The financial sector remains one of the main targets of cyber attacks. According to one analysis of 200 banks polled, four out of five have sustained at least one SWIFT fraud attempt since 2016, and the total damage due to SWIFT payment fraud was at least US$ 380 million. In addition, two-thirds of the banks reported that SWIFT-related cybercrime has been on the rise since 2016. Financial institutions and their specialists are therefore under pressure to plan and implement the steps needed for compliance. In this blog, you will learn about the key changes in the 2021 version of the SWIFT Customer Security Controls Framework (CSCF).
The following changes in the SWIFT CSCF v2021 must be taken on board:
New mandatory control 1.4 – restricting Internet access (this item was previously part of control 1.1)
Newly introduced architecture type A4 to distinguish SWIFT connectors from customer-owned connectors (some existing B or A3 architectures could become A4)
Introduction of the independent assessment
The SWIFT CSCF v2021 assessment comprises a maximum of 22 mandatory and nine advisory controls, each with extensive implementation guidelines. The number of controls that apply is dictated by the architecture type, which in turn depends on how a SWIFT member connects to the SWIFT network. SWIFT differentiates between five possible architecture types (types A1 to A4 and type B): all 31 controls (22 of them mandatory) are in scope for architecture types A1 and A2, whereas only a subset of 22 controls (14 of them mandatory) is in scope for architecture type B.
The CSCF v2021 simply promotes the previous year's advisory control 1.4 to a mandatory control. In practice, however, this control was already part of mandatory control 1.1, which has been in place since the very first version of the CSCF. As a result, clients who have already followed the CSCF v2020 should face little or no additional burden from the controls in the CSCF v2021, because the CSCF v2021 mainly consists of clarifications to the scope of existing controls. Here is an overview:
Table 1: Number of controls per type of architecture
The CSCF v2021 introduced a new architecture type A4 to distinguish SWIFT members that use SWIFT connectors (A3) from members that use customer-owned connectors (the new A4). Because the scope has been expanded to treat middleware/MQ servers and file transfer solutions as customer-owned connectors, some existing B or A3 architectures could become A4.
The following example illustrates in a schematic way the architecture type A4 with the integration of commercially available customer connectors such as file transfer solutions or middleware/MQ servers:
Diagram 1: Architecture A4 – middleware/file transfer as a connector (source: SWIFT)
The following example illustrates in a schematic way the architecture type A4 with the integration of customer API connectors developed in-house:
Diagram 2: Architecture A4 – customer (home-made API) connector (source: SWIFT)
Due to COVID-19, in mid-2020 SWIFT decided to revert from the CSCF v2020 to the previous year's 2019 version and to suspend the independent assessment. The independent assessment is now being introduced in 2021.
Self-assessment is therefore no longer permitted for this year's attestation, which must be carried out between July and December 2021. Instead, what is known as an independent community standard assessment must be carried out; this is illustrated in the following diagram.
Diagram 3: https://www.swift.com/ja/node/300801
To carry out an independent assessment, you have the following two options:
Qualified assessors must have recent (within the last twelve months) and relevant experience in performing cyber security-focused assessments against an industry standard such as PCI DSS, ISO/IEC 27001 or the NIST Cyber Security Framework. In addition, assessors must be independent as defined by the Institute of Internal Auditors (IIA), and at least the lead assessor must hold an industry-related professional certification (e.g. CISSP, CISA, CISM, ISO/IEC 27001 Lead Auditor or QSA). When assessing a user's security compliance, assessors must apply a risk-based approach: a control may be implemented either in accordance with the implementation guidelines documented by SWIFT, or through an alternative implementation that addresses the risk drivers, covers the relevant in-scope components and meets the specified control objective.
If a SWIFT member does not carry out the independent assessment, or if its results are unsatisfactory, SWIFT reserves the right to report this to the local supervisory authorities or to other SWIFT members (counterparties), since ultimately the "weakest link" puts the entire network at risk. For the sake of completeness, it should also be mentioned that the SWIFT-mandated assessment (an audit initiated by SWIFT) still exists and must be carried out by an external party.
Get the assessment done early, so that you have time to remediate any non-compliance before the end of the year. Do you know the current status of your compliance? Do you need support in interpreting and implementing the required measures? Are you looking for a qualified external service provider to carry out the assessment in your company?
InfoGuard provides SWIFT CSP assessment and cyber security services and can carry out the compliance assessment needed for the required attestation. We are available to assist you with implementing the SWIFT CSCF controls or to assess your implementation of the SWIFT CSP. Our SWIFT assessment gives you a comprehensive overview of your current status, together with recommended measures for achieving CSCF v2021 compliance. You can find more information and a contact form here: