BSP shortens banks’ reporting time on cybersecurity breaches
Beginning next month, all banks will be reporting any cybersecurity issues to the central bank within two hours of first detection and to submit an updated report inside 24 hours.
In a statement, the Bangko Sentral ng Pilipinas (BSP) said the follow-up report is crucial for the close monitoring of cyber-related issues and for the BSP to decide actions to stop IT control issues from further getting out of hand.
“After the initial notification, the affected BSFIs (BSP-supervised financial institutions) are mandated to submit a follow-up report within 24 hours from the incident containing information such as the manner and time of initial detection, impact of the incident, and initial remedial response,” said the BSP.
The BSP then will assess the situation and proceed with necessary “appropriate supervisory actions if warranted, until full resolution of the incident.” It added that they may “swiftly issue appropriate advisories, security bulletins, and/or policies to prevent recurrence of the incident and promote enterprise and industry-wide operational resilience.”
It was announced earlier that the central bank is tightening its reporting rules and reducing the prescribed days in the reporting of cybersecurity issues from 10 days to within two hours after discovery of the operational disruptions.
“This is necessary in view of the speed of exploitation, proliferation of attack tools and actors, and potentially massive extent of damage from cyber-related incidents,” the BSP said Friday. It said that quick access to information on these incidents will enable the BSP to alert other banks, industry associations and other relevant stakeholders that may be affected by a specific attack.
The BSP said prompt reporting gives them “enhanced visibility” of the ever-changing IT risk environment. It will also allow them to swiftly act to minimize the impact and resulting risks of cybersecurity breaches and to spot potential systemic risks.
Last year, the BSP issued a more comprehensive rules on information security management and strengthened its cyber-threat surveillance capabilities.