The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is the world’s leading provider of secure financial messaging services and is headquartered in Belgium.
SWIFT’s international governance and oversight ensure the neutral, global nature of its cooperative structure. SWIFT operates a global office network with a presence in all major financial centers.
What is SWIFT’s Customer Security Program (CSP)?
SWIFT’s Customer Security Program (CSP) was established to enhance cybersecurity within the SWIFT user community and lead collaborative efforts across the financial industry in addressing evolving cyber threats.
The CSP helps financial institutions ensure their defenses against cyberattacks remain current and robust, safeguarding the integrity of the global financial network.
A key component of the CSP is the SWIFT Customer Security Controls Framework (CSCF), which consists of both mandatory and advisory security controls for users. The framework helps protect not only individual institutions’ networks but also the SWIFT community as a whole.
Who are SWIFT users?
SWIFT users include a variety of financial institutions and organizations involved in the financial industry, such as:
- Supervised Financial Institutions: Banks, investment firms, insurance companies, and other regulated financial entities.
- Non-Supervised Entities: Organizations active in the financial sector but not necessarily under the same regulatory supervision.
- Closed User Groups (CUGs) and Corporate Entities, including:
  - Corporates
  - Financial Market Regulators
  - Payment System Participants
  - Securities Market Data Providers
  - Securities Market Infrastructure System Participants
  - Service Participants within Member-Administered Closed User Groups
  - Treasury Counterparties
Are SWIFT users required to have an assessment of SWIFT CSCF compliance?
Yes, SWIFT mandates that, at a minimum, all mandatory controls outlined in the SWIFT Customer Security Controls Framework (CSCF) must be independently assessed. This assessment must be conducted within the official attestation window, which typically runs from early July to December 31 of each year.
What is the mandatory framework in Kuwait governing SWIFT CSCF compliance?
According to the Cybersecurity Framework for the Kuwaiti Banking Sector, Control No. 4.5.2, item (d), the Central Bank of Kuwait requires regulated entities to comply with the latest versions of applicable best practices and standards, such as the SWIFT CSCF. This ensures that local financial institutions meet the global cybersecurity standards set by SWIFT.
What is the latest version of the SWIFT CSCF, and what changes have been introduced?
The latest version of the SWIFT Customer Security Controls Framework (CSCF) is v2025, released in July 2024. This version introduces several updates aimed at enhancing the security of SWIFT users:
- New Mandatory Control 2.8: Outsourced Critical Activity Protection: This control emphasizes the importance of managing risks associated with third-party providers and service providers. It requires organizations to implement measures to protect outsourced critical activities, reflecting the growing focus on third-party risk management.
- Focus on Back Office Data Flow Security (Control 2.4A): While not yet mandatory, SWIFT has highlighted the significance of securing data exchanges with on-premises or remote users of SWIFT infrastructure components. Organizations are encouraged to prepare for the future implementation of this control, which aims to address risks related to the confidentiality and integrity of sensitive data.
What are the principles of the SWIFT CSCF?
The SWIFT Customer Security Controls Framework (CSCF) is now structured around three overarching objectives:
- Secure Your Environment
- Know and Limit Access
- Detect and Respond
What is the deadline for achieving SWIFT CSP compliance?
SWIFT customers must submit their annual attestation by December 31 each year. This attestation confirms that the institution has met all relevant compliance requirements outlined in the SWIFT CSP.
What is the scope and timing for the SWIFT CSCF assessment?
The scope of the SWIFT CSCF assessment must cover all mandatory controls for the applicable year and architecture type. The timing for the attestation submission is from early July until the year-end deadline of December 31.
What is the added value to business entities from SWIFT CSCF compliance?
Achieving compliance with the SWIFT Customer Security Controls Framework (CSCF) provides several key benefits for business entities:
- Regulatory Compliance: Ensure compliance with SWIFT’s cybersecurity standards and relevant local regulations.
- Enhanced Stakeholder Confidence: Improve trust in the reliability and security of the financial institution’s technology infrastructure.
- Risk Management: Proactively identify and manage cybersecurity risks within SWIFT-connected systems, ensuring business continuity.
Why Baker Tilly?
Baker Tilly Kuwait stands out due to its specialized experience in cybersecurity and SWIFT compliance. The firm offers several key advantages to its clients:
- Global Expertise with Local Presence: A global consulting firm with a strong local presence in Kuwait, offering access to a network of over 250 cybersecurity experts worldwide.
- State-of-the-Art Tools: Baker Tilly Kuwait uses world-class laboratories and the latest tools for vulnerability assessments and for detecting cyberattack risks.
- Up-to-Date Cybersecurity Knowledge: The firm maintains updated databases of emerging cyberattack methods and tools to mitigate those threats.
- Bilingual Team: The team provides services in both Arabic and English, ensuring seamless communication with local and international clients.