19.04.2021 – Beginning mid-2021, all SWIFT users will be required to have an independent attestation of their compliance with the updated version of the Customer Security Controls Framework (CSCF v2021) based on SWIFT’s Independent Assessment Framework (IAF). Mazars’ experience in cybersecurity and SWIFT requirements guarantees the efficient completion of these attestations.
SWIFT and the Customer Security Programme (CSP)
The SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment network is currently the only de-facto means of carrying out legally secured cross-border payment transactions. All SWIFT users – i.e., banks, insurance, and asset management firms with a BIC (Bank Identifier Code) connected to the international payment network SWIFT – must attest to their level of compliance with a set of mandatory controls as described in the Customer Security Controls Framework (CSCF) as part of the Customer Security Program (CSP).
As of 2021, the Independent Assessment Framework (IAF) replaces the annual self-attestation, making a Community Standard Assessment (CSA) mandatory. The CSA specifies an attestation of applicable controls of the CSCF by an independent assessor. This can either be done by an external third party or an internal, independent function maintaining the appropriate competencies and certifications.
Non-compliance with CSCF’s cybersecurity requirements as well as non-compliance with the annual obligation of self-attestation and independent attestation is reported by SWIFT to local supervisory authorities or other SWIFT users.
The Customer Security Controls Framework
The framework contains – dependent on the user’s SWIFT Architecture Type – defined mandatory and advisory cybersecurity controls in the following areas:
SWIFT sets requirements in terms of independence, cybersecurity experience, and relevant certifications which usually represent a high bar for internal assessors. SWIFT users opting for an external assessment must ensure that it is performed by an independent external organisation. It is mandatory that the assessor has existing cybersecurity assessment experience and that individual assessors have the relevant security industry certification(s).
At Mazars, our auditors:
have ample experience in performing assessments and reviews of CSCF compliance in banking and insurance environments
have sufficient training and expertise in SWIFT and SWIFT security – including the SWIFT security control framework and detailed mandatory and advisory controls
have extensive financial service experience serving clients in cybersecurity and IT audit and advisory projects
hold recognised industry qualifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, etc.
We will provide you with a detailed Gap Analysis between the SWIFT CSCF requirements and your current control level, and provide recommendations for improvement, if necessary.
Our assessment consists of independent testing and could be performed based on ISAE 3000 (International Standard on Assurance Engagements 3000 «Assurance Engagements other than audits or reviews of historical financial information», Type I) for audit clients. Most importantly, this service does not conflict with the statutory audit in terms of independence.