BSP tightens rules on cyber risk reporting
In response to the increasingly persistent, sophisticated and targeted attacks launched against financial institutions, the Monetary Board (MB) recently approved amendments to existing regulations that tighten the reporting regime for Bangko Sentral supervised financial institutions (BSFIs) on cyber-related incidents and operational disruptions. Prompt reporting of these incidents by BSFIs will give the Bangko Sentral enhanced visibility into the changing IT risk landscape and allow it to proactively ensure that their impact and resulting risks are minimized and contained to avert potential systemic risks to the financial system.
BSFIs are now required to report major cyber-related incidents and disruptions of financial services and operations within two hours from discovery of the incident, down from the ten calendar days prescribed under existing regulations.
After the initial notification, the affected BSFIs are likewise mandated to submit a follow-up report within 24 hours from the incident containing information such as the manner and time of initial detection, impact of the incident, and initial remedial response. The BSP shall closely monitor the situation, coordinate with the concerned BSFI, and undertake appropriate supervisory actions if warranted, until full resolution of the incident. Further, the BSP may swiftly issue appropriate advisories, security bulletins, and/or policies to prevent recurrence of the incident and promote enterprise- and industry-wide operational resilience.