Swift Customer Security Programme v2024

Enhancing Global Financial Security

The Swift Customer Security Programme (CSP) initiative was launched by Swift in 2016 and aims to strengthen the security of the global financial community. As BDO is a CSP Assessment Provider, we would like to share our insights into Swift’s focus areas for v2024 and the upcoming changes. You’ll also get information on the link between Swift CSP and regulatory requirements such as DORA. To finish off, we’ll be sharing our own experiences and insights based on the performed assessments and questions commonly asked by our clients.

Evolution of the Swift CSP since 2016

In an era where digitalisation has transformed the way financial institutions work, the security of financial data and transactions is more important than ever. 

Following a number of security breaches at financial institutions, Swift became concerned about the security of its users. Swift decided to create a set of security controls and required all its users to attest their level of compliance with these controls transparently. The CSP is continually updated to address new threats and weaknesses in the ever-changing cybersecurity landscape.


Figure: Evolution of the Swift CSP since 2016 © by Swift 2023

Objectives, principles & controls

Swift has defined a set of security objectives, which are linked to seven principles and covered by the set of controls in the Customer Security Controls Framework (CSCF). The CSCF consists of 25 mandatory and 7 advisory controls, but not all controls are applicable to all architecture types: it depends on the extent to which an organisation is integrated with Swift systems. 

    • A note on timing: Swift users are required to confirm their compliance with the mandatory security controls between July 1st and December 31st of each year – whether fully compliant or not! 

© by Swift 2023

Objectives

3 OBJECTIVES AND 7 PRINCIPLES:

  • Secure Your Environment 

1. Restrict Internet access & segregate critical systems from general IT environment

2. Reduce attack surface and vulnerabilities

3. Physically secure the environment 

  • Know and Limit Access 

4. Prevent compromise of credentials 

5. Manage identities and segregate privileges 

  • Detect and Respond 

6. Detect anomalous activity to system or transaction records 

7. Plan for incident response and information sharing

For more information on the Swift CSP and its history, read our article on this topic.

Swift focus areas

Third Party Risk Management – new mandatory control 2.8

Swift constantly monitors ongoing threats and evolutions in the cyber landscape, and adapts its CSCF to meet the challenges that arise. In 2024, Swift’s focus area is Third Party Risk Management, as this topic is gaining importance both from a security and regulatory perspective (e.g. DORA, NIS2). 

Many organisations rely heavily on third-party vendors and service providers to meet various operational needs, and as a result give external parties access to systems and large amounts of data. This poses additional risks that need to be actively identified and controlled.  

As a result, Swift has upgraded the status of control 2.8 Outsourced Critical Activity Protection from advisory to mandatory, for all architecture types.


What is expected for this control?

Swift has also defined an Outsourcing Agents Security Requirements Baseline, which establishes good practice on the controls to be implemented. 

In short, the aim of this new control is to maintain an effective third party risk management programme.

This includes: 

    • maintaining an overview of third parties (including outsourcing agents) and what components and controls they impact 

    • identifying critical vs. non-critical activity outsourcing

    • performing periodic risk assessments on third parties 

    • establishing SLAs and NDAs (for critical activities) 

    • obtaining assurance over the security controls implemented by the third party

 

Swift users should ensure that security provisions are included in contracts with third parties, which at a minimum should comply with the CSP controls. Furthermore, roles and responsibilities should be documented. 

Back Office Security – control 2.4A




In the past, the focus of the CSP was the so-called Swift Secure Zone – a segregated zone where the critical components reside. Now, Swift aims to ensure the security of the “first hop” of the back office, as it determined that significant risks exist related to the data exchange with (often legacy) back-office applications. This includes sensitive data confidentiality and integrity, unauthenticated system traffic and unauthorised access to data and systems. 


© by Swift 2023

To achieve this, Swift intends to make control 2.4A Back-Office Data Flow Security mandatory in the coming years, and encourages its users to start looking into how to implement this control. 

  • For further information on this control and its implementation requirements, check out the Swift CSCF or reach out to your BDO contact person. 


💡 For the year 2024, BDO recommends identifying the back-office first hops and evaluating the security of existing data exchanges. Next, a gap assessment should be performed to identify the actions that will be needed to reach the desired state. Initially, Swift will focus on new flows created between the back office and Swift systems. In a second phase, legacy flows should also be protected – although these will most likely require the biggest investment, so users should not wait too long with the gap assessment and implementation.

Swift API offering 

The Swift API (Application Programming Interface) Platform allows Swift users to access the Swift API services. If an API service or API being consumed is in scope of the CSP, then the application API endpoint (considered a connector in the Customer Security Control Framework) consuming the API and related payload are subject to the CSP security controls. 

What is the link between Swift CSP, industry standards and regulatory requirements?

The Swift CSP controls are based on good practices including ISO 27002:2022, NIST Cybersecurity Framework v1.1, PCI DSS 4.0, Unified Compliance Framework (UCF) and SOC2 Trust Service Criteria 2017. Swift has created a mapping table depicting the relationships between these industry standards and its own controls framework, available through the button below (a swift.com account is required).

Furthermore, links can be made to other European regulations such as DORA and NIS2. The Digital Operational Resilience Act (DORA) is an EU regulation for the financial industry and for service providers to that industry; it entered into force on 16 January 2023 and will apply as of January 2025. DORA is based on five key pillars, as presented in the visual below. The biggest overlap with the CSP relates to cyber incident response planning and reporting, pentesting and third party risk management. 

For further information about DORA, NIS2 or other regulations, get in touch with your BDO contact person. 

Why BDO?

As your trusted partner, BDO will help you achieve your objectives in a pragmatic yet qualitative way. 

    • As Swift Certified Assessors, our assessments are of the highest quality and strive to add value to your organisation instead of just tick-the-box compliance. Our detailed yet straightforward reporting pinpoints what areas you should focus on. 

    • As implementation partners, we focus on the high-risk areas first, making sure your main security gaps are covered. Then, we focus on compliance areas, to ensure an assessment will pass the test. 

Thanks to BDO’s broad expertise, experience and proven record of assisting organisations in both the implementation and the assessment of Swift security controls, you can rely on both enhanced security and compliance with the CSP framework.

BDO tailors its work to each individual client’s needs to ensure our solutions add value where you most need it, ranging from implementing an ISO27K-compliant GRC security programme or a third party security management system to providing DORA and NIS2 assessments and implementations, always in a pragmatic way tailored to your needs. 

Our experts are well-versed in the Swift CSP controls and implementation guidelines, on top of their strong financial sector focus. This enables them to understand the complex regulatory landscape and the evolving cyber security threats.

All our Lead Auditors have proven experience in Swift CSP assessments, IT audits and ISO27K implementations and assessments, and have relevant certifications including the Swift Certified Assessors certification and a combination of CISA, CISM, CISSP, ISO27K Lead Auditor, etc. Furthermore, our low partner-to-staff ratio means high involvement and guidance from partners and experienced staff, and a solid and stable team to perform the assessments.

Our methodology 

Tips for v2024 implementation

BDO performed numerous assessments in 2023. Our experience across these assessments shows that getting scoping, planning and definitions right from the outset is vital for a successful assessment. Furthermore, based on our reviews, we believe the following key areas are most likely to cause non-compliances in 2024: 

Many organisations have identified and listed their third parties and established a TPRM policy. However, procedures for conducting third-party risk assessments, such as periodic risk assessment reviews and SLA reviews with critical suppliers, are often not established or not properly implemented.

This is especially important given that these procedures should now be expanded to also cover a review/assessment of the supplier’s implementation of the CSP controls. Keep in mind that your TPRM processes will also need to comply with DORA by January 2025. 

Staff training and awareness on cybersecurity is an established practice nowadays, but not always fully in line with best practices. For instance, we have seen that certain groups of people such as senior management or IT staff are excluded from the assessments, although they often pose the biggest risk of losses if their (privileged) accounts are compromised.  

Consider using automated phishing simulation tools and short automated training videos in addition to longer classroom trainings to maximise the effectiveness of the awareness program. 

Given the upcoming implementation of DORA in January 2025 and its requirements on Incident Management and Operational Resilience Testing, we believe organisations should place more focus on Incident Response Planning. This will ensure their implementation is not only in line with Swift CSP but also with DORA. If your organisation is subject to DORA, assessors are likely to start reviewing processes with a DORA mindset even before it is implemented. 

Tip: ask your CSP assessor if they have knowledge of DORA and if they can perform a light DORA review of these processes to give you an idea of whether you would be DORA-compliant. 

On top of performing the CSP assessment, BDO can advise you on all of the above-mentioned issues and assist you with their implementation. 

Frequently asked questions

We get many questions from our clients and prospects regarding the scope and depth of the assessment, timelines and compliance. In the dropdowns below, we answer the most common questions. 

A cyber security audit is a review of an organisation’s cyber security policies, procedures and technology, following auditing standards as imposed by the Institute of Internal Auditors, for example. The goal is to ensure compliance with specific regulations and/or internal policies by looking back at a certain period of time and verifying the operating effectiveness of the controls. 

In contrast, a cyber security assessment is a more high-level review of an organisation’s cybersecurity posture to identify potential risks and areas for improvement. As an assessment does not need to follow strict testing and reporting requirements, unlike an audit, the cost is often lower. 

Swift recommends conducting an assessment instead of an audit to reduce the cost and workload for internal staff, while ensuring that the quality of the assessment is maintained and focused on the evaluation and review of security controls, with less emphasis on scoping, risk assessments and reporting. 

The assessment in 2024 can potentially rely on control(s) conclusions from 2023, if four conditions are fulfilled for each control:

  • Last year’s assessment was performed against last year’s version of the CSCF (or more recent) 
  • Last year’s assessment was not itself reliant on the year before or on an external assurance report* 
  • The new CSCF version does not materially affect the implementation 
  • The control design and implementation and Swift user environment have not materially changed 

*Note that you can rely on Third Party Assurance reports such as SOC2, ISAE3000, PCI-DSS 4.0 or ISO27K, as long as the scope of the report covers the Swift CSP controls and the timing of the report is recent enough – the period covered by the report must end no more than 18 months before the attestation is submitted (e.g. an attestation submitted on 24/12/2024 can still rely on a SOC2 Type II report for the period ending 30/06/2023). An example of the assessment to be made for an individual control is shown in the following image (for an attestation against v2023): 

© by Swift 2023


Users are required to confirm their compliance with the mandatory security controls between July 1 and December 31 of each year (whether fully compliant or not!). New joiners or BICs must complete their attestation before accessing the Swift network. 

The KYC Security Attestation application (KYC-SA) is used to submit security attestations. Swift releases the new version of the controls each year in early July, and these controls are then attested against between July and December of the next year. © by Swift 2023

We strongly urge all Swift users to implement and ensure compliance with the CSP controls as soon as possible. The CSP controls establish a baseline for security hygiene and should be within the capability of each organisation that processes financial transactions. Failing to implement CSP controls puts the organisation at an increased risk of cyber attacks, which can result in severe financial and operational losses and reputational impacts. 

Nevertheless, if you submit a non-compliant attestation, you will not be kicked out of the Swift network. Your non-compliance status will, however, be listed in the KYC-SA directory for your counterparties to see, and Swift will communicate your non-compliance to your financial supervisory authority.  

Swift does ask each user to submit an attestation, even if it is non-compliant. Failure to do so is in breach of your contractual obligations according to the Customer Security Programme (CSP) Policy and Swift Terms and Conditions. 

The typical scope of the CSP is the secure zone, the underlying infrastructure (network security such as firewalls, IPS etc.) and the middleware and file transfer servers. The back office and the connection to the Swift network are typically not within the scope of the CSP. Note that the former will change in the near future, as control 2.4A will become mandatory in the coming years. 

Each control has its specific in-scope components that are well-defined in the controls framework. Review this together with your assessor to ensure mutual agreement on the scope of the assessment and to better prepare your staff. 

© by Swift 2023


In this case, you will most likely be architecture type A4 or B. Depending on the depth of outsourcing, the responsibilities will be split between you and the third party providing your services (the outsourcing agent). 

The visual below illustrates typical differences in architecture, ranging from managed fully in-house to fully outsourced. In the end, your architecture type determines the CSP controls in scope, but all responsibility for the assessment remains with you: you must obtain assurance on the compliance of your third parties. 

© by Swift 2023


Swift has a Knowledge Centre that you can use to find relevant articles, frequently asked questions and general information on Swift products and services. Furthermore, via SwiftSmart, Swift also offers e-learning courses specifically on the Swift CSP. Some useful links: 

Our staff includes Swift Certified Assessors in the subject area: CSP Assessments.