Cybersecurity requirements from SWIFT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) operates the messaging network through which most interbank payment instructions are exchanged worldwide. SWIFT itself does not hold or move funds: it carries the authenticated messages that instruct banks to do so, which is exactly why a compromised SWIFT interface lets an attacker issue fraudulent transfers.

More than 10 billion messages are carried over the SWIFT network each year, and the figure grows every year. The entire chain, from SWIFT's own infrastructure down to each member's local SWIFT interface and the workstations of its operators, therefore has to be protected against cyber threats.

In April 2017, SWIFT released a set of security controls that applies to every SWIFT user: banks and other financial institutions as well as the service bureaux that connect on their behalf. These requirements are called the SWIFT Customer Security Controls Framework (CSCF), part of the Customer Security Programme (CSP).

In 2017, SWIFT also issued the attestation procedure: every user must confirm its compliance with the mandatory controls at least once a year (and after significant changes to its SWIFT infrastructure) through the KYC Security Attestation (KYC-SA) application on swift.com, where counterparties can consult each other's attestations. Since 2021, an attestation must be supported by an independent assessment, performed either by an independent internal function or by an external assessor.

The SWIFT requirements (CSCF) are not unique in content: they were derived from the experience of established international standards such as PCI DSS and ISO 27001, and the CSCF document itself contains an appendix mapping each control to PCI DSS, the NIST Cybersecurity Framework and ISO 27001. A bank that already holds one of these certifications can reuse much of that evidence for its SWIFT attestation.

In total, SWIFT (in CSCF v2023) defines 32 controls (24 mandatory and 8 advisory), grouped into three objectives and seven principles. Which controls are mandatory for a given user depends on its architecture type, i.e. which SWIFT components (messaging interface, communication interface, connector) the user hosts itself.

Objective #1. Secure your environment.
This objective contains 3 principles: 1) Restrict Internet access and protect critical systems from the general IT environment (the SWIFT infrastructure is placed in a separate secure zone, isolated from the rest of the bank's network). 2) Reduce the attack surface and vulnerabilities. 3) Physically secure the environment.

Objective #2. Know and limit access.
This objective contains 2 principles: 1) Prevent compromise of credentials. 2) Manage identities and segregate privileges.

Objective #3. Detect and respond.
This objective also contains 2 principles: 1) Detect anomalous activity in systems and transaction records. 2) Plan for incident response and share information about incidents with the SWIFT user community.

Summary of the SWIFT requirements (CSCF):
● Use of firewalls to separate the SWIFT secure zone from other banking systems and to restrict which hosts and ports may communicate with it.
● Least privilege for both system administrators and ordinary users: every action is performed within defined roles, privileged accounts are kept separate from day-to-day accounts, and significant changes to the IT infrastructure are recorded.
● Encryption of critical data in transit over the network, including between the bank's own components.
● Secure configuration (hardening) of all systems in the secure zone in line with vendor recommendations, and timely installation of security updates.
● Strict password policy and multi-factor authentication for access to SWIFT-related systems and applications.
● Integrity monitoring of software and databases of the SWIFT interface, so that tampering with binaries, configuration or transaction records is detected.
● Malware protection on systems in the secure zone and on operator PCs.
● Network and system security, including physical security of the secure zone and of hardware tokens.
● Logging and detection of incidents and anomalies in IT systems and in message flows (e.g. transactions outside business hours or to unusual counterparties).
● Regular vulnerability scanning and penetration testing.
● Incident response procedures, including notification of SWIFT and of counterparties.
● Staff training and awareness, so that operators recognise phishing and social engineering aimed at the SWIFT environment.
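As an illustration of the software-integrity requirement in the list above, here is an added example (written for this page, not SWIFT's own tooling and not the integrity checks shipped with the Alliance products): a baseline of SHA-256 hashes is taken from a directory tree, persisted as JSON, and later compared against the live tree to report modified, missing and unexpected files. The directory names and file contents are constructed for the demonstration.

```python
"""File-integrity baseline and verification (added example, hypothetical tree)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with a stored baseline and classify every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a messaging interface's binaries and configuration.
        (root / "bin").mkdir()
        (root / "bin" / "gateway").write_bytes(b"\x7fELF constructed binary")
        (root / "conf").mkdir()
        (root / "conf" / "routing.cfg").write_text("route=primary\n")

        # Persist the baseline as JSON; in production it is stored off-host and signed.
        baseline_json = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated tampering: a config edit, a deleted binary and a planted file.
        (root / "conf" / "routing.cfg").write_text("route=attacker\n")
        (root / "bin" / "gateway").unlink()
        (root / "bin" / "backdoor").write_bytes(b"planted")

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: an attacker who can replace binaries on the host can also rewrite a baseline kept on the same host, so the JSON must live on a separate system or read-only medium and should be signed (or at least HMAC'd with a key the host does not hold). Verification should run on a schedule and its result should feed the same monitoring that covers the other detection controls.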

Implementing any of these requirements can be challenging, since each bank has its own network layout, architecture type and organisational structure, and the controls have to be mapped onto that reality rather than applied as a checklist.

For many years, the IT Specialist consultants have been building information security systems in banks to the requirements of international standards and financial regulators.
We will help your bank meet all SWIFT requirements quickly and reliably.
Representatives of your bank are welcome to receive a no-cost consultation.
