Founded in 1973 in Belgium, SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative society whose purpose is to set standards for data exchange between financial institutions. SWIFT is owned by its members, which include some of the world's largest banks. Today, SWIFT provides a global interbank messaging network to more than 11,000 financial institutions in nearly 200 countries for use by banks, trading rooms and large corporations.
Since 2017, SWIFT has implemented the Customer Security Program designed to counter the growing risk of cyber threats that target data exchange operations between financial institutions. The CSP regularly introduces new requirements.
Starting in 2021, self-assessment of compliance with the mandatory SWIFT CSP security controls is no longer sufficient. Members must submit an independent SWIFT compliance audit by December 31 of each year in addition to the self-assessment.
SWIFT implemented the CSP in 2017 with the aim of limiting the risks associated with cyber threats, both through mandatory security controls and through the sharing of information between network members. The CSP requires that the infrastructure of entities connecting to the SWIFT network comply with the points defined in the Customer Security Controls Framework. In 2021, new requirements were introduced for compliance assessment, based on 8 security principles:
Version 2024 of the SWIFT Customer Security Controls Framework (CSCF) builds on the previous version (CSCF 2023) with a number of modifications related to the evolving security needs of the financial sector (scope adjustments, clarifications and enhancements). These adjustments reinforce the emphasis placed on protecting outsourced services and the cloud in particular.
Here is how we organize our SWIFT audits.
The various SWIFT CSP control points must be implemented by the customer. It should be noted that it is the responsibility of the entities using the SWIFT network to secure and protect their own environment. Thus, the various control points (some mandatory and some optional) must be self-assessed annually by the customer. Under the new guidelines of this standard, however, this self-assessment is no longer sufficient on its own.
With the introduction of the Independent Assessment Framework (IAF), a new independent assessment model, the self-assessment must be supplemented by an annual SWIFT audit by an independent external provider. If an organization is not in compliance with the requirements, all members of the network will be notified, which will severely limit the organization's ability to transact business and make payments over the SWIFT network.
In addition to the CSP, organizations operating a SWIFT infrastructure can use our pentest services to evaluate the actual security of all or part of their IT infrastructure against attacks.
Specialists in information security and pentest in Lyon, Paris, Saint-Etienne and throughout France