BSP steps up guard vs cybercrime
The Bangko Sentral ng Pilipinas (BSP) has tightened its rules to guard against cybercrime and related risks amid growing concerns over the fast-evolving cyber threats that continue to confront global as well as domestic financial communities.
The central bank’s Monetary Board has approved pioneering guidelines on information security management that place a renewed focus on cybersecurity in order to promote cyber-resilience of the entire banking industry.
BSP Governor Nestor Espenilla Jr. said the enhanced information security framework, meant to strengthen cybersecurity controls in line with a rapidly evolving cyberthreat landscape surrounding financial institutions, was issued as part of the central bank’s mandate to maintain financial stability.
“It is vital that we preserve the balance between innovation and risk management,” he said.
The new guidelines, one of the first in Southeast Asia, cover a holistic framework on information security risk management as an integral part of the banks’ information security program, enterprise risk management system and governance mechanisms.
The new circular incorporates, to the extent possible, key principles and concepts from leading standards, technology frameworks and global best practices on information security.
According to the BSP, the cyberthreat landscape has continuously evolved with more threats surfacing in the cyberrealm in an increasingly complex and sophisticated fashion.
It added that various research reports and publications have projected global cybercrime losses to increase exponentially, with the financial services industry remaining a prime target across all industries.
“If not properly managed, cyberthreats and attacks launched against Bangko Sentral-supervised financial institutions may result in operational, legal, reputational, and systemic risks,” the central bank said.
The amendments highlight the role of the banks’ board and senior management in spearheading sound information security governance and a strong security culture within their respective networks.
Likewise, banks and financial institutions are mandated to manage information security risks and exposures within acceptable levels through a dynamic interplay of people, policies, processes, and technologies following a continuing cycle.
“The circular also encompasses key elements of cyber resilience such as participation in information sharing and collaboration fora, enhancing situational awareness capabilities as well as adoption of advanced cybersecurity controls and countermeasures,” the BSP said.
The regulator required supervised institutions to set up a 24/7 security operations center (SOC) equipped with advanced technologies and manned by competent analysts to proactively monitor emerging and highly sophisticated cyberthreats and attacks.
The BSP has expanded the IT profile classification to three, namely complex, moderate, and simple, wherein banks with a complex IT profile classification would warrant adoption of advanced cybersecurity tools and processes such as the setting up of an SOC.
The regulator is giving supervised institutions one year to fully comply with the provisions of the new guidelines.