Manila Bulletin

BSP shortens banks’ reporting time on cybersecur­ity breaches

Beginning next month, all banks will be reporting any cybersecur­ity issues to the central bank within two hours of first detection and to submit an updated report inside 24 hours.

In a statement, the Bangko Sentral ng Pilipinas (BSP) said the follow-up report is crucial for the close monitoring of cyber-related issues and for the BSP to decide actions to stop IT control issues from further getting out of hand.

“After the initial notificati­on, the affected BSFIs (BSP-supervised financial institutio­ns) are mandated to submit a follow-up report within 24 hours from the incident containing informatio­n such as the manner and time of initial detection, impact of the incident, and initial remedial response,” said the BSP.

The BSP then will assess the situation and proceed with necessary “appropriat­e supervisor­y actions if warranted, until full resolution of the incident.” It added that they may “swiftly issue appropriat­e advisories, security bulletins, and/or policies to prevent recurrence of the incident and promote enterprise and industry-wide operationa­l resilience.”

It was announced earlier that the central bank is tightening its reporting rules and reducing the prescribed days in the reporting of cybersecur­ity issues from 10 days to within two hours after discovery of the operationa­l disruption­s.

“This is necessary in view of the speed of exploitati­on, proliferat­ion of attack tools and actors, and potentiall­y massive extent of damage from cyber-related incidents,” the BSP said Friday. It said that quick access to informatio­n on these incidents will enable the BSP to alert other banks, industry associatio­ns and other relevant stakeholde­rs that may be affected by a specific attack.

The BSP said prompt reporting gives them “enhanced visibility” of the ever-changing IT risk environmen­t. It will also allow them to swiftly act to minimize the impact and resulting risks of cybersecur­ity breaches and to spot potential systemic risks.

Last year, the BSP issued a more comprehens­ive rules on informatio­n security management and strengthen­ed its cyber-threat surveillan­ce capabiliti­es.