Revised Swift CSCF v2024: Focus on Third-Party Risk Management

Author
Cornelia Bucher
Published
23 July 2024

The Society for Worldwide Interbank Financial Telecommunication (Swift) is continuously developing its customer security programme (CSP) to meet new challenges. The upcoming changes to the Swift Customer Security Controls Framework (CSCF) v2024 focus on third-party risk management and reflect the increasing security and regulatory concerns in the EU area such as DORA and NIS2. Here we analyse the most important changes to the controls and their impact on you as a Swift user.

In the face of the ongoing threats posed by cyber criminals in the financial sector, compliance requirements are subject to regular revision. The aim is to secure transaction systems in a digital environment that never stands still. In line with this, version 2024 of the Swift Customer Security Controls Framework (CSCF) also introduces various new requirements.

Swift CSCF v2024: Changes to enable new control mechanisms

Swift has revised the Customer Security Programme CSP for 2024 and communicated the latest control mechanisms in the binding Swift CSCF v2024.

You need to implement the following control measures by the deadline of 31 December and have them validated by an independent body.

New mandatory control 2.8: “Outsourced Critical Activity Protection”

Swift has declared “Control 2.8 Outsourced Critical Activity Protection”, newly introduced for 2024, to be mandatory for all architecture types. This shift from optional to mandatory status emphasises the crucial role of risk management in connection with third-party providers and service providers. And not without good reason: companies all too often grant external parties extensive access, which brings with it additional risks that need to be actively identified and controlled.

In focus: Control 2.4A “Back Office Data Flow Security”

In the past, the CSCF focussed on securing the “Swift Secure Zone”, a separate zone with critical components. Swift has now extended its security efforts to the back-office system (core system), as it has identified significant risks in data exchange with back-office applications, including outdated ones.

These risks include the confidentiality and integrity of sensitive data, unauthenticated traffic and unauthorised access to data and systems. Consequently, “Control 2.4A Back Office Data Flow Security” is expected to be mandatory in the coming years.

Swift encourages its users to prepare for the implementation of this requirement.

Enhanced user-friendliness thanks to “Swift CSP v2024” updates

Further minor changes or clarifications have been made to specific CSCF controls to improve usability and understanding and assist users in implementing the controls correctly.

The most important changes are listed below:

  • Control 2.3 System Hardening: Now includes USB port protection policies and improvements to application whitelisting.
  • Control 2.9 Transaction Business Controls: Business controls can now also be performed outside the Swift Secure Zone.
  • Control 3.1 Physical Security: Contains recommendations for the disposal of devices and token security.

Other controls have been updated for clarity and consistency, including:

  • Control 5.2 Token Management
  • Control 5.4 Password Repository Protection
  • Control 6.2 Software Integrity
  • Control 7.4A Scenario-based Risk Assessment

Swift compliance by the end of the year: certifications via independent assessments

All users must have the validity of the current controls checked and confirmed annually by an independent body, with full compliance required by 31 December. New participants need to be confirmed prior to joining the Swift network.

Integration with Swiss Interbank Clearing (SIC)

In addition to the requirements of Swift CSCF v2024, the assessment can be combined with the review of your “Swiss Interbank Clearing” (SIC) network. By utilising the synergies of both assessment procedures, you avoid duplicating the effort and ensure that both networks meet the highest security standards. Whether SIC or Swift assessment, we can support you with both implementation projects; do not hesitate to contact us.

Updated Swift CSCF: the benefits behind the specifications

The launch of Swift CSCF v2024 heralds significant changes aimed at improving the security of the global financial transaction network. The new mandatory controls and enhanced recommendations provide a comprehensive framework to protect Swift users from cyber threats. By combining these measures with the SIC requirements, financial institutions can further strengthen their security situation and create a secure and reliable environment for financial transactions.

Act now and ensure that your organisation is Swift-compliant before the deadline. 31 December will come around before you know it. We at InfoGuard are happy to support you in fulfilling the requirements of Swift compliance v2024.
