SWIFT Customer Security Programme (CSP) Compliance Solutions

Monitor insider activity. Detect anomalies. Respond to incidents. ALL-IN-ONE

Access the Demo Portal Get in Touch

The SWIFT Customer Security Programme (CSP) aims to enhance the security of interactions within the SWIFT network and protect financial entities against cyber threats and fraud.

Meeting SWIFT CSP requirements can help your organization improve overall cybersecurity resilience, avoid fines and penalties, and emphasize reliability to customers.

Benefits of using Syteca for SWIFT CSP compliance

Enhance organizational security

Detect insider threats

Avoid fines and lawsuits

Secure access to financial data

Prevent data breaches

Promptly respond to incidents

Who does SWIFT CSP apply to?

SWIFT CSP applies to financial institutions and organizations that use SWIFT services
for financial messaging and transactions:

Banks

Credit unions

Securities firms

Corporate treasuries

Payment processors

Financial service providers

Key objectives of SWIFT CSP

SWIFT CSP incorporates the Customer Security Controls Framework (CSCF) that defines the security controls and guidelines financial institutions need to implement to secure their SWIFT-related operations. SWIFT CSCF translates 24 mandatory and 8 advisory security controls into the following objectives:

Restrict internet access and protect critical systems from general IT environment
Reduce attack surface and vulnerabilities
Physically secure the environment

Prevent compromise of credentials
Manage identities and separate privileges

Detect anomalous activity to systems or transaction records
Plan for incident response and information sharing

Comply with SWIFT CSP using Syteca

Syteca is a universal insider risk management platform designed to deter, detect, and disrupt human-related threats in your IT environment. Ensure secure SWIFT infrastructure management, meet most SWIFT CSP requirements, and protect your organization’s sensitive assets by deploying Syteca. Here’s how:

Detailed mapping of SWIFT CSP security controls to Syteca features

Know and limit access

Security control required by SWIFT CSP

Corresponding Syteca functionality

Security control required by SWIFT CSP

1.1 SWIFT environment protection

MANDATORY

Ensure protection of the user’s SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

Corresponding Syteca functionality

Protect the SWIFT secure zone by setting up a jump server and providing access to it only to trusted administrators (see Architecture type A).
Ensure visibility and detect cybersecurity risks in your secure zone with continuous user activity monitoring.
Granularly manage user access, monitor privileged user activity, and respond to threats inside your SWIFT environment.

Security control required by SWIFT CSP

1.2 Operating system privileged account control

MANDATORY

Restrict and control the allocation and use of administrator-level operating system accounts.

Corresponding Syteca functionality

Use Syteca’s secondary authentication feature to identify and provide access to users of shared accounts, such as built-in admin accounts.
Avoid use of built-in accounts by providing privileged users with temporary access permissions and logins with mandatory manual approval from a security officer.
Monitor user activity within the secure zone to control all administrator-level activity, including sudo commands and executed scripts.

Security control required by SWIFT CSP

1.3 Virtualization or cloud platform protection

MANDATORY

Secure virtualization or cloud platform and virtual machines (VMs) that host SWIFT-related components at the same level as physical systems.

Corresponding Syteca functionality

Secure SWIFT-related components hosted on a virtual platform by deploying Syteca, which supports VMware Horizon, Microsoft Hyper-V, Citrix, Amazon WorkSpaces, AWS (Amazon Web Services), and Windows Virtual Desktops.
Simplify the deployment of Syteca in your virtual environment by integrating it into the VM’s golden image and configuring flexible floating licensing.

Security control required by SWIFT CSP

1.4 Restriction of internet access

MANDATORY

Control/protect internet access from operator PCs and systems within the secure zone.

Corresponding Syteca functionality

Use Syteca’s PAM module to configure access to resources via a jump server that has no internet access.
Leverage Syteca Connection Manager to replace the Windows Shell so that users won’t be able to access the internet.

Security control required by SWIFT CSP

1.5 Customer environment protection

MANDATORY

Ensure the protection of the customer’s connectivity infrastructure from an external environment and potentially compromised elements of the general IT environment.

Corresponding Syteca functionality

Protect the customer environment by providing user access with the help of Syteca Connection Manager.

Security control required by SWIFT CSP

2.1 Internal data flow security

MANDATORY

Ensure the confidentiality, integrity, and authenticity of application data flows between a user’s SWIFT-related components.

Corresponding Syteca functionality

Oversee data interactions and detect signs of potential data mishandling by monitoring and recording user activity in your IT environment.
Reduce the risk of unauthorized access and data manipulation by implementing Syteca’s strong access controls and authentication mechanisms.

Security control required by SWIFT CSP

2.6 Operator session confidentiality and integrity

MANDATORY

Protect the confidentiality and integrity of interactive operator sessions connecting to SWIFT infrastructure.

Corresponding Syteca functionality

Capture user activity inside operator sessions while ensuring complete confidentiality of personally identifiable information with monitored data anonymization.
Safeguard session data from unauthorized access or manipulation with Syteca’s access management capabilities, encryption, and tamper-proof audit trails.

Security control required by SWIFT CSP

2.8 Outsourced critical activity protection

MANDATORY

Ensure the protection of local SWIFT infrastructure from risks related to outsourcing of critical activities.

Corresponding Syteca functionality

Grant secure third-party access inside the secure zone without revealing credentials.
Provide third parties with one-time passwords and limit their user session time in your IT infrastructure.
Set up mandatory manual login approval from a security officer with subsequent real-time video supervision of third-party activity.

Security control required by SWIFT CSP

2.9 Transaction business controls

MANDATORY

Ensure outbound transaction activity within the expected bounds of normal business.

Corresponding Syteca functionality

Leverage user activity monitoring and access management to limit user access to specific parts of the system, ensuring that only authorized individuals can conduct business with approved entities.
Detect deviations from established policies with Syteca’s alert and incident response functionality.

Know and limit access

Security control required by SWIFT CSP

Corresponding Syteca functionality

Security control required by SWIFT CSP

4.2 Multi-factor authentication

MANDATORY

Prevent compromise of a single authentication factor allowing access to SWIFT systems by implementing multi-factor authentication.

Corresponding Syteca functionality

Secure user accounts by verifying user identities with Syteca’s two-factor authentication (2FA) feature.

Security control required by SWIFT CSP

5.1 Logical access control

MANDATORY

Enforce security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.

Corresponding Syteca functionality

Enforce the principle of least privilege and segregation of duties by leveraging Syteca’s privileged access management (PAM) capabilities.
Use Syteca’s password management features to provide users with one-time access, limit their session time, and automate credential provisioning.
Set up a request and approval workflow to granularly manage access permissions.
Integrate Syteca with your ticketing system to provide purpose-based access.

Security control required by SWIFT CSP

5.1 Password repository protection

MANDATORY

Physically and logically protect the repository of recorded passwords.

Corresponding Syteca functionality

Secure your passwords by storing them in Syteca’s encrypted password vault.
Authenticate users without revealing credentials to them.
Rotate account credentials automatically without users’ involvement.

Detect and respond

Security control required by SWIFT CSP

Corresponding Syteca functionality

Security control required by SWIFT CSP

6.4 Logging and monitoring

MANDATORY

Record security events and detect anomalous actions and operations within the local SWIFT environment.

Corresponding Syteca functionality

Monitor user activity and watch live and recorded user sessions inside your local SWIFT environment.
Log user sessions in a searchable screenshot format indexed with multilayer metadata, including names of launched applications, visited URLs, entered commands, and typed keystrokes.
Collect encrypted logs of all changes in Syteca configurations to increase accountability of your system administrators.

Security control required by SWIFT CSP

6.5A Intrusion detection

ADVISORY

Detect and contain anomalous network activity within the on-premises or remote SWIFT environment.

Corresponding Syteca functionality

Get real-time notifications on security events with the help of Syteca’s customizable user activity alerts.
Leverage Syteca’s AI-powered user and entity behavior analytics (UEBA) module to automatically detect anomalous user behavior such as logging into the system outside of work hours.

Security control required by SWIFT CSP

7.1 Cyber incident response planning

MANDATORY

Ensure a consistent and effective approach to managing cyber incidents.

Corresponding Syteca functionality

Ensure a prompt response to detected threats and security incidents by blocking users, restricting forbidden USB devices, and killing suspicious processes.
Gather all security-related information in one place by integrating Syteca with your SIEM and ticketing system.
Streamline your incident management with Syteca’s reporting and incident investigation capabilities.
Export user sessions in a protected format for forensic examination purposes.

Security control required by SWIFT CSP

7.2 Security training and awareness

MANDATORY

Ensure all staff are aware of and fulfill their security responsibilities by performing regular security training and awareness activities.

Corresponding Syteca functionality

Support your security training by demonstrating data collected by Syteca in the form of educational videos.
Help users develop good cybersecurity habits by displaying warning notifications in response to forbidden actions.
Oversee how your employees have learned training materials by monitoring their behavior.

Security control required by SWIFT CSP

7.4A Scenario-based risk assessment

ADVISORY

Evaluate the organization’s risk and readiness based on plausible cyber attack scenarios.

Corresponding Syteca functionality

Conduct security audits to assess the effectiveness of your organization’s security measures against different cyber attack scenarios and identify potential vulnerabilities.

Deployment schemes

Architecture Type A: SWIFT Infrastructure within User Location

Architecture Type B: SWIFT Infrastructure outside User Location

Why Syteca?

Easy maintenance and deployment

Flexible licensing

Enterprise-ready

24/7 support from in-house team

Lightweight software agent

Highly optimized data storage formats

Complete server and desktop OS support

Privacy protection with user data anonymization

FAQ

SWIFT CSP, or SWIFT Customer Security Programme, is a comprehensive cybersecurity framework developed to enhance the security practices of financial organizations using SWIFT transactions. SWIFT CSP incorporates the Customer Security Controls Framework (CSCF), which establishes security controls and guidelines for financial institutions to protect against cyber threats. SWIFT CSP also includes guidelines and self-attestation requirements to mitigate cybersecurity risks within the SWIFT network.

Non-compliance with SWIFT CSP can have negative consequences for a financial organization, including reputational damage, legal liabilities, and even fines. The SWIFT Customer Security Programme itself can’t impose financial penalties on organizations. However, failure to secure sensitive financial data may result in fines and penalties imposed by other cybersecurity laws and regulations for the financial sector. In some severe cases of non-compliance, SWIFT may suspend an organization’s ability to conduct international financial transactions using the SWIFT network.

One of the most common challenges with meeting the requirements of SWIFT CSP is allocating the necessary resources. Finding financial, technological, and human resources and justifying them to the board can be difficult. Implementing the necessary cybersecurity measures described by SWIFT may require significant investments. It may also be challenging to track and understand the specific controls SWIFT CSP requires. Hiring external SWIFT CSP consultancy services and implementing all-in-one cybersecurity solutions like Syteca can help your organization cover the majority of requirements.

Since 2022, SWIFT requires organizations to support their self-assessments with SWIFT independent assessments. An independent external assessor should evaluate your financial institution’s compliance with SWIFT CSP requirements. Your organization can choose from a list of approved SWIFT CSP auditors or select your own assessor. Performed annually, the SWIFT CSP audit includes making an on-site assessment of your cybersecurity controls, conducting a compliance gap analysis, and compiling a detailed assessment report. Based on this report, your organization creates an action plan to address any gaps between your organization’s security measures and controls required by SWIFT CSP. Once your independent audit is finished, you provide a summary of the assessment and your remediation efforts to SWIFT.

Yes. SWIFT Customer Security Controls Framework requires organizations to restrict internet access and create a SWIFT secure zone to protect SWIFT-related critical systems from the general IT environment. It’s a segregated environment with only necessary payment systems and software that are protected by firewalls. Another essential measure enforced by SWIFT CSP is implementing identity and access management controls, including two-factor authentication, to ensure the principle of least privilege. Finally, SWIFT CSP requires financial organizations to implement security measures such as continuous user activity monitoring and robust threat detection to be able to promptly identify and respond to security threats. Syteca‘s robust insider risk management functionality can help your organization implement most SWIFT security requirements and secure sensitive financial data.

Meet other IT security requirements with Syteca

NISPOM Change 2 and H.R. 666

Let’s get the conversation started

Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.