The Society for Worldwide Interbank Financial Telecommunication (SWIFT) program serves as the backbone for secure global transactions. In this article, we will delve into the intricacies of transitioning to the new version of the SWIFT program, equipping technical specialists with key insights and guidance.
SWIFT recently published updates to its CSCF (Customer Security Control Framework), which outlines mandatory and advisory security controls for organizations. The latest version of SWIFT CSCF contains 23 mandatory and 9 advisory controls, compared to the previous version, which contained 21 mandatory and 10 advisory controls. However, it is not simply the case that controls have been added or removed as the CSCF has also adapted several existing measures to streamline the compliance process and account for new security issues.
New advisory control 1.5A Customer Environment Protection
This is a new advisory that details the requirements needed to secure the Customer Connector; this is analogous to the Secure Zone, a segmented and controlled environment tied to the SWIFT CSP control framework. SWIFT defines “Connectors” as “local software designed to facilitate communication with an external messaging interface or a communication interface (or both), or to a service provider (handling as such the external connection).” These types of interfaces can often be the target of a cyber-attack as they provide a point of access.
This new advisory is relevant for the A4 architecture type but also applies to the other three architecture types (A1, A2, and A3). Worth noting is that A4 architecture was introduced in CSCF v.2021 to cover customers with a non-SWIFT footprint to support new technology such as cloud and APIs. Note that the ‘Secure Zones’ are now clarified in v.2022 to support this update.
Transaction Business Controls 2.9 mandatory
SWIFT added 2.9 Transaction Business Controls, to CSCF v.2021 as an advisory control only. However, from CSCF v.2022, this control is now mandatory. This reflects the serious nature of the increasing threat of payment fraud. This mandate will apply to all architecture types and will significantly reduce fraudulent payments. To achieve this, CSCF v.2022 specifies that all financial institutions must restrict and monitor the data flows in payment transactions. Also worth noting is that control 2.9 aligns with the Committee of Payments and Market Infrastructures (CPMI) strategy to prevent payment fraud.
Limiting traffic outside of business hours is one of the core requirements of this now mandatory control. Some of the sub-controls include the ability to issue and check confirmation messages as well as reconcile accounting records with end-of-day statement messages.
Scope extension to 1.2 Operating System Privileged Account Control
Security hygiene opens vulnerabilities in a system and allows cybercriminals to exploit processes. To help mitigate security hygiene-related issues, CSCF control 1.2 (Operating System Privileged Account Control) has been extended in v.2022. This extension ensures that control 1.2 now covers basic security hygiene on end-user devices, and extends the scope to include general-purpose operator PCs as well as including architecture B. This control remains advisory rather than mandatory, however, this should be viewed as a best practice to mitigate payment fraud.
Mandatory independent assessment of CSCF
Previously, self-assessment in readiness for attestation of compliance with CSCF was allowed. However, from 2021 the CSCF assessment must now be performed by an independent assessor. This mandatory condition is carried out by “Community Standard Assessment” as part of the Independent Assessment Framework (IAF), which SWIFT requires to improve the accuracy of an attestation. This new mandate requires attestations to be assessed through either an internal or/and an external assessment.
The latest version of the CSCF also makes minor amendments to existing controls to “improve the usability and comprehension of the document and help to implement the framework as intended”. These are unlikely to change organizations’ compliance status but could help them improve existing processes. The requirements became mandatory in July, with organizations being required to adopt these controls by the end of the year.
CSCF Assessments with MAKINSIGHTS
Our SWIFT CSCF compliance assessment compares your technology controls with CSCF and helps you to meet your business objectives. MAKINSIGHTS has a team of specialists with extensive experience in cybersecurity projects in the financial services sector and we are listed in the SWIFT directory of CSP assessment authorized providers worldwide. Please feel welcome to book a consultation with us via ideas@makinsights.com or through calendly HERE.
Schedule a complementary conversation now!
Implementing FAIR's ontology perspective is a proactive step towards building a resilient and secure digital ecosystem.
Contact us