The security of financial transactions is non-negotiable – and financial institutions operating within SWIFT and SNB SIC must continuously strengthen their cybersecurity measures to meet evolving compliance standards. While no major updates to the SWIFT CSP have been announced for 2025, some adjustments to the SIC EPS framework, including a new mandatory control, have been announced. How can organisations stay ahead and streamline their attestation process?
In an increasingly complex and evolving cyber threat landscape, the security of financial transactions remains a top priority for financial institutions worldwide. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) plays a crucial role in ensuring secure global payment services, and its Customer Security Programme (SWIFT CSP) is a key measure in the fight against cyber threats. Over the past years, SWIFT has continuously strengthened its security framework by adding more mandatory controls, thus tightening compliance requirements for SWIFT participants. This requires financial institutions to regularly update their cybersecurity measures.
In Switzerland, the Swiss National Bank (SNB) has taken additional steps to reinforce cybersecurity within the Swiss Interbank Clearing (SIC) system. In 2022, the SNB introduced the Endpoint Security Framework (EPS), which aims to establish a baseline of cybersecurity controls for all participants in the SIC system. The framework ensures that financial institutions operating within the Swiss payment infrastructure meet fundamental security requirements, reducing vulnerabilities and increasing the overall resilience of the financial ecosystem. As part of this initiative, the first independent attestation of SIC EPS compliance took place in 2024, marking a significant milestone in the adoption of enhanced security measures.
Looking ahead to the 2025 assessment cycle, preparation remains key. In contrast to previous years, however, no major changes are expected for the SWIFT CSP, as no new mandatory controls have been announced. This provides a certain level of stability for institutions that have already aligned with the latest security requirements. Nevertheless, some adjustments have been made to the evaluation of the SWIFT architecture type, especially regarding architecture type B. As a result, institutions may need to re-assess their type and potentially switch from architecture type B to type A4, with the resulting consequences.
Meanwhile, the Swiss National Bank published its updates to the SIC EPS framework for 2025 in November 2024. There have not been any significant changes to the 2024 requirements catalogue, apart from clarifications and re-arrangements. However, institutions should take note of the status change of control 7.3.2 “Third-party risk management” from “recommended” to “mandatory”, with all the associated consequences. Institutions should therefore carefully assess these new requirements and take proactive steps to ensure compliance.
Navigating the requirements of SWIFT CSP and SIC EPS can be a complex process, especially as financial institutions must ensure continuous compliance while adapting to evolving cybersecurity threats. Since 2019, we have been supporting clients as an independent assessor for SWIFT CSP, and in 2024, we expanded our services to include SIC EPS assessments. Our expertise spans various industries, with a strong focus on the financial sector, ensuring that organisations meet the necessary security standards efficiently and effectively.
Our services include ISAE 3000 control reports, which provide organisations with a structured and independent assessment of their security controls. These reports serve as the basis for demonstrating compliance with both the SWIFT CSP and SIC EPS requirements. In addition, we issue completion letters, which can be submitted directly to SWIFT and the SNB as official proof of the executed external assessments.
To further streamline the compliance process, both SWIFT CSP and SIC EPS offer the option to conduct delta assessments every second year. This approach allows institutions to build on the previous year’s assessment results, significantly reducing costs and effort, while maintaining compliance with security standards.
To ensure a smooth attestation process, organisations should be aware of the key steps in the assessment timeline. The attestation process for both SWIFT CSP and SIC EPS typically starts in July, with initial evaluation results available by early September. While the SIC EPS attestation could already be started at the beginning of the year, we highly recommend conducting the two attestations at the same time, so that the attestation work performed for one can be leveraged for the other.
Institutions then have the opportunity to implement any necessary remediation actions before submitting their final attestation. The final deadline for completion is at the end of December, so it is critical that organisations plan and execute their assessments in a timely manner.
Given the importance of cybersecurity and the need to meet SWIFT and SIC requirements, prioritising this topic is essential. A trusted third party can ensure a seamless and effective attestation process, allowing organisations to focus on strengthening cybersecurity rather than facing last-minute compliance hurdles. This improves assurance, benchmarking, and overall compliance efficiency – helping companies stay ahead in an increasingly complex cybersecurity landscape.
Michael Meier
Bruno Caviezel