I-TRACING is proud to announce that it belongs to the ten global companies with SWIFT CSP certified assessors. Ten of its employees are SWIFT CSP certified assessors, two of whom are the first in France. This marks a milestone in our ability to support our current and future clients under the SWIFT CSP (Client Security Program).
What is the SWIFT compliance program (CSP)?
Created in 1973, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) is the international interbank messaging network, allowing all financial institutions to make international payments. It has over 11,000 users worldwide, in more than 200 countries.
Importance of financial transactions security
Every day, the SWIFT network is used to execute millions of payment orders, purchase orders and transactions. It significantly increases the speed of financial transactions on a global scale.
However, this is also what makes the SWIFT intra-banking network a prime target for cybercriminals. The annual SWIFT audit is therefore all the more necessary as an assessment of defences. In 2018, the North Korean hacker group Lazarus targeted SWIFT to hijack more than $80 million from the Bank of Bangladesh.
Goal of the SWIFT CSP program
The SWIFT CSP helps financial institutions ensure that their defenses against cyber-attacks and fraud are up-to-date and effective. It thereby helps protect the integrity of the broader financial network. In practice, users of SWIFT solutions and platforms compare the security measures they have put in place with those detailed in the Client Security Control Framework (CSCF) and can then attest to their level of compliance on an annual basis.
What is a SWIFT CSP audit?
Prepare for your SWIFT audit
Understanding the architecture of the Customer Security Control Program (CSCP) of the SWIFT CSP is essential to a successful SWIFT audit.
The SWIFT CSP security controls framework is organized around 3 main objectives to prevent, monitor and respond to cyber attacks. These objectives result in 7 safety principles that are similar to operational safety recommendations:
Secure your IS to prevent cyber attacks
- Ensure the physical safety of the environment
- Restrict access to the internet and be able to isolate critical systems from the rest of the general computing environment
- Identify vulnerabilities and reduce attack surface
Manage the attack surface
- Identity, access and privilege management
- Protect identities from compromise
Detect and respond to cyber attacks
- Detect abnormal behaviour and activities
- Define and deploy a cyber security incident response plan, and a crisis communication plan
A SWIFT audit adapted to your deployed architecture
These 7 safety principles in the SWIFT CSP security framework result in 32 controls, 25 of which are mandatory in a SWIFT audit. The scope and assessment criteria differ depending on the SWIFT service deployment architecture chosen by each financial institution.
- Architecture A1: you have the SWIFT communication and messaging interface.
- Architecture A2: you only have the messaging interface, but not the SWIFT communication interface.
- Architecture A3: a SWIFT connector is used in your environment to access an interface with a service provider or with SWIFT services.
- Architecture A4: you use a server to establish an external connection with a service provider’s SWIFT-related interface, application or solution.
- Architecture B: you do not use any specific SWIFT components in your environment. You access SWIFT services through an application or back-office of a service provider.
What to know for your 2024 SWIFT audit
Key steps in your SWIFT CSP audit
- Apply SWIFT CSP security controls: with the 2024 update, the security controls framework now includes 25 mandatory controls and 7 advisory controls.
- Internal audit: similar to an internal audit, it is carried out by the Audit department of your company and is independent from the body that issues the certificate of compliance with the SWIFT CSP.
- Annual audit and assessment: similar to an external audit, it is performed by a service provider such as I-TRACING, which will perform an independent SWIFT audit of compliance with the 32 controls of the SWIFT CSCP.
- Correction and reassessment: if your evaluation reveals non-compliance with any of the 25 mandatory control points, apply the necessary corrections.
- Submit annual SWIFT CSP audit attestation
- Continuous adaptation: adjust the security of your deployed SWIFT architecture to updates and new features within the framework of SWIFT CSP security controls.
News and updates in the 2024 SWIFT CSP program
- As organizations increasingly use cloud hosting and services, or even outsource their information systems, control 2.8 “Outsourced Critical Activity Protection” in the SWIFT audit has become mandatory.
- To facilitate the execution of control 2.4 “Back Office Data Flow Security” some changes have been made regarding server security, data exchange security mechanisms and network segmentation.
- Control 2.3 “System Hardening” now includes the requirements for USB port protection.
- Control 2.9 “Transaction Business Controls” now allows transaction controls to be performed outside the secure area.
- Control 7.4 “Scenario-based Risk Assessment” allows existing risk management processes to be leveraged.
Choosing a certified auditor: the guarantee for a complete SWIFT audit
Requirements to select your SWIFT audit provider
The repository of SWIFT CSP certified companies is visible to all user customers. The latter are now required to have a SWIFT CSP certified assessment carried out annually by a service provider that has at least two certified consultants.
Rely on I-TRACING for your SWIFT audit
The current SWIFT CSP certified assessment exercise started in July 2024, and our clients can benefit from our ten SWIFT CSP certified assessors. I-TRACING can run your mandatory annual assessment worldwide, thanks to our global footprint with our presence in Europe, North America and Asia (Hong Kong, Malaysia, Singapore).