Under their Customer Security Programme (CSP), SWIFT have updated the required client standards and published their Customer Security Controls Framework (CSCF) v2024 requirements. This article sets out a summary of what these are and how you can prepare for them.

The financial sector remains one of the most attractive targets for cyber criminals, which is why compliance requirements are constantly being adapted. As such, every year SWIFT releases an update to its CSCF, potentially influencing the structure of payments operations and technology. This affects all organisations that use SWIFT. The CSCF standard requires an independent review to confirm that, at a minimum, all the mandatory controls are in place and meet the SWIFT requirements before you complete your 2024 attestation.

What is the Customer Security Control Framework (CSCF)?

It comprises 32 security controls, 25 mandatory and 7 optional, organised by objective to improve the prevention and detection of fraudulent use of the SWIFT infrastructure managed by customers. These controls form the basis of the independent SWIFT security assessment and of the obligatory KYC-SA (Know Your Customer - Security Attestation) security certificate that SWIFT customers must establish.

What are the Main New Features of SWIFT CSCF v2024?

Your SWIFT architecture now takes into account the architecture of your outsourcing agent, if you use one, and the agent becomes part of your audit. You will need to gather evidence reflecting the work they undertake for you.

Control “2.8 Outsourced Critical Activity Protection” has become mandatory for all architectures. You must provide reasonable assurance that outsourced services and activities are performed to the same standards and with the same care as if you operated them yourself, demonstrated through SLAs and NDAs. SWIFT infrastructure providers must be registered in the SWIFT SIP or Lite2 application directories. All SWIFT-related third parties must undergo an information security risk assessment in addition to any financial due diligence you perform.

Control “2.4A Back Office Data Flow Security” requires you to document the data flows in greater detail. You must maintain a table listing each flow and how it is secured, or how it will be secured under a two-phase approach. The security of each transmission must correspond to one of four permitted methods.

Minor Changes and Clarifications

  • Control 1.3 makes it clear that it covers cloud platform infrastructure.
  • Control 2.3 explicitly requires you to secure USB ports, as far as possible.
  • Control 2.9 provides clarity that controls can be at a business level.
  • Control 3.1 now includes the reuse and disposal of SWIFT equipment.
  • Control 5.2 now applies to soft tokens such as OTP SMS messages, as well as hard tokens.
  • Control 6.2 makes it clear that software must be verified after download, before implementation.
  • Control 6.4 logging and monitoring is cross-referenced in several other controls, providing a minimum scope of what must be logged and monitored.


Are you Ready for Compliance v2024?

Ensuring that SWIFT users align their security measures with the CSCF guidelines, and verifying that compliance annually, is paramount. SWIFT mandates an independent assessment of, at a minimum, all mandatory controls within the attestation, to enhance the trustworthiness, consistency and accuracy of these validations.

Ensure timely resolution of any non-compliance issues prior to the end of 2024 with our SWIFT Compliance Assessment. AJC offers comprehensive cybersecurity services encompassing assistance in evaluating the SWIFT customer security programs. Our in-depth SWIFT assessment delivers an appraisal of your present status and provides clear recommendations to guarantee adherence to the 2024 standards.

Please contact us on 020 7101 4861 if you think we can help.


Image accreditation: Philipp Katzenberger (January 2019) from Unsplash.com. Last accessed on 16th February 2024. Available at: https://unsplash.com/photos/closeup-photo-of-turned-on-blue-and-white-laptop-computer-iIJrUoeRoCQ
