SWIFT Customer Security Program

Beginning from mid-2021, all SWIFT users will be required to have an independent attestation of their compliance with the updated version of the Customer Security Controls Framework (CSCF v.2021) based on SWIFT’s Independent Assessment Framework (IAF). Forvis Mazars’ experience in cybersecurity and SWIFT requirements guarantees the efficient completion of these attestations.

Our Approach:

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment network is currently the only de-facto means of carrying out legally secured cross-border payment transactions. All SWIFT users – i.e., banks, insurance, and asset management firms with a BIC (Bank Identifier Code) connected to the international payment network SWIFT – must attest to their level of compliance with a set of mandatory controls as described in the Customer Security Controls Framework (CSCF) as part of the Customer Security Program (CSP).

As of 2021, the Independent Assessment Framework (IAF) replaces the annual self-attestation, making a Community Standard Assessment (CSA) mandatory. The CSA specifies an attestation of applicable controls of the CSCF by an independent assessor. This can either be done by an external third party or an internal, independent function maintaining the appropriate competencies and certifications. Non-compliance with CSCF’s cybersecurity requirements as well as non-compliance with the annual obligation of self-attestation and independent attestation might be reported by SWIFT to local supervisory authorities.

Independent Attestation

SWIFT sets requirements in terms of independence, cybersecurity experience, and relevant certifications which usually represent a high bar for internal assessors. SWIFT users opting for an external assessment must ensure that it is performed by an independent external organisation. It is mandatory that the assessor has existing cybersecurity assessment experience and that individual assessors have the relevant security industry certification(s).

Our Services:

  • Experience in performing assessments and reviews of CSCF compliance in banking and insurance environments
  • Sufficient training and expertise in SWIFT and SWIFT security – including the SWIFT security control framework and detailed mandatory and advisory controls
  • Extensive financial service experience serving clients in cybersecurity and IT audit and advisory projects
  • Recognised industry qualifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, etc.
  • Detailed gap analysis between the SWIFT CSCF requirements and your current control level, with recommendations for improvement where necessary
  • Assessments based on ISAE 3000 (International Standard on Assurance Engagements 3000) for audit clients, as long as this service does not conflict with the statutory audit in terms of independence
