IBM Country Manager tells Manila Times forum
Industry sizes, particularly among financial institutions, do not matter in dealing with cybercrimes but deeper collaboration between stakeholders would provide a powerful weapon to combat these kinds of security risks, the chief of IBM Philippines said.
For their part, banking regulators said strong measures are already in place to reduce the industry’s vulnerability to cybercrimes.
In the recently concluded The Manila Times 4th Business Forum, IBM President and Country Manager Luis Pineda said that cybercrime is a threat that has reached crisis level and no geography or industry is immune.
He noted that fraud and financial crimes are causing an estimated annual revenue loss of $3.5 trillion across all industries, which created a major impact on the global economy.
Estimates of the cost of cybercrime to the global economy may range from $375 billion to $575 billion per year.
In the local scene, Pineda said current events such as the $81 million electronic theft from
Bangladesh’s central bank in February and the hacking of the Commission on Elections’ voter information database highlight the country’s vulnerability in cyber threats.
“The current events highlighting the country’s vulnerability serves as a wakeup call putting security at the center of discussion,” he said.
The IBM chief said as a result, the scale and knowledge to defend from threats have really gone up but the Philippines do not have many security experts.
“Even leaders of organizations have not updated their understanding of threats itself and greater efforts on awareness and education should be really put in place. To combat global cyber crime threats, organizations will need to think globally and act globally,” he said.
Pineda stressed that organizations must build security intelligence, and look at the company’s information and business critical systems from an attackers’ point of view and then ask themselves how an attacker could cause the most damage.
“Develop a security strategy with policies and technology designed to proactively protect the assets and information you identify as most valuable,” he said.
On top of all these, he said organizations must deploy security solutions that can actively monitor and correlate data activity across multiple technologies.
Pineda also stressed that companies need to adopt an integrated approach. Enterprises really need to think about cyber security as an integral part of their infrastructure rather than deploy new product solutions to combat specific problems.
Developing expertise, and putting a plan in place for a long term and that includes deciding who is going to monitor, manage and execute their security policies is likewise critical, he said.
“Does size really matter in cyber threats and fraud? With every bank now targeted, size really doesn’t matter,” he said.
In conclusion, Pineda said surviving the tide of competition, cyber threats and money laundering requires the exercise of timeless Filipino virtue “bayanihan.”
“Ironically and fortunately, this old age virtue of bayanihan is applicable in today’s modern
digital world,” he said.
The IBM executive pointed out that competition, cyber threats, and fraud are challenges that should be tackled by all industries and all different areas of society.
“Collaborative sharing of information is a powerful weapon to combat risks and threats. A great willingness of businesses, government organizations and other parties to collaborate must be achieved to elevate Philippines defense against these threats,” he said.
There is a dichotomy that needs to be resolved, he concluded, stressing that external parties need to do more; government needs stronger oversight in loss; industry collaboration must increase; and cross border information sharing must be strengthened.
BSP reducing vulnerability
“We actually already have strong measures in place that reduce our vulnerability [to cybercrimes],” said Bangko Sentral ng Pilipinas Deputy Governor Nestor Espenilla Jr.
He said banks must comply with Circular 808 issued in 2013, which prescribes the information technology risk management standards that Philippine banks have to follow.
This includes the migration to EMV chip cards from magnetic strip card for example, he said.
In 2014, the central bank approved the implementing guidelines for banks’ migration to EMV chip-enabled cards in line with its continuing efforts to strengthen the banking system’s electronic retail payment network against card fraud, such as skimming and cloning.
EMV or Europay Mastercard Visa is the global standard for chip-based credit and debit transactions, and is said to be more secure than magnetic strip cards. The chip contains information needed to use the card for payment, and is protected by various security features.
Banks are expected to shift to the more secure chip-based credit and ATM cards before the January 2017 deadline.
Furthermore, Espenilla said that the BSP is very serious in implementing the cyber security standards locally.
“We are now developing additional regulations to further enhance the cyber security posture of our banks against constantly evolving threats,” he said.
This includes the type of highly sophisticated hacking perpetrated against Bangladesh Bank, he said.
The BSP official added that the regulator has also helped organize the Information Security Officers Group (ISOG) of banks as a coordinated and cooperative group to facilitate information sharing against emerging threats being encountered and also to promote best practices.
In particular, Espenilla said the BSP is looking at the Bangladesh Bank case as a strong reminder of the need for vigilance by all banks, central banks included, against cybercrime.
“What happened to Bangladesh Bank can happen to any bank if it’s not careful,” he said, noting that the Philippine side of this story is primarily an issue of Anti-Money Laundering-Combating the Financing of Terrorism (AML-CFT) compliance gaps.
He said the BSP regulated financial institutions involved have been investigated and will be all held accountable for their failure to comply with AML-CFT rules and regulations.
The enforcement actions are now in various stages, he highlighted, noting that beyond these actions, the BSP is also drawing lessons to plug potential loopholes through amendments to the Anti-Money Laundering Act (AMLA) as well as its implementing rules and regulations.
“This is where the proposed designation of casinos as covered persons under the AMLA and the formal designation of BSP as regulator of money service businesses (MSBs) for AMLA purposes come in. These require AMLA amendment,” he explained.
On the other hand, Espenilla said the memorandum to banks issued by BSP in April is but a reiteration of an existing regulation requiring banks to be very cautious in dealing with MSBs and to deal only with those MSBs registered with both BSP and the AMLC Secretariat (AMLCS).
“We will also be amending soon Circular 471, issued in 2005, to tighten further the BSP oversight over MSBs. The draft is currently under industry exposure,” he added.
Another regulation is under study to regulate virtual currency operations in the Philippines as a special type of MSB to ensure their compliance with the AMLA, Espenilla said.
“Consultations on this have been completed,” he noted.
Statistics showed that the Philippines is apparently third in the world in terms of Bitcoin applications, with a growth rate of over 100 percent as of the first half of 2015.
In the Philippines, bitcoin exchanges or estimated transactions passing through the registered companies range between $2 million to $3 million per month.