Objectives, principles & controls

Swift has defined a set of security objectives, which are linked to seven principles and covered by the set of controls in the Customer Security Controls Framework (CSCF). The CSCF consists of 25 mandatory and 7 advisory controls, but not all controls are applicable to all architecture types: it depends on the extent to which an organisation is integrated with Swift systems.

Swift users are required to confirm their compliance with the mandatory security controls between 1 July and 31 December of each year – whether fully compliant or not!

SWIFT Focus Areas

Third Party Risk Management – new mandatory control 2.8

Swift constantly monitors ongoing threats and evolutions in the cyber landscape, and adapts its CSP to meet the challenges that arise. In 2024, Swift’s focus area is Third Party Risk Management, as this topic is gaining importance both from a security and a regulatory perspective (e.g. DORA, NIS2).

Many organisations rely heavily on third-party vendors and service providers to meet various operational needs, and as a result give external parties access to systems and large amounts of data. This poses additional risks that need to be actively identified and controlled.  

What is expected for this control?

Swift has also defined an Outsourcing Agents Security Requirements Baseline, which establishes good practice on the controls to be implemented. In short, the aim of this new control is to maintain an effective third party risk management program. This includes:

• maintaining an overview of third parties (including outsourcing agents) and what components and controls they impact
• identifying critical vs. non-critical activity outsourcing, 
• performing periodic risk assessments on third parties, 
• establishing SLAs and NDAs (for critical activities)
• obtaining assurance over the security controls implemented by the third party. 

Swift users should ensure that security provisions are included in contracts with third parties, which at a minimum should comply with the CSP controls. Furthermore, roles and responsibilities should be documented.

Back Office Security – control 2.4A

In the past, the focus of the CSP was the so-called Swift Secure Zone – a segregated zone where the critical components reside. Now, Swift aims to ensure the security of the “first hop” of the back office, as it determined that significant risks exist related to the data exchange with (often legacy) back-office applications. This includes sensitive data confidentiality and integrity, unauthenticated system traffic and unauthorised access to data and systems. 

To achieve this, Swift intends to make control 2.4A Back-Office Data Flow Security mandatory in the coming years, and encourages its users to start looking into how to implement this control. For further information on this control and its implementation requirements, check out the Swift CSCF or reach out to your BDO contact person.

For the year 2024, we recommend identifying the back-office first hops and evaluating the security of existing data exchanges. Next, a gap assessment should be performed to identify the actions that will be needed to reach the desired state. Initially, Swift will focus on new flows created between the back office and Swift systems. In a second phase, legacy flows should also be protected – although these will most likely require the biggest investment, so users should not wait too long with the gap assessment and implementation.

Want to know more?