SWIFT announces updates to the Customer Security Controls Framework for attestation in 2019

Customer Security Programme, 13 August 2018 | 3 min read

The updated framework provides additional guidance on the implementation guidelines and includes changes to the existing controls

The Customer Security Programme (CSP), launched by SWIFT in 2016, is designed to help customers implement the practices that are critical to help defend against, detect and recover from cybercrime. The security of our community requires everyone’s participation and starts with each individual organisation’s own security. To help with this, in March 2017 SWIFT published the Customer Security Controls Framework (CSCF) as part of the CSP. This is a set of security controls – 16 mandatory and 11 advisory – that set a security baseline for all SWIFT users. The security controls were developed in conjunction with industry experts and designed to be in line with existing information security industry standards: PCI-DSS, ISO 27002, and NIST. Attesting compliance with the security controls is an essential step for customers towards securing their SWIFT-related infrastructure.

The security controls are kept under constant monitoring to take into account emerging and evolving cyber threats. SWIFT has published the new Customer Security Controls Framework (CSCF) v2019, which sets out a number of changes to the existing controls and provides some additional guidance and clarification on the implementation guidelines. As a result, the CSCF v2019 is now composed of 19 mandatory and 10 advisory controls. Three advisory controls, 2.6A, 2.7A and 5.4A, have been promoted to mandatory, and two new advisory controls have been introduced to address a) virtualisation platform protection and b) SWIFT-related applications hardening. The CSCF v2019 can now be consulted but will only become effective in the KYC-SA, the online repository for customer attestations, in July 2019. All SWIFT users must attest against the mandatory controls of this new version by the end of 2019.

In the meantime, users must attest their compliance against the current set of controls no later than the end of 2018, dependent on the expiry date of their current attestation.

As part of the Change Management process for the CSCF, control updates are usually announced mid-year, with attestation and compliance against the mandatory controls of any new version required between July and December of the following year, dependent on the expiry date of the attestation. This is intended to allow enough time, up to 18 months, for customers to budget, plan and implement potentially needed updates. The Change Management process can also include emergency releases if certain changes to the CSCF cannot wait until the next scheduled release, but we anticipate emergency releases to be a rare occurrence.
