BANKS and other financial institutions must stay vigilant against cyber fraud by strengthening the technological aspect of operations and doing risk assessments amid a growing number of fraudulent activities via e-mails and websites, the Bangko Sentral ng Pilipinas (BSP) said on Friday.
“In response to the growing concerns about cyber attacks involving fraudulent e-mails and websites, aimed at customers and employees of financial institutions, BSP-Supervised Financial Institutions (BSFIs) are advised to sustain resilience efforts and continue to perform rigorous risk assessments of their current technology environment,” incoming BSP Governor Nestor Espenilla Jr. said in a memorandum.
Espenilla said BSFIs should ensure compliance with regulatory issuances on the adoption of multi-factor authentication (MFA) measures for sensitive and high-risk communications, and guidance on risk management associated with fraudulent e-mails or websites.
BSFIs must ensure adequate access control measures are in place for systems that support the provision of electronic products and services, regardless of whether these are managed internally or by a third-party service provider, according to the memorandum.
Such systems include authentication servers, application servers and the domain name system (DNS), including domain registry services.
“For outsourced systems, BSFIs, as part of their outsourcing risk management framework, should have a sufficient level of assurance that the service provider is maintaining robust security controls,” Espenilla noted.
Banks need to adopt stronger methods for sensitive and high-risk systems managed by privileged users such as network and system administrators, the BSP said.
BSFIs should also be mindful of domain hijacking, in which attackers modify domain name records to redirect users to unauthorized websites, it added.
“In such cases, additional security measures such as registry lock features (for top-level domain) and MFA should be adopted,” Espenilla said.
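The two controls the memorandum names against domain hijacking, a stable set of DNS records and a registry lock, can both be checked from the defender's side. The following is an added example, not part of the BSP memorandum or any bank's tooling: it compares an approved DNS baseline with a fresh snapshot and reads EPP status codes to confirm that registry-level (server*) locks, not just registrar-level (client*) locks, are set. All domains, addresses and status lists are constructed sample data.

```python
# Added example (not from the BSP memorandum): an offline drift check for the two
# controls the memo names against domain hijacking. All domains, record values and
# EPP status lists below are constructed sample data, not real registrations.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited",
})

def dns_drift(baseline, observed):
    """Compare an approved record baseline with a fresh snapshot, per record type.
    Both arguments map record type (e.g. 'NS') to a list of values; returns one
    finding string per type whose value set differs, or an empty list."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = set(baseline.get(rtype, []))
        actual = set(observed.get(rtype, []))
        if expected != actual:
            findings.append(
                f"{rtype}: expected {sorted(expected)}, observed {sorted(actual)}")
    return findings

def registry_lock_status(epp_statuses):
    """A registry lock is only effective when all three server-side prohibitions
    are set; client* codes can be cleared through a compromised registrar account."""
    present = REGISTRY_LOCK_STATUSES & set(epp_statuses)
    return {
        "locked": present == REGISTRY_LOCK_STATUSES,
        "missing": sorted(REGISTRY_LOCK_STATUSES - present),
    }

def assess_domain(domain, baseline, observed, epp_statuses):
    """Combine both checks into a single report dict for one domain."""
    drift = dns_drift(baseline, observed)
    lock = registry_lock_status(epp_statuses)
    return {"domain": domain, "dns_drift": drift, "registry_lock": lock,
            "alert": bool(drift) or not lock["locked"]}

# Constructed sample: the NS set has been swapped out and only registrar-side
# (client*) locks are present, so both controls should raise an alert.
SAMPLE_BASELINE = {"NS": ["ns1.bank.example", "ns2.bank.example"],
                   "A": ["203.0.113.10"], "MX": ["mail.bank.example"]}
SAMPLE_OBSERVED = {"NS": ["ns1.unrelated-host.example", "ns2.unrelated-host.example"],
                   "A": ["203.0.113.10"], "MX": ["mail.bank.example"]}
SAMPLE_EPP = ["clientTransferProhibited", "clientUpdateProhibited", "ok"]

if __name__ == "__main__":
    report = assess_domain("bank.example", SAMPLE_BASELINE, SAMPLE_OBSERVED, SAMPLE_EPP)
    for line in report["dns_drift"]:
        print("DNS drift:", line)
    print("registry lock:", report["registry_lock"])
```

In practice the `observed` snapshot would come from a scheduled resolver query and the status list from the registrar's WHOIS or RDAP response, with the baseline kept under change control.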
A security-conscious environment must be promoted through security awareness and training programs for all personnel, contractors and third-party users, in line with banking regulations.