BSP readies banks’ cybersecurity upgrades

Cyber criminals continue to look for ways  to hit information technology (IT) systems of companies and various institutions.

In the case of Philippine banks, these institutions have upped their system especially since the Bangko Sentral ng Pilipinas (BSP) now rate these financial institutions in terms of their IT security strength and their risk management framework among others.

“There is an established process wherein we deploy enforcement action all the way from corrective action for the worst cases to no action,” BSP Governor Nestor A. Espenilla Jr. said.

The central bank chief declined to give figures on banks’ cybersecurity ratings but stressed that these are “getting better.”

He explained that regulators “are also adjusting to the environment” since “cybercriminals are becoming more and more aggressive.”

“And it’s a full time operation. It’s their business (that) they do nothing but attack so what we are doing is elevated standards as well.
These standards cover, among others, electronic banking (e-banking) transactions.
Among these circulars is Circular No. 808 issued in August 22, 2013, which classify bank’s IT risk profile as either “complex” or “simple’ and is based primarily on banks’ degree of adoption of technology.
Espenilla said since the standards were put in place in 2013 enhancements have been introduced and will continue to be improved to ensure that these prevent the rising number of risks.
“But now it’s a major overhaul of the standards to bring it to the next level…So those who were doing well in the old standard will probably have some running to do in the new standard,” he said.
The BSP chief said a plus towards this measure is top executives’ and not just IT personnel’s understanding on the need to put the necessary measures to thwart risks.
He said that if the banks’ Board of Directors does not realize the need to enhance cybersecurity then “they will not invest enough resources in this, which is the one that makes a bank or financial institution fundamentally vulnerable to cybercrime.”
“And then there are some prescriptive measures there in terms of what are the expectations and we just basically adopted international, prevailing international standards on this,” he added.