May 3, 2022
Need Help Complying with SWIFT CSCF Requirements? What You Need To Know
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) platform enables financial institutions worldwide to securely send and receive financial transaction information. The SWIFT Customer Security Controls Framework (CSCF) defines Mandatory and Advisory controls for SWIFT users.
SWIFT publishes periodic updates to the CSCF controls to stay current with the evolving threat landscape, the introduction of new technologies, and changes in security-related regulations and cybersecurity practices. These updates are typically published annually.
In this blog post, we’ll highlight some of the key CSCF changes that financial institutions need to be compliant with as well as ways that Tevora can help your organization achieve compliance with these changes.
What Are the Deadlines for SWIFT CSCF Compliance?
SWIFT users must comply with the mandatory controls defined in the 2021 CSCF changes (v2021) by December 31, 2021; compliance with 2022 changes (v2022) is required by December 31, 2022.
Who Needs to Comply with SWIFT CSCF Requirements?
Banks and other financial institutions using the SWIFT platform are required to comply with mandatory CSCF controls. Third parties and vendors helping financial institutions process, store, or transmit SWIFT financial transaction information are also required to comply with these controls.
What’s Covered in the SWIFT CSCF Framework?
The SWIFT CSCF Framework is structured around three overarching objectives:
- Secure Your Environment
- Know and Limit Access
- Detect and Respond
These objectives are supported by eight principles and 31 controls, as depicted below.
Figure: CSCF Framework Overview (three objectives, eight principles, 31 controls)
What’s Changing with CSCF v2021?
In July 2020, SWIFT published CSCF v2021, which includes changes to controls and associated implementation guidelines. Key changes include:
- Requirement to perform mandatory independent assessments
- New “Architecture A4” designation
- Additional Mandatory and Advisory controls
Independent Assessment Requirement
Prior to 2020, SWIFT required users to perform an annual self-attestation of compliance with the CSCF controls applicable to their architecture type and in-scope SWIFT components. CSCF v2021 requires that the yearly attestation be supported by an independent assessment, which must be completed by December 31, 2021.
The independent assessment must be performed by:
- An independent external organization with cybersecurity assessment experience and independent assessors with relevant security industry certification(s), or
- An independent internal organization responsible for a second or third line of defense function (e.g., compliance, risk management, internal audit) or its functional equivalent. The internal organization must be independent from the first line of defense function that submitted the attestation (e.g., CISO office) or its functional equivalent.
Architecture A4 Designation
Prior to 2020, SWIFT users whose applications were connected to the SWIFT platform via connectors such as MQ server, SFTP server, or custom API endpoints were included in Architecture type B. With CSCF v2021, these users fall under the new A4 Architecture (Customer Connector) designation.
SWIFT users that access SWIFT messaging services via a Graphical User Interface (GUI) or use back-office applications to communicate with SWIFT directly using an API or middleware client may continue using the Architecture type B designation.
Additional Mandatory and Advisory Controls
Other key additions and changes to CSCF controls include:
- Control 1.4, Restriction of Internet Access, has been changed from Advisory to Mandatory. This control ensures internet access is restricted to the minimum needed to conduct business functions within the Secure Zone and with Operator PCs that interface with the SWIFT platform.
- The scope of Control 4.2, Multi-Factor Authentication (MFA), has been expanded to require MFA when accessing SWIFT-related applications and components used for transaction processing and operated by third-party service providers.
What’s Changing with CSCF v2022?
In July 2021, SWIFT published CSCF v2022, which includes promotion of one control from Advisory to Mandatory, one new Advisory control, scope extensions to two controls, and multiple minor control clarifications and changes.
Promotion of Transaction Business Controls
To reduce financial losses, SWIFT promoted Control 2.9, Transaction Business Controls, from Advisory to Mandatory.
Creation of New Customer Environment Protection Control
SWIFT created a new Advisory control, 1.5A Customer Environment Protection, to ensure protection of the “Customer Connector” and other customer-related equipment.
Scope Extension for Existing Controls
Control 6.2, Software Integrity, has been made Advisory for Architecture A4. Customer Connectors, which were introduced in v2021 as an Advisory in-scope component for multiple controls, are now considered fully in scope for these controls.
To help provide basic security hygiene for end-user devices, Control 1.2, Operating System Privileged Account Control, has been made Advisory for general-purpose operator PCs and Architecture B.
What Happens if We Can’t Meet the Deadlines for CSCF Compliance?
SWIFT publishes a list of non-compliant members and makes it available to all SWIFT members. SWIFT reserves the right to report non-compliance to relevant supervisory authorities and may also request an independent external assessment from users to verify the accuracy of their compliance attestation.
Additional resources that provide a deeper dive into SWIFT and the CSCF controls are available from SWIFT.
We Can Help
If you have questions about SWIFT CSCF requirements, or would like help bringing your organization into compliance with CSCF v2021 or v2022, our team of experienced SWIFT security experts can help. We can also perform an external assessment of your compliance with CSCF v2021 or v2022 requirements. Just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.