
Swift Independent Assessment: What You Need to Know

The IT Risk & Compliance team at Forvis Mazars can help institutions comply with the Swift CSP.

Let Forvis Mazars help your financial institution comply with the Swift Customer Security Program (CSP).

IT Risk & Compliance

Swift CSP Assessment Services

What Is Swift?

The Society for Worldwide Interbank Financial Telecommunication (Swift) was founded in the 1970s with the vision of creating a global financial messaging service and a common language for international financial messaging.

Today, Swift is a global financial infrastructure that spans every continent and more than 200 countries and territories, and serves in excess of 11,000 institutions around the world. Swift carries more than 5 billion financial messages a year. [1]

What Are the Swift Customer Security Program (CSP) & the Swift Customer Security Controls Framework (CSCF)?

Swift implemented the CSP in 2016 to help financial institutions strengthen their cyber defenses. The CSP establishes a common set of security controls known as the CSCF, which is designed to help Swift users (“customers”) secure their own environments and to foster a more secure financial ecosystem.

The Swift CSCF consists of both mandatory and advisory security controls that are based on industry-standard frameworks, such as NIST, ISO 27000, and PCI DSS. Mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their Swift infrastructure. Advisory controls are optional best practices that Swift recommends users implement.

The Swift CSCF is based on three objectives supported by seven principles:

Objectives and Principles
Secure Your Environment
  1. Restrict Internet Access and Protect Critical Systems From General IT Environment
  2. Reduce Attack Surface and Vulnerabilities
  3. Physically Secure the Environment
Know and Limit Access
  1. Prevent Compromise of Credentials
  2. Manage Identities and Segregate Privileges
Detect and Respond
  1. Detect Anomalous Activity to Systems or Transaction Records
  2. Plan for Incident Response and Information Sharing

To help Swift users meet these objectives and principles, Swift has defined 32 security controls (25 mandatory controls and seven advisory controls) that should be in place to help mitigate cybersecurity risks.

The Swift architecture type in place at your organization, i.e., A1, A2, A3, A4, or B, determines the security controls that apply to your environment. [2]

What Are the Requirements & Timeline to Comply With the Swift CSP?

Your Swift independent assessment must cover at least all mandatory controls as set out in the CSCF version of the applicable year, and in line with the Swift architecture type and infrastructure that applies to your organization.

Swift users need to submit a self-attestation of compliance online in the KYC-SA application anytime between July 1 and December 31. [3]

How Forvis Mazars Can Help

The IT Risk & Compliance team at Forvis Mazars can assist you in identifying which Swift architecture type applies to your environment, understanding the applicable mandatory and advisory security controls, and completing your annual Swift independent assessment as required by Swift.

If you have questions or need assistance, please contact us.

  • [1] “About us,” swift.com, 2025.
  • [2] Swift Customer Security Controls Framework v2025
  • [3] Swift CSP Independent Assessment Framework v2025
