BSP orders coordinated action among banks vs cyberthreats

MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) has ordered banks and financial institutions to establish a collective, coordinated and strategic cyber response through information sharing and collaboration to further strengthen the industry’s resilience amid growing cyberthreats.

Restituto Cruz, sector-in-charge of the central bank’s Financial Supervision Sector, issued Memorandum 2019-016 reminding banks about cyberthreat intelligence and collaboration.

Cruz reminded banks and financial institutions about Circular 982 issued in November 2017 mandating moderate to complex BSP supervised financial institutions to actively participate in information sharing organizations and fora within the financial services industry.

Cruz said major players in the banking industry should participate in the Cybersecurity Incident Database (BAPCID) hosted by the Bankers Association of the Philippines (BAP) as cyberattacks could be launched even against banks with simple information technology profiles.

According to Cruz, the industry-wide cyberthreat and best practices sharing platform would raise the level of situational awareness as information on latest tactics, techniques and procedures of cyberthreat actors targeting financial institutions, including those in the dark web.

“The BSP, as an advisory member of the BAPCID, shall also use the BAPCID platform in the issuance of specific cyberthreat advisories and memoranda,” he said.

He added the platform would lead to a much faster and secure way of alerting banks and providing concrete guidance in preventing and remediating imminent cyberthreats and attacks.

Last October, the BSP raised the bar for its campaign against cybercrime by requiring banks and financial institutions to report security breaches within two hours.

The central bank has approved pioneering guidelines on information security management that place a renewed focus on cybersecurity, promoting the cyber resiliency of the entire banking industry.

The enhanced information security framework strengthened cybersecurity controls in line with a rapidly evolving cyberthreat landscape surrounding financial institutions.

The new guidelines, one of the first in Southeast Asia, cover a holistic framework on information security risk management as an integral part of the banks’ information security program, enterprise risk management system and governance mechanisms.

The cyberthreat landscape has continuously evolved with more threats surfacing in the cyberrealm in an increasingly complex and sophisticated fashion.

The Philippines was used as a conduit when hackers stole $81 million from the account of the Bangladesh Bank in the US. The stolen funds laundered in casinos entered the country via Rizal Commercial Banking Corp. (RCBC) that was later slapped with a record P1 billion fine.

President Duterte has signed Republic Act 10927 amending RA 9160 or the Anti-Money Laundering Act of 2001 stating that cash transactions of casinos in excess of P5 million must be reported to the Anti-Money Laundering Council.