Hands on laptop keyboard with digital network overlay, symbolizing cybersecurity, data flow, and secure SWIFT transactions.

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

12. September 2024

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an organization's SWIFT infrastructure and systems is examined in detail to ensure adequate protection against potential security risks and vulnerabilities.

Recently, an update of the framework, namely CSCFv2025, was published. Tobias Weber, Managing Security Consultant at usd AG and auditor of several international security standards, took a closer look at the new framework for us:

Tobias, when will the new framework be applicable?

The frameworks are typically published in the summer of each year, but are not applicable until the following year. So all assessments from July 2025 onwards will be based on the CSCFv2025. SWIFT Assessments conducted in 2024 will be audited against the framework v2024 published last year. SWIFT is thus creating a transition phase of 1 year for the companies.

My personal tip for my customers: The timely release of the future frameworks allows us as auditors to include the upcoming requirements in this year's assessment.

You have had a look at the new framework. What changes should I be aware of?

In brief: CSCFv2025 does not contain any major changes. The update mainly consists of minor adjustments and clarifications, e.g. with regard to the scope of individual controls.

Contrary to expectations, no further advisory control was raised to “mandatory”. According to SWIFT, the requirement level should remain stable after having been continuously raised in recent years.

Does this mean that affected companies will not need to make any significant changes for 2025?

From this perspective, no. It should be noted that the transition phase for Control 2.4A (Back Office Data Flow Security) continues with this update. Further developments are scheduled for the v2026 framework. However, I recommend preparing for this ahead of time, as bridging servers and new direct data flows between the secure zone and back-office first hop must then also be protected. From v2028, this will also be extended to legacy flows.


Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories