SWIFT CSCF v2025 Increases the Pressure: Only Cyberresilient is Compliant

Author: Markus Limacher
Published: 08 April 2025
The introduction of the SWIFT framework "SWIFT CSCF v2025" brings significant changes for banks and financial institutions subject to compliance obligations. The stabilised SWIFT requirements focus on security, cyber resilience and compliance. As with any update, good preparation is half the battle. Those who start early gain more flexibility in planning their implementation.


SWIFT rules currently without new obligations, but Control 2.4A is approaching

The good news first: with SWIFT CSCF v2025, the SWIFT Customer Security Controls Framework v2025, the scope remains stable. No new controls are introduced and no additional system components are brought into scope, so the security standards remain at the same level as in 2024.

Control 2.4A does not become mandatory until 2026. Nevertheless, SWIFT recommends identifying the affected data flows at an early stage and classifying them from a security perspective. This will be particularly relevant for organizations of architecture type B, as the definition of "customer-client connectors" will be expanded in the future to include client endpoints.

Compliance reporting under pressure: SWIFT CSCF v2025 expands the obligation to provide evidence

A key change in CSCF version 2025 is the emphasis on regular internal and external audits.

SWIFT requires its participants to provide ongoing proof that they meet all security and compliance requirements. Control 1.3 requires more than an annual audit. Depending on the risk situation, audits may also be required during the year to demonstrate ongoing compliance.

Audit results from previous years can be partially reused, provided they are still relevant and no significant changes have been made to the IT architecture or security protocols (Control 1.3). The assessment remains evidence-based in CSCF v2025.

Mandatory penetration testing: those who test regularly are secure

With the increasing threat of cyber attacks, CSCF v2025 places a clear focus on reviewing and adapting security protocols. Penetration tests (Control 5.2) are a mandatory part of the audit in order to specifically test the resilience of the systems. Institutions are required to regularly test, document and, where necessary, adapt all cyber security controls - not selectively, but as an integral part of a sustainable security strategy.

Focus on security awareness: test, pass and prove

In addition to the technical and operational checks, employee training (Control 2.1, Mandatory Security Awareness Program) also plays a crucial role. Regular training and refresher courses on the latest security standards and compliance requirements are mandatory. Financial institutions must ensure that all relevant training is documented and the results tracked.

Promoted controls: strengthening security measures

Although no new mandatory controls have been introduced, there is a greater focus on "promoted controls". These include:

  • Centralized security policies: Financial institutions must develop consistent policies across all business lines to ensure a coherent security strategy. (Control 1.1, Governance Framework, overarching governance framework for security measures)
  • Risk-based access controls: Only authorized persons should have access to critical systems and data. These accesses must be regularly reviewed and adjusted based on the specific risks. (Control 4.1, User Access Management, access controls to sensitive SWIFT environments)
  • Monitoring and reporting: Institutions are required to implement real-time monitoring mechanisms to quickly detect and report security incidents. (Control 6.4, Logging and Monitoring, security-related events are monitored and logged in real time)
  • Regular security checks: Security measures should be evaluated at least annually, with external service providers also being reviewed. (Control 5.1, Vulnerability Scanning, regular vulnerability scans and reviews of security measures including third-party providers)

Compliance without complete evidence? Unthinkable.

The improved reporting requirements of CSCF v2025 demand detailed reports from institutions on their compliance and security measures. Particular emphasis is placed on transparency, both towards internal stakeholders and supervisory authorities (Control 1.3, Independent Assessment, reports on compliance with security requirements to SWIFT and relevant authorities).

Financial institutions are expected to have access to relevant data at all times to demonstrate compliance with the standards.

v2025 focuses on audit depth and cyber resilience

Even if CSCF v2025 does not introduce any new mandatory controls, the requirements for audit depth, verifiability and cyber resilience are increasing significantly. The increased focus on cyber security and transparency promotes a proactive security culture. The consideration of audit results from previous years offers an opportunity to reduce the effort required, provided the security situation has remained stable.

Financial institutions that invest now in clarity, structure and early indicators not only ensure audit security, but also efficiency in implementation.

Act now, pass later - we support your CSCF implementation

Act now - InfoGuard is your reliable partner on the road to SWIFT Compliance 2025. Our SWIFT Compliance Assessment provides you with a sound analysis of your current security situation. What's more, our independent SWIFT Advisory Service complements the SWIFT Compliance Assessment with specific recommendations and targeted support in implementing the CSCF requirements.
