BSP issues new rules to combat cyber threats
Amid increasing risks from cyberattacks, the Bangko Sentral ng Pilipinas (BSP) issued stricter rules, among the first of its kind in the Asean, aimed at protecting financial institutions 24/7.
In a statement Saturday, the BSP said the Monetary Board, its highest policymaking body, last week “approved pioneering guidelines on information security management that place a renewed focus on cybersecurity.
The new guidelines are needed to “address the growing concerns on the fast-evolving cyber-threats that continue to confront global as well as domestic financial communities,” it added.
Cyberattacks like hacking put not only sensitive information but also huge sums of money at risk. The hacking of the Bangladeshi central bank’s account from the Federal Reserve Bank of New York in February last year led to the laundering of $81 million in stolen money in Philippine casinos after entering the country through the financial system.
According to the BSP, the amended rules “highlight the role of the BSP-supervised financial institutions’ (BSFIs) board and senior management in spearheading sound information security governance and strong security culture within their respective networks.”
Article continues after this advertisementAlso, “BSFIs are mandated to manage information security risks and exposures within acceptable levels through a dynamic interplay of people, policies, processes and technologies following a continuing cycle (such as identify, prevent, detect, respond, recover and test phases),” the BSP added.
Article continues after this advertisementSpecifically, the new guidelines also cover “key elements of cyber-resilience such as participation in information sharing and collaboration fora, enhancing situational awareness capabilities, as well as adoption of advanced cybersecurity controls and countermeasures,” according to the BSP.
“A good example is the requirement to set-up a 24 by 7 security operations center (SOC) equipped with advanced technologies and manned by competent analysts to proactively monitor emerging and highly sophisticated cyber-threats and attacks,” it said.
Acknowledging that BSFIs were “at varying levels of cyber-maturity and cyber-risk exposures, which may render certain requirements restrictive and costly vis-à-vis expected benefits,” the BSP expanded the IT profile classification from two previously to three—“complex”, “moderate” and “simple.”
“BSFIs with ‘complex’ IT profile classification would warrant adoption of advanced cybersecurity tools and processes such as the setting up of an SOC,” the BSP said.
As the stricter regulations were a “critical component” of its strategic roadmap on cybersecurity, the BSP said “BSFIs are given one year from the effectivity date to fully comply with the provisions.”
“Further, plan of actions with specific timelines, as well as the status of initiatives being undertaken to achieve full compliance, should be readily available upon request starting December 2017,” it added.
“Considering the need to strike the right balance between promoting innovation and managing cyber-related risks, the new guidelines, one of the first in Southeast Asia, cover a holistic framework on information security risk management (ISRM) as an integral part of the BSFIs’ information security program, enterprise risk management system and governance mechanisms,” the BSP said, adding that the circular to be issued covering the new regulation “incorporates, to the extent possible, key principles and concepts from leading standards, technology frameworks and global best practices on information security.”
“The cyber-threat landscape has continuously evolved with more threats surfacing in the cyber realm in an increasingly complex and sophisticated fashion. Various researches and publications projected global cybercrime losses to increase exponentially with the financial services industry remaining to be a prime target across all industries. If not properly managed, cyber-threats and attacks launched against BSFIs may result in operational, legal, reputational, and systemic risks,” the BSP noted. /cbb