
The Block Box
By Donald Lim
In boardrooms across the Philippines, cybersecurity is often discussed — yet still misunderstood. For too many companies, it is still seen as a technical issue, a cost center, or an IT department’s “problem to solve.” That thinking is dangerously outdated. In today’s digital economy, cybersecurity is not merely an operational concern — it is a core business risk, a compliance obligation, and, increasingly, a matter of corporate survival.
The reality is stark: cyberattacks are no longer confined to large multinationals or technology firms. Filipino corporations in manufacturing, retail, logistics, healthcare, and even education are finding themselves in the crosshairs. In recent years, we’ve seen high-profile breaches in major banks, telcos, hospitals, and government databases, including the 2023 PhilHealth ransomware attack that compromised millions of members’ personal data and disrupted services nationwide. Just last year, the Commission on Elections faced renewed scrutiny over alleged vulnerabilities in its systems, a reminder that even the democratic process can be threatened by cyber insecurity. These are not isolated incidents — they are part of an accelerating trend.
A single breach can cripple operations for days, sometimes weeks. Data can be stolen, destroyed, or locked behind ransom demands. Confidential contracts, intellectual property, and customer information can be leaked online within hours. The immediate financial damage is often compounded by the slower, more corrosive harm to a company’s reputation and customer trust. Once that trust is gone, it can take years — and millions in marketing and legal fees — to restore.
The legal repercussions are equally serious. The Philippines’ Data Privacy Act of 2012 imposes strict requirements on how organizations collect, process, and protect personal data. Failure to comply, or to report breaches in a timely manner, can lead to administrative fines, civil damages, and even criminal liability. Beyond the Data Privacy Act, companies in regulated sectors — such as banking, insurance, and telecommunications — face additional obligations under industry-specific laws and guidelines issued by the Bangko Sentral ng Pilipinas, the Insurance Commission, and the National Telecommunications Commission. Non-compliance can trigger penalties, suspension of licenses, and the loss of regulatory trust.
In the modern business environment, the CEO and board of directors cannot claim ignorance. Cybersecurity governance is now part of good corporate governance. Regulators and investors are increasingly expecting boards to understand their organization’s cyber posture, ensure adequate investment in security measures, and establish clear accountability. Delegating cybersecurity entirely to the IT department is not only risky — it’s negligent.
When a cyberattack hits, it’s not just servers that go down. It’s sales. It’s supply chains. It’s customer relationships. The damage often extends to shareholder confidence, credit ratings, and employee morale. These are strategic matters that fall squarely within the responsibilities of the CEO and the board.
The risks fall into four broad categories. First is business risk — the direct financial losses from theft, fraud, or operational downtime. For companies with tight margins, even a few days of lost productivity can mean missing quarterly targets. Second is reputation risk — the loss of customer trust, media backlash, and brand damage that can follow a high-profile breach. Third is compliance and legal risk — failure to adhere to laws like the Data Privacy Act or industry-specific regulations, leading to penalties, lawsuits, and the loss of licenses. Fourth is strategic risk — the long-term erosion of competitive advantage when intellectual property is stolen, or confidential strategies are exposed.
For these reasons, cybersecurity must be elevated to the highest levels of corporate strategy. This means the CEO should personally champion the issue, ensuring it is discussed regularly at board meetings and included in enterprise risk management frameworks. The board should have at least one member with cybersecurity expertise — or access to independent advisors who can provide informed oversight.
Establishing a cybersecurity governance mechanism is essential. This begins with defining clear roles and responsibilities across the organization, from the boardroom to the front line. Policies must be regularly updated to reflect evolving threats, and incident response plans should be tested through simulations, so everyone knows their role when — not if — a breach occurs. Cyber risk assessments should be conducted at least annually, and the results should be reported to the board.
Investment in cybersecurity should be treated as an investment in business continuity and competitive advantage — not as an expense to be minimized. This includes adopting multi-layered defenses such as endpoint protection, intrusion detection, network segmentation, and secure cloud configurations. Equally important is investing in people: employees remain the first and last line of defense, and they need continuous training to recognize phishing attempts, handle data securely, and follow incident protocols.
Another critical aspect is supply chain security. Many breaches occur not through the targeted company itself, but through its vendors, contractors, or technology partners. CEOs must ensure that third-party risk management is part of their cybersecurity framework, with vendors required to meet specific security standards.
The private sector must also work hand in hand with government agencies, industry associations, and cybersecurity councils to share threat intelligence, coordinate responses, and advocate for stronger policies. Cybercrime is a moving target; only by pooling knowledge and resources can we hope to stay ahead.
Some executives may still believe that cybersecurity is purely defensive — designed only to stop attacks. That mindset underestimates its potential as a business enabler. A company known for protecting customer data and respecting privacy can differentiate itself in a crowded market. Strong security can also open doors to partnerships, foreign investment, and access to new markets, particularly in sectors where compliance with global data protection standards is a prerequisite.
The call to action for CEOs is clear. Cybersecurity can no longer be a delegated technical task buried in the IT department. It is a leadership priority. It is a governance issue. And it is a strategic investment in the resilience and future of the business.
Companies that ignore this reality are not only risking financial loss — they are gambling with their reputation, their compliance standing, and, ultimately, their survival. In an era where cyber threats are constant and evolving, the companies that thrive will be those whose leaders take ownership of security, embed it into corporate culture, and make it part of their strategic DNA.
Cybersecurity is not just about protecting data. It is about protecting the trust that keeps customers loyal, the confidence that keeps investors engaged, and the resilience that keeps businesses running — no matter what the digital world throws at them. And that responsibility begins, and ends, at the very top.
Dr. Donald Lim is the founding president of the Blockchain Council of the Philippines and the lead convenor of the Philippine Blockchain Week. He is also the Asian anchor of FintechTV.