SWIFT Customer

Security Programme
The essentials

December 2020

What is the SWIFT Customer
Security Programme (CSP)?
SWIFT has introduced its Customer
Security Controls Framework
(CSCF) to drive security
improvement and transparency
across the global financial
community.The SWIFT CSP
focuses on three mutually
reinforcing areas: protecting and
securing your local environment,
preventing and detecting fraud in
your commercial relationships, and
continuously sharing information
and preparing to defend against
future cyber threats.
While all customers remain
primarily responsible for protecting
their own environments, SWIFT’s
CSP aims to support its community
in the fight against cyber-attacks.
Why is it important?
In response to a number of cyber
attacks and breaches throughout
2016, in 2017 SWIFT identified, 16
mandatory and 11 optional security
controls for all of its 11,000
customers worldwide. All customers
are asked to attest to meeting the
controls on an annual basis, and the
results of same are shared with
counterparts and regulators.
How will this impact
SWIFT customers?
The SWIFT CSP has evolved, and will
continue to do so, since inception.
Customers will need to continue to
implement security controls and raise
the bar to ensure compliance with the
CSCF. Previously, SWIFT customers
were required to self-attest to the
CSCF V2019 by 31 December 2019.
This updated framework contained 19
mandatory and 10 advisory
security controls.
In 2020*, SWIFT promoted 2 existing
advisory controls to mandatory and
introduced 2 new advisory controls
resulting in 21 mandatory and 10
advisory controls in the CSCF
V2020. For 2021, SWIFT promoted 1
control to mandatory resulting in 22
mandatory and 9 advisory controls in
the CSCF v2021. As from mid-2021,
organizations will need to support
their attestation against CSCF
v2021 with an independent internal
or external assessment.
What are the success factors?
To be successful, organisations must
take a thoughtful and systematic
approach, requiring collaboration
across the three lines of defence,
strong leadership and a diverse
organised team. Are you ready for
this increased level of mandatory
requirements?

How is the SWIFT CSP framework structured?

Security principles Controls objectives Controls

Description – Includes items such Validation measures – Includes the

as control frequency, who or what
performs the action, what action was
performed and what action or effect
is the result.
Components – Includes specific
people, process and technology
elements associate with the control.
method by which control design and
effectiveness will be validated, the
frequency and associated artefacts
Owner – Includes information related
to the control owner such as name
and functional title.

*Given the global COVID-19 situation SWIFT has published updated guidelines on 18 June 2020 regarding
changes to CSP self-attestation and independent assessment requirements for 2020. SWIFT has announced that
in 2020, customers can self-attest against the 2019 version of the SWIFT CSP and can optionally support the
self-attestation with an independent assessment. In 2021, independent assessment will be a mandatory
requirement and customers will be required to attest against the 2021 version of the CSP framework.
What milestones should you be aware of?
2020 2020 2021 2021

Annual attestation Self-attestation SWIFT CSP v 2021 Independent assessment

Comply with the CSCF v2019 submission
or optionally against the CSCF SWIFT will require all
v2020 framework organisations to submit their
attestation for 2020 by
31 Dec 2020
Customers must comply with SWIFT requires all customers
CSCF v2021 including to support their attestation with
22 mandatory and 9 an independent assessment by
the end of 2021
advisory controls

PwC capabilities
How can Pwc help to meet SWIFT’S Independent assessment?
SWIFT CSP assessment Embedded in internal audit
A detailed independent assessment of Work alongside your Internal Audit,
SWIFT CSP controls by leveraging our Information Technology, and/or Risk
CSP accelerator functions to report on SWIFT CSP controls

Additional cyber security services

Cybersecurity Vulnerability Security Awareness

Governance and Risk Assessments and Training using PwC’s
Incident Response
Assessments Penetration Testing Game of Threats

Why PwC? Contacts

Proven CSP assurance experience Carolyn Bell-Wisdom
We have performed numerous SWIFT CSP assessment Partner, Risk Assurance Services
engagements across multiple territories and industries. M: +1(876)383 8949
E: [email protected]

Cohesive team who understands SWIFT Anthony Zamore

We understand SWIFT like no other and our team consists Director, Advisory Services
of qualified IT security experts with experience conducting M: +1(868)331 7707
reviews on SWIFT systems. Our regional teams are also E: [email protected]
supported by PwC SWIFT CSP experts.
Alessandro Frenza
Adapting to your requirements Global SWIFT CSP Lead (Cyber Security)
PwC will leverage inhouse accelerators and our extensive M: +44(0)7493 319240
SWIFT CSP expertise to ensure that your needs are met E: [email protected]
ahead of SWIFTs required independent assessment due on
31 December 2021.

For further information refer to:

pwc.com/tt/swift

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2020 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see
www.pwc.com/structure for further details.