To boost cybersecurity measures and as part of stricter guidelines, the central bank urged all banks and financial entities to set up 24/7 centers that will actively monitor and prevent cyber-attacks.
The Monetary Board last week approved a circular covering information security management, which elevates expectations on the safeguards employed by these firms. The Bangko Sentral ng Pilipinas (BSP) said in a statement issued over the weekend, “This is to address the growing concerns on the fast-evolving cyber-threats that continue to confront global as well as domestic financial communities.”
BSP added, “If not properly managed, cyber-threats and attacks launched against Bangko Sentral supervised financial institutions (BSFIs) may result in operational, legal, reputational, and systemic risks.”
The new regulations seek to upgrade Circular 808 issued four years ago, which set minimum standards on information technology (IT) risk management. Earlier this year, the BSP has been actively stepping up cybersecurity rules, having introduced multi-factor authentication and the creation of internal rules on social media use. The new rules require financial firms to adopt “advanced” controls and countermeasures versus hacking and other digital crimes, and even mandates the creation a 24/7 security operations center to “proactively monitor emerging and highly sophisticated cyber-threats and attacks.”
In general, standards imposed on banks and financial firms will be classified into “simple,” “moderate,” and “complex” exposures to cyber-related threats, which would likewise determine the intricacy of cybersecurity measures required of them. BSFIs with complex IT profile classification have to adopt “advanced cybersecurity tools and processes” such as the monitoring centers.
Cybersecurity should also be a board-level concern by enforcing sound information security governance and culture within an organization.
The BSP said all financial firms will be given one year to fully comply with the new regulation, although plans of action and timelines will be collected by the regulator by next month.