Banks told to heighten alert vs data breaches

MANILA, Philippines — Risks on data breaches or leaks have become a significant concern as the banking industry continues to increasingly leverage on digital platforms in the provision of essential financial services amid the pandemic, according to the Bangko Sentral ng Pilipinas.

BSP Deputy Governor Chuchi Fonacier said banks and financial institutions are required by the Manual of Regulations for Banks (MORB) and the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) to lay down the framework to protect data and information throughout their life cycle.

As BSFIs increasingly leverage on digital platforms in the provision of essential financial services, Fonacier said massive amounts of data and information are being accessed, stored, processed, and/or transmitted across various systems and networks by customers, third party providers and other external stakeholders.

Moreover, she said alternative working arrangements allow employees of BSP-supervised financial institutions (BSFIs) to remotely access internal systems and applications that may potentially expose sensitive and confidential information, if not properly secured and managed.

Furthermore, she said the adoption of cloud computing platforms and services by BSFIs adds complexity and challenges in ensuring data security, integrity and privacy.

“With these emerging trends in the technology and cybersecurity landscape, risks on data breaches or data leaks become a significant concern leading to reputational, operational, legal, and regulatory risks, among others,” Fonacier said.

Data breach is the intentional or unintentional disclosure of sensitive information to unauthorized recipients or a cyber-incident involving the theft of data or information.

According to the BSP, this may occur due to simple errors such as sending an email to incorrect recipients, misplacing or theft of an unencrypted storage media, or utilizing a free digital platform without understanding the terms and conditions of its use.

Furthermore, the regulator said data breach may also arise from exploits on systems and network vulnerabilities, improper access rights management, or insider misuse of information.

The central bank issued Memorandum 2021 – 043 reminding banks and financial institutions to provide adequate security policies, procedures, and standards on data classification and control; identity and access management following the principles on least privilege and segregation of duties or functions; remote work arrangements and bring your own device; vulnerability and patch management; outsourcing and vendor management to further strengthen data breach prevention and control mechanisms,

Furthermore, the BSP also reminded banks to enhance screening and hiring practices for officers and employees handling sensitive information; secure destruction and disposal of data and media as well as conduct activity monitoring, auditing, and logging.

The regulator also required BSFIs to implement security technologies and solutions such as encryption for both data-at-rest and data-in-transit; automated data discovery and classification; data loss prevention; database activity monitoring; and endpoint security.

Fonacier said banks should properly identify systems and processes involving sensitive information and commensurate implementation of controls; adopt a defense in depth approach in managing cybersecurity; and conduct information security education and awareness campaigns incorporating data protection standards and procedures.

“The fight against data breaches, and cyber-attacks in general, continues to depend on the BSFI’s ability to raise the level of its situational awareness against latest tactics, techniques and procedures of cyber threat actors, and enhancing their security capabilities as part of their overall defense-in-depth cyber security strategy,” Fonacier said.

The BSP also reminded banks and financial institution to promptly report significant data loss or massive data breach and other cyber-related incidents to the central bank as well as the National Privacy Commission (NPC).

Likewise, banks should inform their customers of possible data breaches involving sensitive personal information pursuant to applicable data privacy laws and regulations.