Banks ordered to boost defense vs cyberattacks

MANILA, Philippines — Banks and other financial institutions will have to regularly assess how prepared they are against cyberattacks under new rules issued by the Bangko Sentral ng Pilipinas (BSP). In a circular signed by BSP Governor Eli Remolona Jr., the Monetary Board approved changes to existing rules on information technology risk management to improve the central bank’s monitoring of cybersecurity risks in the banking and financial sector.
The circular introduces the Cybersecurity Maturity Framework, which will guide banks and BSP-supervised financial institutions (BSFIs) in measuring how strong their cybersecurity systems are and what areas need improvement.
The BSP said the framework aims to support financial institutions “in strengthening both institutional and sector-wide cyber resilience in light of increasing digitalization and the evolving threat landscape.”
Under the new rules, BSFIs will be required to conduct “periodic and rigorous self-assessment exercises” as part of their information security risk management system.
These assessments will be done through the Cybersecurity Control Self-Assessment (CCSA), a tool that will allow institutions to review their current activities, internal processes and cybersecurity practices.
The tool contains questions that will help determine the maturity of a financial institution in key cybersecurity areas, while also helping the regulator track cyber trends and practices across the industry.
“The assessment tool contains activity and capability-based questions intended to reflect the BSFI’s maturity in a particular control area and to gather cyber trends and practices,” the central bank said.
The results of the self-assessment, together with other supervisory activities, will be used by the BSP to classify institutions under four maturity levels: foundational, established, managed and optimized.
A foundational rating means an institution has only minimal adoption of cybersecurity controls. In this stage, risk assessments may be irregular, informal or not yet considered in business decisions.
An established rating means the institution already has policies, procedures or guidelines approved by its board or relevant committee. These controls provide baseline protection for customer information, systems and operations, although implementation may not yet be consistent across all business units.
A managed rating applies to institutions that have fully adopted relevant requirements, regularly test the effectiveness of their controls and integrate cybersecurity considerations across the business.
At the highest level, an optimized institution is expected to use advanced tools, technologies and threat intelligence to identify and respond to emerging cyber threats. Cybersecurity risks should also be fully considered in strategic planning and enterprise-wide decision-making.
The BSP said the expected maturity level will depend on the size and complexity of an institution’s IT profile.
Financial institutions with simple IT operations are expected to fall within the foundational to established levels. Those with moderate IT profiles should be within the established to managed levels, while those with complex IT operations are expected to reach the managed to optimized levels.
The central bank also updated its reporting requirements. BSFIs must submit their annual IT profile within 25 calendar days after the end of the reference year.
Meanwhile, the CCSA must be submitted on or before March 31 following the end of the reference year by institutions classified by the BSP as having moderate or complex IT profiles. The BSP may also require other institutions to submit the report.
The reports will be filed through the BSP’s Advanced SupTech Engine for Risk-based Compliance platform.
The BSP said more detailed procedures on the submission of the self-assessment and the maturity assessment would be issued separately.
“To prepare for and familiarize BSFIs with the new requirement, the submission of the initial CCSA shall be due 60 calendar days from the release of the reporting guidelines,” the BSP said.