Your Local Partner for SWIFT CSP 2025 Compliance

In the ever-evolving landscape of global finance, security and compliance are paramount. The SWIFT Customer Security Programme (CSP) 2025 introduces critical updates designed to bolster the integrity, consistency, and security of financial institutions worldwide.

For senior and top management in financial institutions, understanding these changes and the importance of independent assessments is crucial.

The Importance of Independent Assessments

Independent assessments play a pivotal role in the SWIFT compliance process. Unlike internal reviews, these assessments provide an unbiased evaluation of an institution’s security measures. They ensure that the implemented controls are not only in place but are also effective and aligned with SWIFT’s stringent standards. This objectivity is vital for maintaining the trust and reliability of the global financial community.

Independent assessments contribute to:

  • Integrity: By providing a third-party perspective, they help identify potential vulnerabilities that internal teams might overlook.
  • Consistency: They ensure that all institutions adhere to the same high standards, fostering a uniform security posture across the network.
  • Security: Regular assessments help in early detection and mitigation of risks, thereby enhancing the overall security framework.

New SWIFT CSP 2025 Requirements: Is Your Institution Prepared?

The 2025 update to the SWIFT CSP includes several significant changes aimed at addressing the evolving cyber threat landscape. Some of the key updates are:

Customer client connector architecture type change
SWIFT users with the customer 'client' connector must now attest as Architecture Type A4. The applicable controls for the customer 'client' connector for this year are still advisory, but they will become mandatory in 2026.

Phased roadmap for Control 2.4A – Back Office Data Flow Security

Since 2024, SWIFT has recommended identifying the first back-office hops and assessing the existing data exchange security. To ensure robust protection, SWIFT has introduced a two-phase plan:

Phase 1 (2026): SWIFT users will be required to secure the bridging servers and the data flow exchange between the bridging server and the secure zone component, including new direct data flows.

Phase 2 (Tentatively 2028): SWIFT users will need to secure the existing data flows between the back-office first hop and the bridging server, as well as any existing direct data flows if the back office is directly connected to the secure zone component.

Minor updates on the implementation guidance

Minor updates to the implementation guidance for several key controls:

Controls 1.1 & 1.5 (Environment Protection): Updated to accommodate environments with co-hosted components.

Control 1.3 (Virtualisation/Cloud Platform Protection): Now advised for Architecture Type B when using virtual desktops.

Controls 2.1, 2.4, 2.5, 2.6: Reaffirmed that data flows may span hybrid environments (on-premises, cloud, or both).

Control 2.7 (Vulnerability Scanning): Now explicitly includes OS and application-level scans.

Control 2.8 (Outsourced Critical Activity Protection): Clarifies expectations when relying on SWIFT connectivity providers.

Control 7.1 (Cyber Incident Response Planning): Expanded to include extreme events such as ransomware or supply chain attacks.

Our Value-Adding Strategy

At Forvis Mazars, we understand that compliance is not just about meeting requirements but about enhancing overall security in a cost-effective manner. Our strategy focuses on:

  • Comprehensive Assessments: We offer thorough independent assessments that go beyond mere compliance checks. Our experts provide actionable insights to strengthen your security posture.
  • Cost-Effective Solutions: We believe that top-notch security should not come at a prohibitive cost. Our services are designed to be affordable, ensuring that even smaller institutions can benefit from high-quality assessments.
  • Ongoing Support: Compliance is an ongoing process. We provide continuous support to help you stay ahead of emerging threats and maintain compliance with evolving standards.

Our IT and Cybersecurity team includes a SWIFT Certified Assessor in the subject area.

Learn more about SWIFT’s Certified Assessors: SWIFT CSP Certified Assessor Directory

Get in touch with our team of cyber security experts to learn more about our services and how they can enhance your business' resilience to cyber threats.
