Infoguard Cyber Security Newsletter: SWIFT change to v2023

SWIFT CSCF v2023 – New Changes for Enhanced Cyber Security

The motto of the SWIFT Customer Security Programme (CSP) has changed from “raising the bar on cybersecurity” to “maintaining the right level of cybersecurity hygiene”. As every year, the Customer Security Controls Framework (CSCF) once again brings changes that affected financial companies would be well advised to address sooner rather than later. This article sets out what these changes are and how you can prepare for them.

The financial sector remains one of the most attractive targets for cyber criminals, which is why compliance requirements are (thankfully!) constantly being adapted. Accordingly, version 2023 of the SWIFT Customer Security Control Framework (CSCF) again involves some changes.

In summary: first, there is a new mandatory control 1.5 (only for architecture type A4 “Middleware/File Transfer Server as Connector”); second, the differences between the various architecture types have been documented more clearly. For the other architecture types (i.e. all except A4) there are no new controls, but some existing controls have been adapted slightly in terms of content. An excerpt:

  • The requirement to control systems’ connections (e.g. USB connections) has been moved from control 3.1 (Physical Security) to control 2.3 (System Hardening).
  • Control 2.2 (Security Updates) aligns the vulnerability remediation timeframes with common standards for security patching, also taking regular update deliveries into account.
  • Control 6.1 (Malware Protection) specifically mentions, as an optional enhancement, considering all general operator PCs, not only the Windows-based ones.

There have also been some changes to the Independent Assessment Framework, which are discussed in more detail below.

CSCF v2023: What needs to be borne in mind?

The following changes to SWIFT CSCF v2023 need to be taken into account:

Architecture type A4

  • New mandatory control 1.5: Customer Environment Protection (equivalent to control 1.1, which is mandatory for the other A* architecture types).
  • Further specification of architecture type A4 compared to type B: the emphasis is that the distinction lies in the type of endpoint (server or client).

Back-office systems (e.g. core banking system, ERP system):

  • It is pointed out that adequate protection of back-office systems (e.g. core banking system, ERP system), which are responsible for generating transactions, is strongly recommended. This is becoming increasingly important with the growing use of APIs.

New mandatory control 1.5 (Customer Environment Protection) – for architecture type A4

Following the introduction of customer connectors and architecture type A4 (by splitting architecture A3) in SWIFT CSCF v2021, control 1.5 (Customer Environment Protection) is now mandatory to bring architecture A4 in line with A3 and protect all connectors equally.

Distinction between architecture types A3, A4 and B

The architectural drawings have been revised and expanded to clarify the division between the different A3, A4 and B architectures.

Architecture type A3
  • SWIFT connectors, e.g.: Lite 2 AutoClient, SIL – Alliance Cloud, SIL – CFS, SIL – gpi connector, SWIFT API connector, SWIFT Microgateway

[Figure: Architecture type A3]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Architecture type A4
  • Customer connectors, e.g. middleware server (e.g. MQ Server, Kafka)
  • File Transfer Server (SFTP Server)
  • Customer API connectors (internally developed application that uses the API specifications or integrates the Swift SDK)

[Figure: Architecture type A4]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

[Figure: CSCF v2023 compared to v2022]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Architecture type B

  • Users only access SWIFT messaging services via a GUI application at the service provider (user-to-application).
  • A user’s back-office applications (core banking system, ERP system) communicate directly with the service provider (application-to-application) using APIs from the service provider, a middleware client (e.g. an MQ, Kafka or Solace client/broker) or a secure file transfer client without connecting directly to SWIFT or independently transmitting business transactions.

[Figure: Architecture type B]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Update of Independent Assessment Framework – removal of Delta Assessment

The Delta Assessment, as it was known last year, has been completely withdrawn by SWIFT. All controls must be (re)assessed at each assessment. However, it is still possible to rely on the assessment of individual control(s) from the previous year’s independent assessment (whether internal, external, mixed or SWIFT-mandated). Either way, the annual attestation must be supported by an independent assessment, whether or not that attestation is based in part or in full on a previous assessment.

SWIFT has developed a new mandatory assessment report template, to be completed by the assessor in addition to the familiar assessor templates, so that the chosen testing approach is documented more easily.

SWIFT Assessment – are you ready for compliance v2023?

Be prepared to address any non-compliance issues in good time before the end of 2023 with our SWIFT Compliance Assessment. We offer comprehensive cyber security services and support in assessing SWIFT customer security programmes. Our SWIFT Assessment provides you with an evaluation of your current state and clear recommendations for v2023 compliance. Secure your SWIFT transactions and stay compliant in the ever-changing financial world!

About the author: Cornelia Bucher, Senior Cyber Security Consultant, InfoGuard AG