Compliance with SWIFT Customer Security Programme (CSP) requirements

Protection against cyber attacks and maintaining adequate internal controls in the IT area

With the dynamic development of new technologies, the financial sector is becoming particularly vulnerable to losses caused by cyber attacks. Cybercrime in the financial sector has steadily increased in recent years, with cyberattacks increasingly targeting financial messaging systems such as SWIFT.

Supporting its participants in the fight against cyber attacks, SWIFT has established the SWIFT Customer Security Programme (SWIFT CSP) comprising a set of controls to strengthen system security and fight against cyber threat. The implementation of these controls is mandatory for all participants.

Mazars assists SWIFT participants in ensuring compliance with SWIFT CSP requirements, including securing local SWIFT infrastructure and maintaining an appropriate control environment, by conducting an independent external evaluation.

What is the SWIFT Customer Security Programme (CSP)? Principles and requirements

The Customer Security Programme (CSP) has been designed to help users secure their local environments and, in turn, the SWIFT community at large.

SWIFT Customer Security Controls Framework (SWIFT CSCF)

As part of the program, SWIFT has developed a set of mandatory security controls, the SWIFT Customer Security Controls Framework (SWIFT CSCF), which is revised annually.

The CSCF consists of mandatory and advisory security controls. Mandatory controls establish a general security baseline for the SWIFT community and must be implemented in the local SWIFT infrastructure by all users. The advisory controls are based on security best practices and SWIFT recommends that users apply them where applicable. The list of mandatory and advisory controls is regularly reviewed in light of the changing environment and potential risks.

Annual compliance assessment - a new requirement for independent assessment

Under CSP policy, SWIFT users are required to submit their CSCF compliance attestation annually by December 31 each year. Until 2020, users assessed compliance with the CSCF through self-assessment.

In 2020, SWIFT introduced a requirement to assess the compliance attestation through an independent assessment, which remained optional until the end of 2020. 

As of 2021, the requirement to conduct an independent assessment (Community Standard Assessment) is mandatory for all users. The independent assessment should be carried out in the form of:   

  • an external assessment conducted by an independent third-party organisation, such as Mazars, that has experience in cybersecurity assessments; or
  • an internal assessment conducted by the user's second or third line of defence (such as a compliance, risk management or internal audit function).

Regardless of the form of independent assessment, SWIFT requires that all assessors selected to conduct the CSCF assessment be qualified and independent. Every individual assigned to the assessment should hold at least one industry-relevant professional certification in information security.

In many cases, these requirements rule out an internal assessment. Mazars therefore offers to carry out an independent external assessment through its experts, who hold the qualifications and certifications required by SWIFT.

What are the consequences of non-compliance?

Failure to perform a compliance assessment, or publication of an outdated attestation, may be reported by SWIFT to the user's supervisors.

How can we help?

  • Independent assessment of compliance with the CSCF: verification of the control environment against the SWIFT Customer Security Controls Framework and preparation of a formal report confirming the compliance of each control, with documentation of observed implementation gaps as required by SWIFT.
  • Gap analysis: a review of the control environment and processes against the requirements of the SWIFT CSP and identification of areas of non-compliance (implementation gaps).
  • Development of a gap-closing plan: an action plan to address the gaps identified against SWIFT CSCF requirements.
  • Support in implementing gap-closing actions: guidance on the actions, procedures and workflows required to address each gap.
  • Additional services in the SWIFT CSP area: assessment of the infrastructure's vulnerability to attack, including penetration testing.
