BSP wants faster action on cyber threats
By Melissa Luz T. Lopez
Senior Reporter
THE CENTRAL BANK is looking at a prescriptive period for banks to report glitches and hacking in a bid to strengthen action against cyber threats that could put lenders’ reputation and financial footing at risk.
Bangko Sentral ng Pilipinas (BSP) Deputy Governor Chuchi G. Fonacier said changes to cyber security regulations being drafted by the central bank require, among others, banks and other financial service providers to promptly report data breaches or technical glitches, with the regulator eyeing a two-day window from discovery of an incident.
“We will have new upcoming ones because we are also trying to enhance our regulations on IT (information technology)… Even the minor attacks we can consider, it should be reported,” Ms. Fonacier told reporters on the sidelines of an event on Wednesday.
“We don’t peg the reports on the amounts, but there is this requirement to report to the BSP — report everything when it’s IT-related,” she added.
“Maybe the industry and the BSP can agree on a timeline. If it’s something really IT-related, it’s something that must be immediately reported. We are looking at maybe 48 hours, something like that.”
Newly seated BSP Governor Nestor A. Espenilla, Jr. tagged rising cyber security concerns as among the biggest threats faced by the banking industry, hence, the central bank’s latest move.
This comes after recent incidents faced by big banks such as the data processing error at the Bank of the Philippine Islands that resulted in incorrect account balances for 1.5 million clients, reports of card skimming experienced by customers of BDO Unibank, Inc. and delayed posting of account credits encountered by Security Bank Corp. which all occurred last month.
These incidents dealt the banking industry a “reputational” blow, Mr. Espenilla said, even as he noted that the Philippine banking system should be able to weather rough patches with its healthy balance sheets, ample capital buffers and strong profits.
Two bankers welcomed the BSP’s initiative, even as one of them said the two-day deadline could be too short for lenders to observe.
“I’m for it because IT breach can put a bank in danger,” Rolando R. Avante, president and chief executive officer at Philippine Business Bank, said in a text message when sought for comment.
At the same time, Mr. Avante said “48 hours might be too limiting as there may be cases where it will take longer to assess the situation.”
Ildefonso R. Jimenez, UCPB senior vice-president and corporate secretary, said his bank supports the central bank’s initiative in this regard since “it will enable the BSP to immediately determine the appropriate action to take, including sharing the info[rmation] with other banks and/or the public, if warranted.”
“This is especially important due to advances in technology,” Mr. Jimenez said.
“In order to allow for timely reporting of incidents that occur on a weekend, we believe a two-working day deadline is doable, at least with the initial information thus far gathered by the bank, with the complete report to be given after a full investigation,” he added.
“We also suggest that the amendment specify the IT-related breaches/incidents covered by the regulation.”
While the BSP has been putting in place an “enabling” environment for financial technology, Ms. Fonacier said that banks should also keep their guard up against digital fraud and hacking.
The planned new measure is being prepared for consultation with all affected sectors and is expected to be finalized over the next “three to four months,” the BSP official said, adding that it may be in place within the year.
Ms. Fonacier said this will complement requirements for affected lenders to disclose to the central bank damage incurred from cases of theft and fraud, among others.
Separately, Mr. Espenilla has said that the BSP has been looking at how to maximize new technologies for its regulatory work, including use of chatbots to assess customer complaints as well as of electronic forms to collect data from supervised firms.
