Ivan Spiteri
Do CSP controls only apply to local SWIFT hardware?
No. Organisations with an indirect link to the SWIFT network also need to comply with the controls. The components in scope are documented in the CSCF within each control. For example, regular computers used by employees of the Treasury department (to access Alliance Lite2 GUI, for instance) are also in scope, as these are the General Purpose Operator PCs (GPOPC).
We are already ISO 27001 or PCI-DSS certified. Can we refer to our certification and avoid a CSP assessment?
No. However, having a certification such as ISO 27001 means your organization is mature in terms of its internal control framework and its documentation, which will greatly facilitate the assessment. Policies and procedures will likely already be in place, and your employees will know what it’s like to be audited and what we, as assessors, will ask as evidence of the implementation of controls. In rare cases, a compliance analysis could be conducted, which would entail performing a mapping exercise between the SWIFT framework and the certification you have. However, it is likely that gaps between both will still exist, meaning that the CSP assessment will need to take place for the remaining controls.
If I outsource my SWIFT connection or the hosting of my SWIFT components, does that have an impact on my architecture type?
Outsourcing the connection or hosting of SWIFT components to a third party does not change your architecture type. For instance, if you use a SaaS Treasury Management System (TMS), you are still responsible for the security of your own enterprise network and the connection to the SaaS TMS. Although you do not own the hardware, you are responsible for its security in the eyes of SWIFT. Therefore, you will need to ascertain that your supplier is CSP compliant, or even review their CSP security controls yourself.
What happens in cases of non-compliance with the SWIFT CSP?
SWIFT reserves the right to report member organizations who have not attested compliance both to the supervisory/regulatory entities and to the entities with which the non-compliant member is transacting. As such, non-compliance can result in hefty regulatory fines as well as loss of business.
Do I need a cyber security audit or assessment?
A cyber security audit is a review of an organisation’s cyber security policies, procedures and technology, following auditing standards as imposed by the Institute of Internal Auditors, for example. The goal is to ensure compliance with specific regulations and/or internal policies by looking back at a certain period of time and verifying the operating effectiveness of the controls.
In contrast, a cyber security assessment is a more high-level review of an organisation’s cybersecurity posture to identify potential risks and areas for improvement. As an assessment does not need to follow strict testing and reporting requirements, unlike an audit, the cost is often lower.
Swift recommends conducting an assessment instead of an audit to reduce the cost and workload for internal staff, while ensuring that the quality of the assessment is maintained and that it stays focused on the evaluation and review of the security controls, with less emphasis on scoping, risk assessments and reporting.
Can I rely on a previous assessment (“delta assessment”)?
The assessment in 2024 can potentially rely on an assessment performed in 2023, if four conditions are fulfilled for each control:
- Last year’s assessment was performed against last year’s version of the CSCF (or more recent)
- Last year’s assessment was not itself reliant on the year before or on an external assurance report *
- The new CSCF version does not materially affect the implementation
- The control design and implementation and Swift user environment have not materially changed
* Note that you can rely on Third Party Assurance reports such as SOC2, ISAE3000, PCI-DSS 4.0 or ISO 27001, as long as the scope of the report covers the Swift CSP controls and the timing of the report is recent enough: the period covered by the report must end no more than 18 months before the attestation is submitted (e.g. an attestation submitted on 24/12/2024 can still rely on a SOC2 Type II report for the period ending 30/06/2023).
What is the deadline for submitting my compliance to Swift?
Users are required to confirm their compliance with the mandatory security controls between 1 July and 31 December of each year (whether fully compliant or not!). New joiners or BICs must complete their attestation before accessing the Swift network. The KYC Security Attestation application (KYC-SA) is used to submit security attestations. Swift releases the new version of the controls each year in early July, and these controls are then attested against between July and December the next year.
What happens if I am not compliant with a certain control?
We strongly urge all Swift users to implement and ensure compliance with the CSP controls as soon as possible. The CSP controls establish a baseline for security hygiene and should be within the capability of each organisation that processes financial transactions. Failing to implement CSP controls puts the organisation at an increased risk of cyber attacks, which can result in severe financial and operational losses and reputational impacts.
Nevertheless, if you submit a non-compliant attestation, you will not be removed from the Swift network. Your non-compliance status will, however, be listed in the KYC-SA directory for your counterparties to see, and Swift will communicate your non-compliance to your financial supervisory authority. Swift does require each user to submit an attestation, even if it is non-compliant. Failure to do so is a breach of your contractual obligations under the Customer Security Programme (CSP) policy and the Swift Terms and Conditions.
What does the scope of CSP cover?
The typical scope of CSP is the secure zone, the underlying infrastructure (network security components such as firewalls, IPS, etc.) and the middleware and file transfer servers. The back office and the connection to the Swift network are typically not within the scope of the CSP. Note that the latter will change in the near future, as control 2.4A will become mandatory in the coming years. Each control has its own specific in-scope components, which are well defined in the controls framework. Review this together with your assessor to ensure mutual agreement on the scope of the assessment and to better prepare your staff.
Most of my Swift infrastructure is outsourced – what are my responsibilities?
In this case, you will most likely be architecture type A4 or B. Depending on the depth of outsourcing, the responsibilities will be split between you and the third party providing your services (the outsourcing agent). In the end, your architecture type determines the CSP controls in scope, but all responsibility for the assessment remains with you: you must obtain assurance on the compliance of your third parties.