The SWIFT Customer Security Controls Framework (CSCF) consists of both mandatory and advisory security controls for users in the SWIFT community. The controls will evolve over time to combat new and emerging threats and implement new safeguards to reduce cybersecurity risk.
The SWIFT Customer Security Programme (CSP) is a framework designed to help financial institutions improve their cyber security posture. All SWIFT members must submit an annual self-attestation of compliance with the controls outlined in the framework. SWIFT conducts random inspections on its members to ensure that they have appropriate cyber security controls in place and reports any non-compliant organisations to industry regulators.
The mandatory security controls establish a security baseline for the entire community. They must be implemented by all users on their local SWIFT infrastructure. SWIFT has chosen to prioritize these mandatory controls to set a realistic goal for near-term, tangible security gains and risk reduction. The advisory controls are based on recommended practice that SWIFT recommends all users to implement. Over time, controls may change due to the evolving threat landscape, the introduction of new technologies, the evolution of security-related regulations in major jurisdictions, developments in cybersecurity practices, or user feedback.
You are making cross border transactions, so the security of your local SWIFT environment impacts the overall global financial system. The potential impact of a correspondent bank cutting ties with a local commercial bank through “de-risking” measures could mean that business goes down, and bigger players dominate the market. As part of the Customer Security Programme (CSP), every SWIFT user must submit an annual Security Attestation, showing compliance levels with the controls.
All users have to attest before the expiry date of the current controls version, confirming full compliance with the mandatory security controls no later than 31st December, and must re-attest at least annually thereafter. Re-attestation has to be done between July and December each year. New joiners need to attest before going live on the SWIFT network. Security Attestations have to be submitted via the KYC-Security Attestation application (KYC-SA). A new version of the controls becomes available in the application each year in early July. A detailed description of the security attestation process and requirements is available in the SWIFT Customer Security Controls Policy.
SWIFT reserves the right to report users that have not attested compliance with all mandatory security controls (or that connect through a non-compliant service provider) to their local supervisors.
You are in breach of the policy if:
Cybercriminals are deploying increasingly sophisticated means of circumventing individual controls within organisations local SWIFT environments and probed further into their systems to execute well-planned and finely orchestrated attacks. The determination, patience and cunning the attackers are demonstrating makes it more imperative now more than ever that customers rapidly deploy and maintain all basic cyber hygiene tools and measures, comprehensively adhere to recommended security controls, and incorporate all the elements set out in SWIFT’s Customer Security Programme in their local SWIFT environments and extend these security control requirements to the general IT enterprise.
We are listed in the Directory of CSP assessment providers. We use our collective experience in cyber defense and in-depth knowledge of the SWIFT Customer Security Controls Framework to contribute to evaluating the risks drivers associated with the SWIFT controls. Our battle-tested SWIFT CSP assessors will guide and assist you in the remediation of non-conformities discovered during the assessment. They will work with you to perform a cybersecurity assessment of your SWIFT-related environment by reviewing, scoping and conducting a gap analysis leading to self-attestation of compliance with the SWIFT Customer Security Controls Framework. These control mechanisms must be of the same level in the entire end-to-end chain of the transaction lifecycle as any vulnerability in your SWIFT network and application infrastructure will be the weakest link in the security implementation framework.
🇬🇭 +233 (0) 243 335 025
🇬🇭 +233 (0) 550 036 535
🇳🇬 +234 (0) 9031 734093 ()
2nd Norla Street, North Labone, Accra Ghana
All rights reserved 2023