BANKS must craft new strategies on information security to manage, detect, and respond to cyber-attacks which could bog down operations, as part of tighter rules imposed by the Bangko Sentral ng Pilipinas (BSP).
The BSP has upgraded its standards on cyber-risk management through Circular 982, which details the regulator’s expectations for banks and other financial players in addressing and mitigating security threats.
“In line with their growing technology usage and dependence at the back of a dynamic operating and cyber-threat environment, BSFIs (BSP-supervised financial institutions) should establish robust and effective technology risk management processes, governance structures, and cybersecurity controls,” read the circular issued on Nov. 9.
“This is to ensure that the benefits derived from technological innovations can be fully optimized without compromising financial stability, operational resilience, and consumer protection.”
As a practice, all financial players must have systems to identify and counter a wide array of digital attacks, including skimming, phishing, malware, and persistent threats to their systems, through an established information security program that is “commensurate” with the complexity of a firm’s reliance on digital tools.
Banks and other BSFIs also need to introduce minimum baseline security standards to be followed across their back-end systems and branches, which cover the use of operating systems, access to databases, and mobile devices.
The strategic plan must regularly identify, prevent, detect, respond to, recover from, and test for attempts to hack into internal systems or to steal from their clients, the BSP said. Entities must also get into cyber threat intelligence and collaborate with fellow industry players and regulators to share notes on emerging trends to boost industry-wide protection.
The same circular requires financial firms with “complex” information technology systems to set up 24/7 security operations centers to monitor potential cyber-attacks.
In cases where a firm’s firewalls are breached, banks must have an established incident response plan ready to “minimize and contain” the financial and reputational damage, which would also allow the restoration of critical systems and facilitate an investigation into the case.
Periodic testing schemes must also be in place to evaluate security levels, which include simulated attacks and breach assessments.
Banks are given one year following the issuance of the circular to fully comply with these provisions. — Melissa Luz T. Lopez