Beyond compliance: why Swift CSP should be a continuous discipline

Annual attestation tells you the controls existed on a given day. It doesn't tell you what they're doing three months later. Why treating Swift CSP as an annual project is the wrong approach - and what continuous compliance really means for Swift-connected organisations.

Natasha Scott 4 min read

Annual attestation proves the controls existed on a given day. The more interesting question is what they're doing in the three months that follow.

For many Swift-connected organisations, the Customer Security Programme (CSP) has settled into a comfortable annual rhythm:

  • Scope the environment
  • Run the assessment
  • Close the gaps
  • Submit the attestation
  • Move on

It's a rhythm that works, until it doesn't.

The Customer Security Controls Framework (CSCF) was never built as an annual exercise. Read carefully, it describes the security posture a Swift user is expected to maintain across the infrastructure supporting their Swift activity - and the verb matters. Maintenance implies ongoing effort. Demonstration implies a moment in time. The two are often confused, and the difference shows up in almost every breach analysis we've ever read.

The gap between attestation and operational reality

An attestation is a snapshot. It confirms that on the day of the assessment, the organisation could evidence compliance with the mandatory controls applicable to its architecture type. What it does not confirm - and was never designed to confirm - is whether those same controls were still working the following Tuesday.

A lot can change on a Tuesday.

Environments shift. Engineers leave. New joiners pick up access they shouldn't keep. Privileged accounts proliferate. Logging pipelines break in the dull, unglamorous way logging pipelines tend to - a syslog forwarder pointed at the wrong destination, with nobody watching the dashboard because nobody owns the dashboard. Patches get deferred for sensible-sounding reasons that nobody revisits. A control that sailed through assessment in March can slide out of effectiveness by July without anyone in the room realising, until either next year's assessor finds it or, more awkwardly, somebody else does.

The CSCF itself anticipates this. The control descriptions use “continuous” language everywhere: ongoing monitoring, anomaly detection, integrity checking, regular access review. Swift built the framework knowing that attackers don't work around the assessment calendar. But the way most organisations operationalise CSP doesn't reflect that. The framework gets treated as a compliance artefact when it's really a description of how the environment should actually behave on any given day.

The cost of treating CSP as an annual event

When CSP gets bolted on rather than baked in, three things tend to happen.

1. The evidence becomes performative. Teams spend the weeks before an assessment producing screenshots, policy extracts, configuration dumps and meeting minutes. Almost all of it is real, in the sense that the controls exist. But the evidence reflects what was assembled for the assessor, not what was being observed by the operator throughout the year. There's a difference, and experienced assessors can usually spot it.

2. Remediation becomes reactive. Gaps surface during the assessment window, which is also the worst possible time to fix them. The pressure to attest before 31 December collides with the cost of meaningful remediation, and organisations end up closing gaps tactically - patching the symptom, while ignoring the underlying condition. The same gap often reappears the following year, dressed slightly differently.

3. The environment around the Swift connection ends up under-protected. This is the one that matters most. CSCF scope covers the operator workstations, the segmented network zones, the privileged access pathways, the data exchange layer - the infrastructure surrounding the Swift connection itself. That infrastructure is also exactly what an attacker who has identified the organisation as Swift-connected will go after. Securing it well enough for an assessor in October is a different bar from securing it well enough to withstand a determined intrusion in February.

What "continuous CSP" really means

The shift, when organisations make it, is less a technical change than a change of orientation.

It means having comprehensive visibility into whether the controls are working, today, rather than reconstructing whether they were working at the time of the last attestation. It means treating the Swift-adjacent estate - operator endpoints, segmented zones, and identity pathways - with the same detection and response rigour applied to the rest of the business, because that's where the threat is. And it means the annual independent assessment stops being the entire programme. It becomes the moment you confirm something you already knew.

The technical work is largely the same, but the orientation is different. And the difference is most obvious during the months when nobody is watching.
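What "are the controls working today?" looks like when it is actually checked, rather than reconstructed for an assessor, is worth showing concretely. The following is an added example and is not code from the original article or from Talanos. It assumes two inputs a monitoring team usually already has: a table of log-source heartbeats (the last event received from each forwarder, so a forwarder pointed at the wrong destination shows up as a growing gap rather than an error) and an export of privileged accounts with owner status and last access review date. The zone labels, thresholds, field names and sample records are all constructed for illustration.

```python
"""Continuous control checks over constructed evidence (added example, not
the article's or Talanos' own code). Two of the drift modes the text
describes - a logging pipeline going quiet unnoticed, and privileged
access outliving its owner or its review cycle - are turned into daily
pass/fail checks rather than annual evidence gathering."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LogSource:
    name: str
    zone: str            # assumed zone label, e.g. "swift-secure-zone"
    last_event: datetime  # last event the collector received from this source


@dataclass(frozen=True)
class PrivilegedAccount:
    account: str
    owner: str
    owner_active: bool   # False once HR records the owner as having left
    last_review: datetime


# Constructed sample data. "now" is pinned so the example is reproducible.
NOW = datetime(2024, 7, 9, 9, 0, tzinfo=timezone.utc)

LOG_SOURCES = [
    LogSource("fw-swift-zone-01", "swift-secure-zone", NOW - timedelta(minutes=3)),
    LogSource("jump-host-01",     "swift-secure-zone", NOW - timedelta(hours=38)),
    LogSource("saa-app-01",       "swift-secure-zone", NOW - timedelta(minutes=1)),
    LogSource("erp-db-01",        "corporate",         NOW - timedelta(hours=2)),
]

PRIV_ACCOUNTS = [
    PrivilegedAccount("swift-ops-admin", "a.patel", True,  NOW - timedelta(days=40)),
    PrivilegedAccount("jump-root",       "j.smith", False, NOW - timedelta(days=60)),
    PrivilegedAccount("saa-dbadmin",     "m.okoro", True,  NOW - timedelta(days=200)),
]


def silent_sources(sources, now, max_gap, zones=("swift-secure-zone",)):
    """Return (name, hours_silent) for in-scope sources whose last received
    event is older than max_gap. Sources outside the listed zones are ignored
    so the check reports on the Swift-adjacent estate, not the whole business."""
    out = []
    for s in sources:
        if s.zone not in zones:
            continue
        gap = now - s.last_event
        if gap > max_gap:
            out.append((s.name, round(gap.total_seconds() / 3600, 1)))
    return out


def access_findings(accounts, now, review_every):
    """Return (account, reason) for privileged accounts that should not still
    be live as-is: the owner has left, or the periodic review is overdue."""
    out = []
    for a in accounts:
        if not a.owner_active:
            out.append((a.account, "owner has left"))
        elif now - a.last_review > review_every:
            days = (now - a.last_review).days
            out.append((a.account, f"access review overdue ({days} days)"))
    return out


def control_status(sources, accounts, now):
    """Aggregate into a per-control pass/fail with supporting findings.
    Thresholds (24h of silence, 90-day review cycle) are assumed values."""
    silent = silent_sources(sources, now, max_gap=timedelta(hours=24))
    access = access_findings(accounts, now, review_every=timedelta(days=90))
    return {
        "logging": {"ok": not silent, "findings": silent},
        "privileged_access": {"ok": not access, "findings": access},
    }


if __name__ == "__main__":
    for control, result in control_status(LOG_SOURCES, PRIV_ACCOUNTS, NOW).items():
        print(f"{control}: {'OK' if result['ok'] else 'FAIL'}")
        for name, detail in result["findings"]:
            print(f"  - {name}: {detail}")
```

Run on the constructed data, the logging check fails on the jump host that has been silent for 38 hours while the firewall and application sources look healthy, and the privileged-access check fails on an account whose owner has left and one whose review is 200 days old. The point of the design is that the same two functions can run every morning against live exports; the output is the evidence, and the annual assessment then confirms what the daily run has already been showing.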

How we approach it

Talanos Cybersecurity provides cyber security services related to the Swift Customer Security Programme. We perform community-standard independent assessments aligned to Swift's Independent Assessment Process Guidelines, and the engagement concludes with an independent assurance letter issued on Talanos letterhead. This is the document your team uploads to KYC-SA alongside the attestation. Talanos Cybersecurity Limited is included in Swift's Directory of cyber security service providers for selected regions across Europe, Africa and Asia-Pacific.

But the assessment is only the part that's visible from outside. The work that makes the attestation defensible - and the environment genuinely more resilient - happens in the months on either side of it. CSCF gap assessment and remediation planning sets the baseline. Identity, access management, privileged access and cloud security services close the structural gaps that produce repeat findings. Our 24/7 managed SOC, MDR and detection capabilities monitor the environment between assessments, so the controls evidenced in autumn are still working in February.

Cyber resilience for Swift-connected organisations isn't a one-off project. It's a year-round operational discipline, and the firms that treat it that way carry materially less risk than those who don’t.

Learn more about our Swift CSP cyber security support.

SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.
