The Bangko Sentral ng Pilipinas is coming out with more stringent cybersecurity rules for banks which will, among other things, hold the lending institutions’ top management and board members responsible for all cybersecurity concerns.
BSP Governor Nestor A. Espenilla Jr. told reporters on Wednesday that the proposed rules were undergoing legal review and would be submitted for approval to the Monetary Board, the BSP’s policymaking body, later.
“This one actually strengthens the message that at the board level, they should be paying attention to cybersecurity, because we observe that these cybersecurity concerns are left to the attention of technologists,” Espenilla said.
Despite rising cybersecurity risks, Espenilla noted that such concerns were not part of most banks’ business strategies.
“If the top management or those in the board don’t pay attention to cybersecurity matters, they will not invest enough resources in this concern, making a bank or any financial institution fundamentally vulnerable to cybercrime,” Espenilla stressed.
Also, the enhanced rules will include prescriptive measures based on international cybersecurity standards, Espenilla added.
Cyberattacks like hacking put not only sensitive information but also huge sums of money at risk. The hacking of the Bangladeshi central bank’s account at the Federal Reserve Bank of New York in February last year led to the laundering of $81 million in stolen money in Philippine casinos after the funds entered the country through the financial system.
In April, the BSP ordered all financial institutions in the country to implement “multi-factor authentication” (MFA) especially for sensitive transactions amid bigger risks coming from cyberattacks.
The Monetary Board has approved amendments to existing rules that put in place “more stringent security controls” that BSP-supervised financial institutions must adopt. Focus will be on MFA techniques due to the “increasing propensity and sophistication of cyberattacks involving fund transfers, payments and other transactions via online channels.”
The MFA is mandatory for transactions considered “sensitive communications and/or high-risk such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards in e-commerce websites, among others,” the BSP said.
The BSP earlier explained that MFA combines more than one of the following authentication factors: inherence, or something inherent to the user, such as a fingerprint or retinal pattern; knowledge, or something the user knows, such as a password or PIN; and possession, or something the user has, such as a payment card or a one-time password generated by a security token or sent via SMS.
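The policy described above, as an added illustration that is not part of the article or of any BSP-issued code: a small authorization check that treats the transaction types the BSP lists as sensitive and requires factors from more than one category (the usual reading of "multi-factor"), so that two knowledge factors such as a password plus a PIN do not count. Authenticator and transaction names are constructed labels, not BSP identifiers.

```python
from enum import Enum

class Factor(Enum):
    """The three factor categories named by the BSP."""
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # payment card, OTP from token or SMS
    INHERENCE = "inherence"    # fingerprint, retinal pattern

# Constructed mapping from authenticator labels to factor categories,
# following the examples the BSP gave for each category.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "payment_card": Factor.POSSESSION,
    "token_otp": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retinal_scan": Factor.INHERENCE,
}

# Constructed labels for the transaction types the BSP lists as
# sensitive and/or high-risk; anything else is treated as low-risk.
SENSITIVE_TRANSACTIONS = {
    "enroll_eservice",
    "third_party_payment",
    "third_party_fund_transfer",
    "online_remittance",
    "account_maintenance",
    "ecommerce_card_payment",
}

def factor_categories(authenticators):
    """Distinct factor categories covered by the presented authenticators.
    Raises ValueError on an authenticator the policy does not recognise."""
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised authenticator(s): {unknown}")
    return {AUTHENTICATOR_CATEGORY[a] for a in authenticators}

def is_multi_factor(authenticators):
    """True only if the authenticators span at least two categories."""
    return len(factor_categories(authenticators)) >= 2

def authorize(transaction_type, authenticators):
    """Decide whether the presented authenticators satisfy the policy
    for this transaction type. Sensitive transactions need MFA; others
    need at least one recognised factor."""
    cats = factor_categories(authenticators)
    if transaction_type in SENSITIVE_TRANSACTIONS:
        return len(cats) >= 2
    return len(cats) >= 1
```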
The MFA “provides for a more reliable authentication method and a stronger fraud deterrent mechanism that limits unauthorized access.”
Also, it “protects the integrity of customer data and transaction details,” which the BSP had said “in turn contributes to increased customer confidence leading to more prevalent usage of digital financial services which is aligned with the National Retail Payment System’s objective of a cash-light economy by 2020.”