The financial sector remains one of the most attractive targets for cyber criminals, which is why compliance requirements are (thankfully!) constantly being adapted. Accordingly, version 2023 of the SWIFT Customer Security Control Framework (CSCF) again involves some changes.
In summary: first, there is a new mandatory control 1.5 (only for architecture type A4, “Middleware/File Transfer Server as Connector”); second, the differences between the various architecture types are now better documented. No new controls have been introduced for the other architecture types (A4 aside), but some existing controls have been slightly adapted in terms of content. An excerpt:
There have also been some changes to the Independent Assessment Framework, which are discussed in more detail below.
The following changes to SWIFT CSCF v2023 need to be taken into account:
Architecture type A4
(Figure: back-office systems, e.g. core banking system, ERP system)
Following the introduction of customer connectors and of architecture type A4 (by splitting architecture type A3) in SWIFT CSCF v2021, control 1.5 (Customer Environment Protection) is now mandatory for A4 as well. This brings A4 in line with A3, so that all connectors are protected equally.
The architectural drawings have been revised and expanded to clarify the division between the different A3, A4 and B architectures.
Architecture type A3
Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)
Architecture type A4
Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)
Architecture type B
Source: SWIFT Customer Security Controls Framework v2023, Customer Security Programme (Version 01.07.2022)
The Delta Assessment, as it was known last year, has been withdrawn by SWIFT entirely. All controls must be (re)assessed at each assessment. However, it is still possible to rely on the results for individual controls from the previous year’s independent assessment (whether internal, external, mixed or SWIFT-mandated). Either way, the annual attestation must be supported by an independent assessment, regardless of whether that attestation is based in part or in full on a previous assessment.
SWIFT has also introduced a new mandatory assessment report template, to be completed by the assessor in addition to the familiar assessor templates, so that the chosen testing approach is documented more easily and consistently.
Be prepared to address any non-compliance issues in good time before the end of 2023 with our SWIFT Compliance Assessment. We offer comprehensive cyber security services and support in assessing SWIFT customer security programmes. Our comprehensive SWIFT Assessment provides you with an evaluation of your current state and clear recommendations for v2023 compliance. Secure your SWIFT transactions and stay compliant in the ever-changing financial world!