BSP to upgrade cyber risk management framework
THE BANGKO SENTRAL ng Pilipinas (BSP) will scale up guidelines on cybersecurity by imposing standards on data encryption and elevating these issues as a board-level concern, the incoming central bank chief said, with draft rules expected to be released in July.
BSP Deputy Governor Nestor A. Espenilla, Jr. said upgrades to the existing cyber risk management framework are currently under industry consultations.
“By next month, we are also set to issue the enhanced guidelines on information security... The amendments present a holistic framework on information security management,” the incoming central bank governor said during his speech at a forum hosted by the Financial Executives Institute of the Philippines yesterday at the Dusit Thani Hotel in Makati.
“Likewise, the BSP’s supervisory expectations on the role of board and senior management in the information security risk management framework are further clarified and enhanced to cover information security governance and security culture.”
These changes will raise the standards provided under BSP Circular 808 issued in 2013, which is the first set of guidelines on information technology risk management released by the regulator.
Mr. Espenilla said the new rules seek to promote a “risk-based approach” to cybersecurity, as it prods banks and financial entities to make use of digital channels to broaden access to services while also ensuring that data breaches would not compromise consumer experience and balances.
“It covers not just cybersecurity but even the use of cloud computing. Similar to Circular 808, it’s an upgrade IT risk management framework. It enables the use of newer technology for creating business, but at the same time, it also upgrades cybersecurity standards, including encryption standards,” Mr. Espenilla also told reporters on the sidelines of the event.
These updated guidelines are a significant response to “growing” concern over cyber-attacks, weighed against the pursuit of crafting new financial products to make customer experience more efficient.
“Out of the blue, a cyber-threat can happen. As recent events have shown, they have a very uncomfortable way of escalating very rapidly… we have no choice but to deal with that reality,” the BSP official said. “While the BSP enforces regulations promoting safety and security, we also need to be careful not to stifle the industry’s quest in developing new products and services.”
These changes come after several banks faced technology-related troubles earlier this month, which Mr. Espenilla said caused a “reputational” blow to these lenders, although their sound profiles and solid capitalization remain intact.
Some 1.5 million customers of the Bank of the Philippine Islands saw incorrect account balances between June 7-8, while Security Bank Corp. disclosed late postings of transactions last week. At least 95 clients of BDO Unibank, Inc. also reported unauthorized transactions after card skimming cases.
During the forum, cybersecurity experts flagged that various cyber-threats are picking up speed, with emerging trends in online fraud, e-mail phishing (where scammers communicate to steal client information), ransomware, and card skimming, to name a few.
The central bank has been actively beefing up cybersecurity rules, having introduced multi-factor authentication and the creation of internal rules on social media use earlier this year. It has also issued reminders for banks on handling malware and ransomware, where hackers encrypt the files on an infected computer, rendering them unusable until the user pays the ransom.