What is SWIFT Security Control 2.8: Outsourced Critical Activity Protection?

Financial institutions involved in international transactions must comply with the security requirements set forth by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), otherwise known as its Customer Security Programme (CSP), which aims to better secure the global financial community against cyber threats. One part of the Programme is the SWIFT Customer Security Controls Framework (CSCF), which was updated in 2024 and now mandates controls around the protection of outsourced critical activity.

As organizations beholden to the SWIFT CSP will need to comply with this—and other new controls—you’ll need a thorough understanding of the new mandates. Being SWIFT CSP assessors that often perform the requisite independent evaluations for organizations that need them, we’re very familiar with the requirements, so we can help.

In this article, we will highlight some of the key components of this newly promoted control and its importance in supporting your organization’s SWIFT infrastructure resiliency against threats originating from activities provided by third parties.

How to Comply with SWIFT’s Requirements Regarding Outsourced Critical Activity

Before we begin, let’s first establish that by “outsourced critical activity,” SWIFT refers to your third parties—also known as “outsourced agents.” Going forward, we’ll use both terms interchangeably.

Concerns about third parties have grown alongside the trend of outsourcing critical organizational information technology, information security, and development activities. Clearly, the risks are now at a point where SWIFT has chosen to promote this control from advisory to mandatory. Now, SWIFT requires that all SWIFT network users be held responsible for their third parties’ compliance with the CSCF.

The idea is to better ensure that the security of your outsourced critical activities is maintained at a level equivalent to that of SWIFT network users. To help achieve this, the newly required control can be broken down into four key steps.

1. Identification of Critical Activities

Compliance with this control will start with each SWIFT network user conducting a thorough exercise to identify all activities outsourced to a third party—only then can you determine and understand if the activities are critical as they relate to the SWIFT infrastructure.

(An exemplary listing of those critical activities is provided within the control context in the current version of the CSCF.)

2. Determination of Third-Party Compliance with Other Relevant Standards

Once you’ve identified the critical third parties, SWIFT network users must determine whether each one is covered by either:

Why is this important? Because if the third party has been assessed under one or more of these SWIFT programs, it may be possible to rely upon their registration for the security controls that fall within the outsourced agent’s responsibility.

3. Evaluation of Third-Party Compliance with SWIFT Requirements

That being said, in the cases where you’ve outsourced critical activities to an agent that is not registered with either of the SWIFT programs listed above, SWIFT network users are responsible for ensuring that the outsourced agent provides reasonable comfort of compliance with the portions of the CSCF for which they have responsibility.

You can achieve this “reasonable comfort of compliance” in one of three ways:

  • Providing reports for your outsourced agents’ previously completed security attestations or assessments alongside your SWIFT independent assessment;
  • Including the outsourced agent in your SWIFT independent assessment; or
  • Having each outsourced agent provide a copy of their independent assessment report and completion letter.

All this being said, SWIFT network users will remain responsible for and must still attest to the security of their infrastructure, regardless of whether it’s outsourced or not—i.e., you won’t have the option to check “Not Applicable” in your SWIFT KYC-SA attestation should that control be outsourced to someone else. Ultimately, SWIFT network users must implement the necessary controls to support secure data flows between themselves and each third party.

4. Due Diligence and Contracting

Whether your outsourced agents demonstrate compliance through the SWIFT program to which they are registered or directly against the CSCF, you’ll also need to monitor each one continuously to ensure they maintain that compliance.

And aside from confirming the real-time and ongoing satisfaction of the relevant requirements by your third parties, SWIFT network users must also establish formal agreements with their outsourced agents. These formal agreements must contain Service Level Agreements (SLAs) that define the standard of care required and the third party’s cybersecurity obligations—including compliance and incident notification—as well as a non-disclosure agreement (NDA).

You should also include a contractual obligation compelling each outsourced agent to undergo a risk assessment prior to the signing of any document so that you can assess their cybersecurity posture. Once that’s done, you should continue to have their risks assessed regularly.

Next Steps for Your SWIFT Independent Assessment

Compliance with SWIFT CSCF control 2.8 is now mandatory for all SWIFT architecture types and will be a mandatory component of your independent assessment starting in 2024. Though we’ve provided some insight here, you can find further guidance in satisfying this control within the Outsourced Agents Security Baseline.

Once you’ve made the necessary implementations and changes to comply with control 2.8 and the other updates within the 2024 version of the CSCF, your organization will be ready to move forward with engaging an assessor to conduct your independent assessment, and Schellman may be the right fit for you.

To find out—and learn more about our methodology and credentials—contact us today.

About Jon Anderson

Jon Anderson is a Senior Associate with Schellman. Prior to joining Schellman, Jon spent 12 years as a systems administrator, and has held roles in cybersecurity risk management with regional banking entities and insurance firms, conducting both third-party and application assessments as a component of enterprise risk management. Jon holds multiple industry certifications including Certified Information Systems Security Professional, ISO 27001 Lead Auditor, Payment Card Industry Professional, Payment Card Industry Qualified Security Assessor, and Payment Application Qualified Security Assessor. Jon’s primary focus areas are cybersecurity assessments and PCI DSS compliance for organizations across various industries.