BSP set to release new IT security rules next month
Bangko Sentral ng Pilipinas (BSP) Governor Nestor A. Espenilla Jr. yesterday said the upgraded regulations on its information technology (IT) risk management framework will be released in September after months of consultations with the financial sector.
“What is new is that it will have enhanced expectations on cybersecurity risk management,” Espenilla said after FINTQ of PLDT’s “On Q” session, the financial technology firm’s first roundtable talks on the industry.
The BSP earlier announced that it will come out with an updated version of BSP Circular No. 808, which it first released in 2013 to tackle so-called multi-layered security controls for cyber-risk prevention, detection and response. The central bank was already working on the circular changes when the country’s two biggest banks, Bank of the Philippine Islands and BDO Unibank, Inc., reported different IT-related banking issues in June and July: an internal control systems problem for the former and an ATM-concentrated attack for the latter.
Espenilla said they are upgrading the existing circular, which he considers their basic IT risk management rules. The updated circular, he said, will “further open up the use cases for cloud technology in banking applications,” among others.
“It will further strengthen the governance responsibilities of a bank’s board and management to make sure that the IT systems of their IT institutions are robust and resilient to cyber crime or able to be resilient to disasters so it can continue on in the face of (these disasters). So, basically strengthening the expectations (for IT risk management),” according to Espenilla.
Since the banking community has been consulted on this, there will be no surprises when the circular is released next month.
“To be fair to the industry there’s been a lot of investments by banks to level up their IT risk management compliance,” he said. “Banks today are less concerned by regulatory requirements than their own risks because even without regulations, if you don’t take care (then) a bank is very vulnerable to cyber crime and you can directly lose money there, much more than any penalty that the BSP can impose.”
“On their own, banks realize the need to upgrade the risk management standards so that’s why … we’ve closely consulted banks so it is not going to be a surprise to them,” added Espenilla. “It’s something they are already doing on their own since it is in their best interest to do so.”
The BSP has long recognized the importance of banks’ cybersecurity amid the growing threat in digital, mobile and internet banking from hackers-for-hire and cyber syndicates.