The Bangko Sentral ng Pilipinas (BSP) said on Tuesday it would upgrade by July regulations on information technology (IT) risks in financial institutions, amid concerns over recent incidents of cyber attacks and systems glitches.
“By next month, we are set to issue the enhanced guidelines on information security,” incoming BSP governor Nestor Espenilla Jr. said during a Financial Executives Institute of the Philippines (Finex) cybercrime forum held in Makati City on Tuesday.
Espenilla said the new guidelines would be tighter and more comprehensive than the existing BSP Circular 808, the central bank’s main framework on IT risk management and supervision released in 2013.
Circular 808 provides guidelines and standards to ensure that banks implement security controls to adequately protect their information assets from unauthorized access, and deliberate misuse or fraudulent modification, insertion, deletion, or substitution.
“[The upgraded framework] covers not just cybersecurity but even the use of cloud computing. So it is broader. It is an upgraded IT Risk Management Framework. It enables the use of newer technologies for creating business, but at the same time, it also upgrades the cybersecurity standards, including encryption standards,” Espenilla explained.
The incoming BSP chief, a veteran banking regulator, said the framework would incorporate the latest standards on information security in line with technological developments and innovation, “dynamic risk profiles,” and rapidly evolving cyber threats surrounding banks.
“The amendments present a holistic framework on information security management, integrated with the banks’ information security program or ISP and enterprise risk management system,” he told Finex members.
Espenilla also said the new regulations clarify the central bank’s expectations on the role of banks’ boards of directors and senior management in their information security risk management framework, which should cover information security governance, responsibility and accountability, among others.
“In response to the growing concerns on cyber attacks, the amendments highlight the need to integrate cybersecurity controls and measures into that ISP,” he said.
Espenilla said banks were asked to comment on the new regulations.
“We are getting industry to comment on it because we need the inputs of the sector to create a regulation that is actually useful to the industry. So that is why we are actively consulting,” he said.
Ayala-led Bank of the Philippine Islands was hit by a systems glitch early this month, which the lender said was caused by human error, not by hacking. Security Bank was later hit by a transaction posting delay in its systems.
Last week, Sy-led Banco de Oro Universal Bank admitted some of its automated teller machines (ATM) were “compromised” by skimming, or the unauthorized copying of information on an ATM card’s magnetic strip.
The BSP has ordered banks to replace ATM magnetic strips with EMV or chip-based technology by mid-2018.
Incorporate IT security in business plan
Reacting to Espenilla’s speech, Philippine National Bank Senior Vice President and Chief Information Officer Roland Oscurro highlighted the need for financial institutions to invest in IT security.
“Unfortunately, the threat of cyber crimes are escalating and will continue to escalate. You need to be aware because the weakest link in terms of security risk are your businesses,” he said.
Oscurro said IT security has to be incorporated in every business plan of any institution.
“It is no longer an IT matter. It is an operational and it is a business concern. You can leverage security to sell your business as trust is a very critical commodity nowadays,” he said.