SWIFT Customer Security Programme
An Independent Attestation for SWIFT Users in Financial Services
For senior and top management in financial institutions, understanding these changes and the importance of independent assessments is crucial.
Independent assessments play a pivotal role in the SWIFT compliance process. Unlike internal reviews, these assessments provide an unbiased evaluation of an institution’s security measures. They ensure that the implemented controls are not only in place but are also effective and aligned with SWIFT’s stringent standards. This objectivity is vital for maintaining the trust and reliability of the global financial community.
Independent assessments contribute to:
The 2024 update to the SWIFT CSP includes several significant changes aimed at addressing the evolving cyber threat landscape. Some of the key updates are:
New Mandatory Control: The 2024 update introduces a new mandatory control, Control 2.8: Outsourced Critical Activity Protection, focused on third-party risk management to ensure an adequate level of security and compliance by third parties or service providers.
So what constitutes outsourced critical activities? SWIFT listed some examples such as security and change management of the CSP components and underlying virtualization infrastructure, RMA and business transactions management, monitoring of events generated by users, network management, and security administration.
Control 2.3: Now includes USB port protection policies and improvements to application whitelisting. These enhancements are designed to reduce the attack surface and prevent unauthorized access to critical systems.
Control 2.9: Business controls can now be performed outside the safe zone, providing more flexibility while maintaining security standards. This change allows institutions to adapt their security measures to their specific operational needs without compromising on security.
Control 3.1: Contains new recommendations for the disposal of devices and token security. Proper disposal of devices and secure management of tokens are essential to prevent unauthorized access and data breaches.
SWIFT is looking to promote Control 2.4A Backoffice Data Flow Security from an advisory control to a mandatory control. SWIFT intends to make this control mandatory in the coming years to ensure that data exchanged between back-office applications and the SWIFT interface is protected and secured.
To start preparing for this change, institutions should identify their back-office (BO) first hops and specify how each is secured, or how it will be secured, in a phased approach that will be included in future releases of the SWIFT CSP (dates not yet determined):
At Forvis Mazars, we understand that compliance is not just about meeting requirements but about enhancing overall security in a cost-effective manner. Our strategy focuses on:
Get in touch with our team of cyber security experts to learn more about our services and how they can enhance your business's resilience to cyber threats.