SWIFT CSP Updates: An Overview of SWIFT CSCF v2024


Through regular updates, the SWIFT CSCF incorporates the latest best practices and technological advancements to protect financial data and transactions.

The SWIFT Customer Security Controls Framework (CSCF) and Customer Security Programme (CSP) were introduced together in 2017 in response to the 2016 cyber incident that was cited as the biggest robbery in banking history carried out by cyber attackers. Since then, the CSCF has been the reference point for SWIFT users implementing security measures. The continuous evolution of cyber threats and of the cyber security field has brought numerous changes to the CSCF and CSP over the years. Generally, the CSCF is revised each year, with each revision published one year before its changes take effect.

The CSCF continues to evolve to enhance the security and resilience of financial institutions against cyber threats. Each revision introduces new controls, reworks existing controls, and improves guidance to address emerging threats and vulnerabilities. This ongoing refinement helps SWIFT users keep pace with cybercriminals and keeps the framework effective and relevant as the threat landscape changes. Here is a summary of CSCF control changes from its inception in 2017 through 2024:

  • CSCF v2017: 16 mandatory and 11 advisory controls; SWIFT customers had to self-attest annually, by 31 Dec 2017.
  • CSCF v2018: 16 mandatory and 11 advisory controls; SWIFT customers had to comply by 31 Dec 2018.
  • CSCF v2019: 29 controls (19 mandatory and 10 advisory); SWIFT customers had to comply by 31 Dec 2019.
  • CSCF v2020/v2021: implementation of the 2020 version was initially scheduled for 2020, but the COVID-19 pandemic delayed the launch to 2021. CSCF v2021 therefore carries the 2020 version forward with enhancements and minor modifications, easing the transition for SWIFT customers from earlier versions; it had 31 controls (22 mandatory and 9 advisory), with which users had to comply by 31 Dec 2021.
  • CSCF v2022: 23 mandatory and 9 advisory controls.
  • CSCF v2023: 32 controls (24 mandatory and 8 advisory).

Changes in v2024

The 2024 version of the Swift Customer Security Controls Framework (CSCF) is an incremental update to CSCF v2023. Updates to the CSCF are carried out by the CSCF Working Group, which evaluated a range of 'Change Requests' (CRs) for CSCF v2024, covering changes to scope, clarifications of guidance, cosmetic updates, and open questions.

Mandatory & Advisory controls

To address the increasing trend of outsourcing and cloudification within the community, control 2.8 (Outsourced Critical Activity Protection) is now mandatory with specific clarifications provided.

For a phased approach to making control 2.4A (Back Office Data Flow Security) mandatory, several updates have been implemented to ensure:

  • Identification of the servers connecting the back office to the user's secure zone.
  • Security mechanisms for the data flow exchange, either through end-to-end data protection or by securing each flow segment and the supporting 'bridging servers'.

Though control 2.4A remains advisory, Swift advises identifying and assessing these flows and their security posture.
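One way to start the identification and assessment that control 2.4A asks for, as an added example that is not part of the original article or of any Swift material: it takes constructed flow records (hostnames, zone labels and field names are assumptions), lists the bridging servers that sit between the back office and the secure zone, and classifies each secure-zone-bound flow as end-to-end protected, segment protected, or unprotected.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    port: int
    transport_encrypted: bool   # this flow segment is protected (e.g. TLS)
    end_to_end_protected: bool  # payload protected from back office to Swift component

SECURE, BACK_OFFICE = "secure-zone", "back-office"

# Constructed sample records standing in for a firewall or flow-log export;
# hostnames and zone labels are assumptions, not Swift- or CSCF-defined values.
SAMPLE_FLOWS = [
    Flow("bo-app-01", BACK_OFFICE, "bridge-01", "bridging", 8443, True, False),
    Flow("bridge-01", "bridging", "swift-gw-01", SECURE, 8443, True, False),
    Flow("bo-app-02", BACK_OFFICE, "swift-gw-01", SECURE, 21, False, False),
    Flow("bo-app-03", BACK_OFFICE, "swift-gw-01", SECURE, 443, False, True),
    Flow("hr-pc-01", "corporate", "bo-app-01", BACK_OFFICE, 445, False, False),
]

def secure_zone_bound(flows):
    """Flows entering the secure zone from outside it: the scope of 2.4A."""
    return [f for f in flows if f.dst_zone == SECURE and f.src_zone != SECURE]

def bridging_servers(flows):
    """Hosts that receive back-office traffic and forward it into the secure zone."""
    receive = {f.dst for f in flows if f.src_zone == BACK_OFFICE and f.dst_zone != SECURE}
    forward = {f.src for f in flows if f.dst_zone == SECURE}
    return sorted(receive & forward)

def classify(flow):
    """Protection category of one secure-zone-bound flow; end-to-end outranks segment."""
    if flow.end_to_end_protected:
        return "end-to-end"
    if flow.transport_encrypted:
        return "segment"
    return "unprotected"

def assess(flows):
    """Return {category: [(src, dst, port), ...]} for every secure-zone-bound flow."""
    report = defaultdict(list)
    for f in secure_zone_bound(flows):
        report[classify(f)].append((f.src, f.dst, f.port))
    return dict(report)
```

Each segment is judged on its own, so a "segment" result for a bridging server still leaves the upstream back-office segment to be checked separately.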

Minor Updates

Additional minor updates have been made to various controls and the overall CSCF framework to enhance usability and comprehension, aiding users in proper implementation:

  • Internal Data Flow Security (2.1) and Back Office Data Flow Security (2.4): Share the same risk drivers.
  • USB Port Protection Guidance: Now under System Hardening (2.3).
  • Application Allowlisting (optional enhancement): Moved to System Hardening (2.3) from 1.1, 1.5, and 6.2.
  • Transaction Business Controls (2.9): Business controls can be performed outside the secure zone.
  • Token Supervision and Storage: Standardized between Physical Security (3.1) and Token Management (5.2).
  • Equipment Sanitization: Added to Physical Security (3.1).
  • Consistent Control Titles aligned: e.g., Password Repository Protection (5.4) and Outsourced Critical Activity Protection (2.8).
  • Software Integrity Checks: Harmonized between Software Integrity (6.2) and Security Updates (2.2).
  • Logging and Monitoring (6.4): Referenced in controls requiring log monitoring.
  • Scenario-based Risk Assessment (7.4): Relies on existing Information Security Risk Management processes.

Appendix Updates

  • Glossary (Appendix D): Clarifies terms for service providers and third parties.
  • Industry Standards Mapping (Appendix E): Updated to the latest security standards.
  • Scope and Components (Appendix F): Updates CREST GUI/Gateway info; specifies securing WebAccess web servers as customer connectors.

Corrections & Updates

Combining the first two security principles has resulted in seven supported framework objectives. CSCF v2024 aligns the Swift Secure Zone, Customer Secure Zone, and co-hosting components paragraphs in the Scope of Security Controls section to clarify expectations for non-Swift systems or components in a secure zone. The title of control 5.4 has been corrected in the Security Controls Summary Table. The control statement of control 5.2 has been aligned with its objective. A correction has been made in Appendix A (Risk Driver Summary Matrix) for controls 2.1 and 2.4A.

Prajeeta Parajuli

About Biz Serve IT

Established in 2013 and based in Kathmandu, Nepal, Biz Serve IT leverages more than a decade of experience to provide extensive cybersecurity solutions. Its core competencies include Cybersecurity Governance, Risk, and Compliance (GRC). It delivers services such as Security Audits, ISO 27001 Certification, SWIFT CSP Assessment, and Vulnerability Assessment and Penetration Testing (VAPT) to help businesses of all sizes strengthen their defences against continually evolving cyber threats.