SWIFT's Customer Security Controls Framework changed in a way that is easy to underrate. From the 2026 cycle, Control 7.3A no longer reads as a single annual scan. The guidance now describes a set of testing scenarios to be exercised across a rolling three-year cycle, covering the messaging interface, the secure zone and its segmentation, and the operator-workstation paths that real intrusions exploit (SWIFT 2025). The control is advisory, but for any institution that self-attests against it, the assessor will expect a coherent record of scope, method, findings and remediation, not a certificate.
That is the moment to make a choice that quietly decides your testing budget for the next three years.
The expensive way, and the excellent way
The expensive way reads each regulation as a separate job. You scope the SWIFT test narrowly, then commission a separate resilience test for the Digital Operational Resilience Act, answer New York's annual-testing rule with a third exercise, and prepare evidence for a Canadian supervisor on a fourth timetable. Four engagements, four reconnaissance phases, four remediation cycles, and four sets of evidence that do not fit together. Worse, none of the four sees your institution the way an adversary does, end to end.
The excellent way starts from a fact most teams miss: these are not four different tests. SWIFT's sharpened 7.3A guidance, DORA's threat-led penetration testing, New York's 23 NYCRR Part 500, and Canada's OSFI Guideline B-13 are four supervisory expressions of one idea. Supervisors everywhere now want intelligence-led, threat-informed testing that proves your controls work, not testing that proves they exist. Design to the most demanding of them, record the result against a shared framework, and the others fall out as a by-product.
What excellent looks like
Excellent is risk-led, not compliance-led. The penetration test is the instrument you use to find and retire your most consequential exposures, and passing the control is what happens when you do that well. Four moves make the difference.
First, scope by consequence. Inventory your SWIFT estate and rank the paths by the damage a compromise would cause, not by how easy they are to test. That is the scope a real attacker would choose, and it is the consequence-led posture both OSFI B-13 and the New York rule reward.
Second, frame with threat intelligence. Let current intelligence on the actors who target financial messaging shape the scenarios, so the test rehearses plausible intrusions rather than generic ones. This single step is what turns a penetration test into a threat-led test, and it is what makes the same exercise creditable under DORA and B-13.
Third, measure detection and response, not only findings. The point is not just the list of vulnerabilities. It is whether your own monitoring saw the test happen and whether your team contained it. That measurement is the evidence the modern frameworks actually ask for.
Fourth, file the result once. Record scope, scenarios, attack narrative, findings, remediation and detection performance against the NIST Cybersecurity Framework 2.0, a reference recognised in Europe, the United States and Canada alike, then tag it to each regime. You have not merely passed a test. You have built a reusable resilience evidence asset.
The mapping, in one line each
SWIFT 7.3A wants a scenario-based, secure-zone-aware test over three years. DORA wants intelligence-led testing at least every three years for significant entities, with NIS2 standing aside for financial firms. New York wants penetration testing at least annually, from inside and outside the boundary. OSFI B-13 wants intelligence-led, outcome-based testing for institutions with significant technology footprints. Design once to the strongest column in each, and one engagement answers all of them.
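The "file once, tag to each regime" idea above can be made mechanical. The following Python is an added example, not code from the original post and not part of any vendor's tooling: it records each exercised scenario once, tagged with the NIST CSF 2.0 functions it evidences, then checks the record set against the cadences the post states (SWIFT 7.3A's three scenario areas over a rolling three-year cycle, DORA's threat-led test at least every three years, New York's annual internal and external testing) and reports the gaps. The record shape, the field names, the sample records and the treatment of OSFI B-13 as satisfied by the same threat-led, outcome-measured evidence are assumptions made for this example, as are the NIST CSF function codes GV, ID, PR, DE, RS and RC.

```python
from dataclasses import dataclass
from datetime import date

# Scope areas and cadences follow the post; everything else here is assumed.
SWIFT_SCENARIO_AREAS = frozenset(
    {"messaging_interface", "secure_zone_segmentation", "operator_workstation"}
)
VANTAGES = frozenset({"internal", "external"})
NIST_CSF_FUNCTIONS = frozenset({"GV", "ID", "PR", "DE", "RS", "RC"})


@dataclass(frozen=True)
class TestRecord:
    """One scenario exercised in one engagement, recorded once (assumed shape)."""
    tested_on: date
    scenario_area: str        # one of SWIFT_SCENARIO_AREAS
    vantage: str              # "internal" or "external"
    threat_led: bool          # scenario shaped by current threat intelligence
    detected: bool            # did your own monitoring see the activity?
    contained: bool           # did your team contain it?
    csf_functions: frozenset  # NIST CSF 2.0 functions this evidence supports

    def __post_init__(self):
        # Reject records that cannot be tagged consistently.
        if self.scenario_area not in SWIFT_SCENARIO_AREAS:
            raise ValueError(f"unknown scenario area: {self.scenario_area}")
        if self.vantage not in VANTAGES:
            raise ValueError(f"unknown vantage: {self.vantage}")
        if not self.csf_functions <= NIST_CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function in {self.csf_functions}")


def _years_before(as_of: date, years: int) -> date:
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:  # as_of is 29 February and the target year has none
        return as_of.replace(year=as_of.year - years, day=28)


def _as_date(value) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def in_window(records, as_of, years: int):
    """Records tested within the rolling window ending at as_of (inclusive)."""
    as_of = _as_date(as_of)
    start = _years_before(as_of, years)
    return [r for r in records if start < r.tested_on <= as_of]


def assess(records, as_of) -> dict:
    """Per-regime cadence check with the concrete gaps to close."""
    three = in_window(records, as_of, 3)
    one = in_window(records, as_of, 1)
    areas = {r.scenario_area for r in three}
    vantages = {r.vantage for r in one}
    threat_led = [r for r in three if r.threat_led]
    # OSFI B-13 treatment (threat-led plus measured outcomes) is an assumption.
    outcome_measured = any(r.detected or r.contained for r in threat_led)
    return {
        "swift_7_3a": {"met": areas == SWIFT_SCENARIO_AREAS,
                       "gaps": sorted(SWIFT_SCENARIO_AREAS - areas)},
        "dora_tlpt": {"met": bool(threat_led),
                      "gaps": [] if threat_led else ["no threat-led test in three years"]},
        "ny_part_500": {"met": VANTAGES <= vantages,
                        "gaps": sorted(VANTAGES - vantages)},
        "osfi_b13": {"met": bool(threat_led) and outcome_measured,
                     "gaps": [] if threat_led and outcome_measured
                     else ["no threat-led test with measured outcomes"]},
    }


def detection_performance(records, as_of, years: int = 3) -> dict:
    """Share of in-window scenarios that monitoring saw and the team contained."""
    window = in_window(records, as_of, years)
    n = len(window)
    if n == 0:
        return {"tests": 0, "detected": 0.0, "contained": 0.0}
    return {"tests": n,
            "detected": sum(r.detected for r in window) / n,
            "contained": sum(r.contained for r in window) / n}


# Constructed sample evidence set (not real engagement data).
SAMPLE_RECORDS = [
    TestRecord(date(2024, 3, 10), "messaging_interface", "external",
               True, True, True, frozenset({"PR", "DE"})),
    TestRecord(date(2025, 2, 20), "secure_zone_segmentation", "internal",
               True, False, False, frozenset({"PR", "DE", "RS"})),
    TestRecord(date(2025, 11, 5), "operator_workstation", "internal",
               True, True, False, frozenset({"DE", "RS"})),
    TestRecord(date(2026, 1, 15), "messaging_interface", "external",
               False, True, True, frozenset({"PR", "DE"})),
]

if __name__ == "__main__":
    for as_of in ("2025-06-01", "2026-03-01"):
        print(as_of, assess(SAMPLE_RECORDS, as_of))
        print(as_of, detection_performance(SAMPLE_RECORDS, as_of))
```

Run as a script, the first date shows the typical mid-cycle position (operator-workstation scenario and external vantage still outstanding), the second shows all four regime checks met from the same records. The detection and containment rates are the evidence the post says modern frameworks actually ask for, so they travel with the cadence result rather than living in a separate report.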
Where this leaves you
If your 2026 SWIFT assessment is approaching, the question is no longer whether to run a penetration test. It is whether to run it four times or once. The institution that scopes by consequence, frames with intelligence, measures its own defences and files the evidence against a shared spine spends less and proves more.
Our SWIFT CSP assessment service scopes and runs the 7.3A test to this standard, and PenTeva validates and tracks the findings to closure so the evidence holds up under any of the four regimes. The full reasoning, with the regime-by-regime mapping and the references, is in our working paper, Test once, satisfy many.
If you would like a scoping conversation before your attestation window, talk to our assessment team.