SWIFT CSCFv2025 - The Three Most Important Questions About the Update

12 September 2024

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an organization's SWIFT infrastructure and systems is examined in detail to ensure adequate protection against potential security risks and vulnerabilities.

Recently, an update of the framework, namely CSCFv2025, was published. Tobias Weber, Managing Security Consultant at usd AG and auditor of several international security standards, took a closer look at the new framework for us:

Tobias, when will the new framework be applicable?

The frameworks are typically published in the summer of each year, but are not applicable until the following year. So all assessments from July 2025 onwards will be based on the CSCFv2025. SWIFT Assessments conducted in 2024 will be audited against the framework v2024 published last year. SWIFT is thus creating a transition phase of 1 year for the companies.

My personal tip for my customers: The timely release of the future frameworks allows us as auditors to include the upcoming requirements in this year's assessment.

You have had a look at the new framework. What changes should I be aware of?

In brief: CSCFv2025 does not contain any major changes. The update mainly consists of minor adjustments and clarifications, e.g. with regard to the scope of individual controls.

Contrary to expectations, no further advisory control was raised to “mandatory”. According to SWIFT, the requirement level should remain stable after having been continuously raised in recent years.

Does this mean that affected companies will not need to make any significant changes for 2025?

From this perspective, no. It should be noted that the transition phase for Control 2.4A (Back Office Data Flow Security) continues with this update. Further developments are scheduled for the v2026 framework. However, I recommend preparing for this ahead of time, as bridging servers and new direct data flows between the secure zone and back-office first hop must then also be protected. From v2028, this will also be extended to legacy flows.


Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.
