The Skinny on your SWIFT CSCF v2021 Independent Assessment

By Angela Polania

Following the infamous “Bangladesh Bank cyber heist” in 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established a Customer Security Programme (CSP) to enhance security and protection against cyber threats. Every year since, SWIFT has been building on its Customer Security Controls Framework (CSCF), continuously fighting against existing and emerging cyber threats.  But the fight is not over.  From self-attestation to organizing your independent assessment, here’s the skinny on what you need to keep your systems safe and in compliance for 2021.  

What you need to look out for in v2021

The CSCF v2021 has some of the largest impacts on technology systems in the banking and financial services industry, so it is essential to begin your assessment now. The CSCF v2021 is now composed of a maximum of twenty-two (22) mandatory and nine (9) advisory controls, depending on your architecture type. Moreover, self-assessment will no longer suffice. By December 31, 2021, all SWIFT institutions must have an independent assessment to support their self-assessed compliance with SWIFT CSCF v2021.

Highlights of changes in CSCF v2021 include:

  • Worth repeating: By December 31, 2021, all SWIFT institutions must have an independent assessment to support their self-assessed compliance with SWIFT CSCF v2021.
  • Two former advisory controls in v2019 and one from v2020 were promoted to mandatory in v2021: 1.3, 1.4 and 2.10
  • New architecture type A4 is included 
  • Compliance extends to third-party cloud providers
  • An emphasis on a risk-based approach
  • Vulnerability scanning is mandatory, except for Architecture B (where it is advisory)
  • Shared responsibilities illustration specific to IaaS cloud model

Independent assessments may be performed by internal or external resources, or some combination of both. Click here for more details on what qualifies as a valid independent assessor. The assessment should include a review of existing controls and their efficiency, and a confirmation that they support the customer’s compliance with the CSP control objectives. The requirement is for an assessment, not an audit, so ensure your independent assessor is not charging you excessive audit fees. Contact us for a reasonable quote on an independent assessment fee or find us on the SWIFT directory of CSP assessment providers.

The three controls promoted to mandatory aim to protect and reduce potential vulnerabilities on critical interface components as well as critical systems where virtualization is being used more frequently.

Next Steps to SWIFT CSCF v2021 Requirements

The upcoming SWIFT release’s requirements act as a catalyst for documenting the weaknesses in the structure and standards that underpin many IT systems. Often, the more extensive the organization and the longer its IT history, the bigger the challenges it faces when updating its IT systems.

As a result, organizations should take an approach that requires collaboration and strong leadership across the organization and a constant focus on improving cybersecurity controls to meet new requirements.

A few considerations for the next steps are:

  1. Assess whether your organization is prepared to perform an independent assessment in 2021.
  2. Evaluate and select your independent assessment team.
  3. Plan the independent assessment.

How Can We Help?

Elevate is listed as a CSP Assessment Provider in SWIFT’s official directory. We use our collective experience and in-depth knowledge of the CSCF to evaluate the risks associated with the SWIFT controls.

Our team will work with you to perform a gap analysis of your SWIFT-related environment and provide a view of your controls’ current and desired state. The gap analysis can include testing controls to advise on their effectiveness and help you get ready for attestation. We will help your organization navigate the factors associated with implementing CSCF to become compliant.

What is SWIFT?

The SWIFT system manages almost every international money and security transfer in the world.  The SWIFT system is a vast messaging network used by banks and other financial institutions to quickly, accurately, and securely send and receive money transfer-related information.  The system processes over 33 million transactions per day through its network.  

SWIFT is a member-owned cooperative that provides safe and secure financial transactions for its members. SWIFT membership consists of more than 11,000 institutions in over 200 countries. Almost all forms of financial institutions, from banks to security dealers to asset management companies, use one or more SWIFT services in some way.