Banks told to strengthen cybercrime defenses
The Bangko Sentral ng Pilipinas (BSP) will require banks to further beef up their defenses against cybercrimes as threats remain.
“We are now working on supplemental or additional regulations to further strengthen and increase the level of security of Philippine banks and other financial institutions,” Bangko Sentral ng Pilipinas (BSP) Deputy Governor Nestor A. Espenilla Jr. told reporters Tuesday.
The cyberheist that led to $81 million in stolen money from the central bank of Bangladesh being laundered in Philippine casinos last February highlighted the cyberthreats being faced by financial systems globally.
Espenilla noted that “financial institutions everywhere are routinely being attacked by cybercriminals.”
In the case of Philippine banks, Espenilla said a comprehensive review down in 2014 made the BSP aware of issues, while showing that, in general, local banks were resilient to cyberattacks.
Article continues after this advertisementBut the BSP is still on its toes as it acknowledged that cybercrimes have been evolving from simple crimes such as ATM fraud and credit card skimming to more complex heists.
Article continues after this advertisement“For a long time, the dominant threat is still those related to ATM fraud, except that trend-wise, those are on the decline already,” Espenilla noted, pointing out that they expected such cases to further decline when the EMV chips on ATM cards are deployed starting January next year.
“We are trying to raise the standards through the issuance of regulations and at the same time we are also strengthening the supervisory capacity of the BSP,” Espenilla said. “We are elevating now the IT standards because there are new regulations coming from the international front. We cannot guarantee that there will be no attacks. What we can do is to minimize the system being breached and at the same time strengthen resilience.”
For one, Espenilla said they would require banks to immediately report to the BSP any cyberattack.
“Of course they want to first investigate and check. But that is not the principle of incident management. If something happens, before doing anything else, report to the BSP. Because that also alerts us. The approach there is formal reporting to the BSP, but we also encourage them as an industry to talk more and communicate with one another,” Espenilla said.
For the part of the BSP, Espenilla said its systems have become cyberattack-proof.
“We better take care of our own defenses. We have to walk the talk. The BSP has pretty much invested in our own security and defenses. Knock on wood, the Bangladesh incident would not happen on the BSP,” he said.