SWIFT Customer Security Controls Framework
The mandatory and advisory security controls that SWIFT users must implement and self-attest against each year.
What SWIFT CSCF actually is.
The CSCF sets security expectations for every SWIFT user across three objectives - secure your environment, know and limit access, and detect and respond. Users self-attest annually against mandatory controls; compliance is independently assessed on a risk-tiered rhythm. Non-compliance with mandatory controls can be reported to regulators and trigger counterparty de-risking. The framework is revised each year; customers attest against the version active at the attestation date.
It applies to all SWIFT-connected entities - banks, payment institutions, central securities depositories and qualifying intermediaries.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01 - Restrict internet access: segregate the SWIFT environment from the general IT estate and restrict its internet access.
02 - Reduce attack surface: harden and patch systems hosting or supporting SWIFT, including operator PCs.
03 - Physically secure the environment: prevent physical tampering with SWIFT-related assets.
04 - Prevent compromise of credentials: MFA, password policy, least privilege and privileged-access controls.
05 - Detect anomalies and respond: monitor, log and alert on SWIFT-related activity, and maintain a documented incident response plan.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
SWIFT Customer Security Controls Framework
swift.com/myswift/customer-security-programme-csp
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against SWIFT CSCF.
Assessment, engineering and operational services that line up with the framework's control areas.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
ISO 27001 Compliance & Audits
Implement, certify and maintain the international standard for information security management - end-to-end across the three-year cycle.
Where SWIFT CSCF shows up.
Sectors where Vectra most commonly applies this framework. Click through for the industry-specific program view.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.