SWIFT CSCF assessment

The financial sector continues to be a prime target of highly sophisticated and customized cyber attacks. The interbank messaging network SWIFT (Society for Worldwide Interbank Financial Telecommunications) was recently under attack resulting in millions of dollars in losses for member organisations. To protect members against such attacks, SWIFT introduced the Customer Security Programme (SWIFT CSP) that all SWIFT member organisations who use the interbank messaging network must comply with by implementing the SWIFT Customer Security Control Framework (SWIFT CSCF) and reporting their compliance to SWIFT on an annual basis. SWIFT has introduced the programme with the aim of improving information sharing between members, enhancing SWIFT-related tools and providing the community with a standardised assurance framework.

What is SWIFT CSP?

The SWIFT CSP requires each organisation to define, document, implement and attest that their SWIFT environment is compliant with SWIFT’s CSCF objectives, principles and controls as listed in the table below.

The SWIFT CSCF includes mandatory and optional security controls for SWIFT users. As a response to a constantly changing cyber threat landscape, SWIFT security controls are regularly reviewed and updated. It is recommended that the currently optional controls be made mandatory and new security controls be initially introduced as optional. The number of controls that a SWIFT member organisation must follow depends on the design of the SWIFT organisation’s environment.

SWIFT compliance requirements

Since 2021, SWIFT has required its members to attest their compliance with CSCF by independent assessments either by internal resources or by an external independent auditor. What matters is that sufficient evidence is collected and reviewed by an independent party. An internal assessment can be carried out by the organisation's risk management or internal audit units. However, an external assessment can provide clear independence in a SWIFT compliance assessment, giving assurance to internal and external stakeholders.

All SWIFT members must annually attest their compliance with at least the CSCF mandatory controls requirement by 31 of December.

What we offer and our tools

KPMG can help clients assess the design and implementation of the SWIFT CSCF controls the organisation has applied in their local SWIFT environment. We can help organisations pinpoint possible areas needing improvement and suggest actions to improve the security of the organisation’s local SWIFT environment to achieve compliance with the SWIFT controls requirements.

KPMG assessment of compliance with SWIFT CSCF

The KPMG SWIFT CSCF engagement starts with a client meeting to understand the client’s business and gather necessary information so that we can develop a detailed plan for the assessment. During the planning phase, the scope and limitations of the engagement are defined, points of contact identified and key deadlines agreed on. The planning phase lasts around two weeks.

After the completion of the planning activities, the assessment fieldwork begins. The fieldwork includes interviews with key contacts and representatives of the organisation, review of documentation, as well as onsite physical security and configuration reviews. The fieldwork takes about 3-5 days depending on the design of the organisation’s SWIFT environment.

Success of the fieldwork phase depends on the availability and co-operation of the client’s employees. Most of the fieldwork activities can be carried out via remote interviews but some activities, such as physical security reviews, are performed on-site. After fieldwork, a SWIFT CSCF assessment report with assessment results is written. The reporting phase takes two weeks: KPMG performs required quality assurance activities and provides progress updates to the client.

Deliverables

The key deliverables of SWIFT CSCF assessment are the assessment report provided in accordance with the SWIFT CSCF reporting template and an independent assessment completion letter. The CSCF report includes the description of the design and implementation of controls applied within the local SWIFT environment as well as the level of compliance with CSCF requirements. Where appropriate, areas needing improvement with suggestions to increase the level of security for the local SWIFT environment are included.

To ensure that the required assessment is carried out before the year end, we recommend that the independent SWIFT CSCF assessment is performed in Q3 or Q4. This leaves sufficient time to remediate any identified nonconformities and perform required follow-up activities before the end of current year‘s attestation period.

Turn threats into opportunities

Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia
${item.title} KPMG Baltics KPMG Küberkaitse KPMG Global Privacy Policy

Oma veebilehel kasutame küpsiseid. Küpsised aitavad analüüsida veebiliiklust ning annavad meile statistilist teavet.

HR assessment

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Est

Eng

SWIFT CSCF assessment

What is SWIFT CSP?

SWIFT compliance requirements

What we offer and our tools

KPMG assessment of compliance with SWIFT CSCF

Deliverables

Turn threats into opportunities

KPMG Baltics OÜ

Võta meiega ühendust

${i18n('ask_more')}

HR assessment

${i18n('ask_more')}

Threat assessment

${i18n('ask_more')}

Maturity assessment