SWIFT CSCF v2023 – New Changes for Enhanced Cyber Security

Author: Cornelia Bucher
Published: 10 August 2023
The SWIFT Customer Security Programme (CSP) motto has been changed to “maintaining the right level of cybersecurity hygiene”, replacing the previous “raising the bar on cybersecurity”. As every year, the Customer Security Controls Framework (CSCF) again brings changes that affected financial companies would be well advised to address sooner rather than later. This article sets out what these changes are and how you can prepare for them.

The financial sector remains one of the most attractive targets for cyber criminals, which is why compliance requirements are (thankfully!) constantly being adapted. Accordingly, version 2023 of the SWIFT Customer Security Control Framework (CSCF) again involves some changes.

In summary: first, there is a new mandatory control 1.5 (only for architecture type A4 “Middleware/File Transfer Server as Connector”); second, the differences between the various architecture types have been documented more clearly. No new controls have been introduced for the other architectures (only for A4), but some existing controls have been adapted slightly in content. An excerpt:

  • The requirement to control systems’ connections (e.g. USB connections) has been moved from control 3.1 (Physical Security) to control 2.3 (System Hardening).
  • Control 2.2 (Security Updates) aligns the vulnerability remediation timeframes with common standards for security patching, also taking regular update deliveries into account.
  • Control 6.1 (Malware Protection) specifically mentions, as an optional enhancement, considering all general-purpose operator PCs, not only the Windows-based ones.

There have also been some changes to the Independent Assessment Framework, which are discussed in more detail below.

CSCF v2023: What needs to be borne in mind?

The following changes to SWIFT CSCF v2023 need to be taken into account:

Architecture type A4

  • New mandatory control 1.5: Customer Environment Protection (equivalent to control 1.1, which is mandatory for the other A* architecture types).
  • Further specification of A4 architecture type compared to type B: emphasis that the distinction lies in the type of endpoint (server or client).

Back-office systems (e.g. core banking system, ERP system):

  • It is pointed out that adequate protection of back-office systems (e.g. core banking system, ERP system), which are responsible for generating transactions, is strongly recommended. This is becoming increasingly important with the growing use of APIs.


New mandatory control 1.5 (Customer Environment Protection) – for architecture type A4

Following the introduction of customer connectors and architecture type A4 (by splitting architecture A3) in SWIFT CSCF v2021, control 1.5 (Customer Environment Protection) is now mandatory to bring architecture A4 in line with A3 and protect all connectors equally.

Distinction between architecture types A3, A4 and B

The architectural drawings have been revised and expanded to clarify the division between the different A3, A4 and B architectures.

Architecture type A3

  • SWIFT connectors, e.g.: Lite 2 AutoClient, SIL – Alliance Cloud, SIL – CFS, SIL – gpi connector, SWIFT API connector, SWIFT Microgateway

[Figure: Architecture type A3]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Architecture type A4

  • Customer connectors, e.g. middleware server (e.g. MQ Server, Kafka)
  • File Transfer Server (SFTP Server)
  • Customer API connectors (internally developed application that uses the API specifications or integrates the Swift SDK)

[Figure: Architecture type A4]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

[Figure: CSCF v2023 compared to v2022]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Architecture type B

  • Users only access SWIFT messaging services via a GUI application at the service provider (user-to-application).
  • A user’s back-office applications (core banking system, ERP system) communicate directly with the service provider (application-to-application) using APIs from the service provider, a middleware client (e.g. an MQ, Kafka or Solace client/broker) or a secure file transfer client without connecting directly to SWIFT or independently transmitting business transactions.

[Figure: Architecture type B]

Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)

Update of Independent Assessment Framework – removal of Delta Assessment

The Delta Assessment, as it was known last year, has been completely withdrawn by SWIFT. All controls must be (re)assessed at each assessment. However, it is still possible to rely on the assessment of individual control(s) from the previous year’s independent assessment (whether internal, external, mixed or SWIFT-mandated). Either way, the annual attestation must be supported by an independent assessment, whether or not it relies on a previous assessment in part or in full.

SWIFT has developed a new mandatory assessment report template, to be completed by the assessor in addition to the familiar assessor templates, so that the chosen testing approach can be documented more easily.

SWIFT Assessment – are you ready for compliance v2023?

Be prepared to address any non-compliance issues in good time before the end of 2023 with our SWIFT Compliance Assessment. We offer comprehensive cyber security services and support in assessing SWIFT customer security programmes. Our SWIFT Assessment provides you with an evaluation of your current state and clear recommendations for v2023 compliance. Secure your SWIFT transactions and stay compliant in the ever-changing financial world!