Banks have given one year to implement tighter cybersecurity measures under new rules issued by the Bangko Sentral ng Pilipinas (BSP).
A circular aimed at establishing an information and security risk management framework for banks has been approved by the Monetary Board and covered entities have been directed to have their action plans ready before the end of the year.
“The cyber-threat landscape has continuously evolved with more threats surfacing in the cyber realm in an increasingly complex and sophisticated fashion,” the BSP said in a statement on Friday.
If not properly managed, cyber-threats and attacks launched against Bangko Sentral-supervised financial institutions (BSFIs) may result in operational, legal, reputational and systemic risks, it said.
The new rules highlight the role of the BSFI boards and senior management in spearheading sound information security governance and a strong security culture within their respective networks.
BSFIs, the central bank said, should manage risks via “a dynamic interplay of people, policies, processes, and technologies following a continuing cycle (i.e. identify, prevent, detect, respond, recover and test phases).”
It also called for participation in information sharing and collaboration forums, enhanced situational awareness capabilities as well as the adoption of advanced cybersecurity controls and countermeasures.
One requirement is the establishment of a 24/7 securities operations center (SOC) equipped with advanced technologies and manned by competent analysts who will proactively monitor cyber-threats and attacks.
The rules recognize that BSFIs have varying degrees of cyber maturity and exposure to cyber risk, so profile classifications have been expanded to “complex”, “moderate” and “simple” to allow for compliance flexibility.
Those classified as “complex”, for example, will definitely have to adopt advanced cybersecurity tools and processes such as the setting up of an SOC.
“While not a silver bullet, the new regulation serves as one of the critical components in BSP’s Strategic Roadmap on cybersecurity”, the central bank said.
BSFIs have one year from the effectivity date of the circular to fully comply.
Also, action plans with specific timelines as well as the status of initiatives being undertaken should be readily available upon request starting December 2017, the BSP said.