perform this through an independent assessment report (e.g. Assessment report as per templates provided by SWIFT, ISAE3000 or equivalent), or assist your risk, compliance or internal audit department with the necessary experts and auditors.

  • Scope of the assessment: Review your architecture and evaluate whether your implementation needs to be categorized as architecture A4 instead of B.

  • Timing of the assessment: There are two quarters available to achieve compliance (Q3 and Q4). Ideally, a gap assessment is conducted first, so that findings can be remediated in time for the independent assessment results to be compliant.


Conclusion

While SWIFT CSP is extremely relevant for institutions to enhance their cybersecurity level, remaining compliant with the standard remains demanding due to the new requirements introduced in 2021. SWIFT customers should take timely action to implement the CSCF v2021 changes and obtain an independent assessment.

Summary

In 2021, SWIFT has introduced changes to its Customer Security Programme. Institutions have to react in time to remain compliant.
