What is the SWIFT Customer Security Programme (CSP)?
In 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established a Customer Security Programme (CSP) introducing the Customer Security Controls Framework (CSCF). The Program aims to drive transparency and improve the security posture across the global financial community. The SWIFT community consists of over 11,000 institutions worldwide – all of which are required to annually attest to the current CSCF. The CSP focuses on three mutually reinforcing areas:
While all institutions are responsible for protecting their own environment, SWIFT’s CSP mission is to support the global financial community in the fight against cyber-attacks.
Why is Compliance with SWIFT Important?
The SWIFT system handles almost every international money and securities transfer in the world. It is a vast messaging network used by banks and other financial institutions to quickly, accurately, and securely send and receive money transfer-related information, processing over 33 million transactions per day.
SWIFT is a member-owned cooperative that provides safe and secure financial transactions for its members. Its membership consists of more than 11,000 institutions in over 200 countries. Almost all forms of financial institutions, from banks to securities dealers to asset management companies, use one or more SWIFT services in some way.
Starting in 2021, SWIFT institutions are required to self-attest against the CSCF v2021, which comprises 3 overarching objectives, 8 principles, and a maximum of 31 controls, with comprehensive implementation guidelines by architecture type. In addition, all institutions are required to perform an independent assessment to demonstrate their compliance with SWIFT CSCF v2021.
Who can perform an Independent Assessment?
Independent assessments are mandatory and can be conducted by:
- Internal (independent) Assessors: 2nd or 3rd lines of defense (compliance, risk management, or internal audit), i.e., anyone who does not report to the CISO.
- External Assessors: independent auditors or CSP assessment providers, like Elevate, with cybersecurity assessment experience and teams of SWIFT-certified security professionals. External Assessors must be selected from the directory of CSP assessment providers.
- Mixed Team: a team composed of both internal and external assessors is also an option.
The requirement is for an assessment, not an audit, so ensure your independent assessor is not charging you excessive audit fees. Contact Us for a reasonable quote on an independent assessment fee or find us on the SWIFT directory of CSP assessment providers.
What are the factors for compliance complexity?
The current v2021 CSCF has a maximum of 31 controls (22 mandatory and 9 advisory). The total number of controls is determined by the “SWIFT architecture type”, defined by how SWIFT members connect to the SWIFT network.
Business Identifier Code (BIC), previously Bank Identifier Code
The general assumption is that there is always one (and only one) BIC that owns the license of the messaging and communication interface software. In the rare case where no BIC can be identified as owner of the messaging interface, SWIFT recommends that the user who owns (or operates) the communication interface self-attests as architecture type A1 while the other BICs attest as A2.
How Can We Help?
Elevate has deep expertise in cybersecurity, privacy, and IT compliance. With over a decade of experience providing IT audits and compliance services for our banking and financial clients, we understand the unique and ever-evolving challenges and threats financial service firms face. Our team of security, privacy, and IT auditors specializes in providing our clients with independent, valued assessment of control design, implementation, and operating effectiveness across your compliance framework. We work with you every step of the way to ensure a successful attestation for CSP v2021.
Your attestation readiness starts with proper planning. First, we meet with your team to understand your architecture type and the applicability of each control to your operating environment. Our comprehensive review of your security posture is mapped directly to the CSCF v2021 requirements. Your compliance plan is based on your operating environment's needs and is designed to achieve and maintain CSCF v2021 compliance.
SWIFT CSP Independent Assessment
Our approach to conducting an independent assessment combines our proprietary SWIFT CSCF tool with the CSCF Independent Assessment Process Guidelines for all five SWIFT architecture types. Our SWIFT process steps are designed to ensure our assessments cover the requirements needed to verify the mandatory controls, without over-simplifying or over-complicating the process.
Working with your key business and security stakeholders, we review the remediation plan to ensure all gaps and recommendations are aligned to your operating environment and meet your compliance objectives. Elevate will provide an independent assessment that is aligned with your self-attestation report.
As your partner, we provide continued support to see you through your remediation plan on time and to ensure the CSCF v2021 requirements are met. We offer our clients ongoing training, SWIFT updates, and industry thought leadership to ensure your team remains informed as SWIFT continues to evolve its program.
“SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory”