SWIFT CSCFv2025 - The Three Most Important Questions About the Update

12 September 2024

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an organization's SWIFT infrastructure and systems is examined in detail to ensure adequate protection against potential security risks and vulnerabilities.

Recently, an update of the framework, namely CSCFv2025, was published. Tobias Weber, Managing Security Consultant at usd AG and auditor of several international security standards, took a closer look at the new framework for us:

Tobias, when will the new framework be applicable?

The frameworks are typically published in the summer of each year, but are not applicable until the following year. So all assessments from July 2025 onwards will be based on the CSCFv2025. SWIFT Assessments conducted in 2024 will be audited against the framework v2024 published last year. SWIFT is thus creating a transition phase of 1 year for the companies.

My personal tip for my customers: The timely release of the future frameworks allows us as auditors to include the upcoming requirements in this year's assessment.

You have had a look at the new framework. What changes should I be aware of?

In brief: CSCFv2025 does not contain any major changes. The update mainly consists of minor adjustments and clarifications, e.g. with regard to the scope of individual controls.

Contrary to expectations, no further advisory control was raised to “mandatory”. According to SWIFT, the requirement level should remain stable after having been continuously raised in recent years.

Does this mean that affected companies will not need to make any significant changes for 2025?

From this perspective, no. It should be noted that the transition phase for Control 2.4A (Back Office Data Flow Security) continues with this update. Further developments are scheduled for the v2026 framework. However, I recommend preparing for this ahead of time, as bridging servers and new direct data flows between the secure zone and back-office first hop must then also be protected. From v2028, this will also be extended to legacy flows.


Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.
