BSP readies cybersecurity guidelines

THE BANGKO SENTRAL ng Pilipinas (BSP) will soon release enhanced guidelines on cybersecurity that will elevate such concerns to top management of banks and financial firms, even as its head assured that there has been no “serious” recent attack so far.

BSP Governor Nestor A. Espenilla, Jr. said monetary authorities will release stricter standards for financial entities against cyber threats, mandating banks to pour funds into fortifying their digital firewalls amid rising risks in the electronic space.

“We are set to issue in a few weeks enhanced standards with regard to BSP’s expectations on cybersecurity arrangements in a regulated institution,” Mr. Espenilla said during a luncheon hosted by the European Chamber of Commerce of the Philippines on Wednesday.

“The BSP is very focused on cybersecurity issues. It’s one of those things that can affect even the best, well-capitalized bank at any given point in time. We keep communicating that message,” he added.

“[O]ur last standard was promulgated in 2013,” Mr. Espenilla recalled, saying it was subsequently strengthened “in bits and pieces… but now it’s a major overhaul of the standards to bring it to the next level.”

The BSP issued Circular 808 four years ago to set minimum standards on information technology risk management, which has since been upgraded through succeeding regulations.

The central bank has been beefing up cybersecurity rules, having introduced multi-factor authentication and rules on social media use earlier this year.

It has also released warnings on malware, among others.

The central bank chief said that while financial losses from hacking and fraud attempts may be contained, “reputational risks” could cause banks irreparable damage.

Offhand, Mr. Espenilla said the new rules — which are now undergoing legal review — will require banks’ boards and senior management to “pay attention” to cybersecurity issues.

“[I]n our observation, many of this cybersecurity (issues) are left to the attention of technologists… It is not embraced as part of the business strategy of the bank, and to us, that is risky,” Mr. Espenilla told reporters when asked to elaborate.

“If top management or board… don’t really pay attention, that means they will not invest enough resources in this, which is the one that makes a bank or financial institution fundamentally vulnerable to cybercrime.”

The BSP chief said the rules will broadly align local regulations to international standards against fraud.

Mr. Espenilla said banks are currently being graded by the BSP on the strength of their security and risk management frameworks, which will also be the basis for possible sanctions or corrective action imposed by the regulator.

At the same time, he assured that neither the BSP nor banks has monitored any “significant” hacking attempt lately, even as he clarified that no one can never be “too cautious” against such risks. — Melissa Luz T. Lopez