The Bangko Sentral Ng Pilipinas (BSP) has renewed its guidelines on information security management with a renewed focus on cybersecurity.
Its Monetary Board recently approved pioneering guidelines with the new focus in order to address growing concerns about cyber threats that affect both domestic and global financial communities.
The amendments are part of the company's Strategic Roadmap on cybersecurity.
The BSP says many security research reports show that global cybercrime losses will increase ‘exponentially' and the financial services industry will continue to be a prime target.
It warns that without proper management, Bangko Sentral supervised financial institutions (BSFIs) may result in “legal, reputational and systemic risks”.
The amendments to BSP guidelines include a stronger role for BSFI's Board and senior management. They will be responsible for spearheading sound information security governance and strong security culture within their respective networks.
BSFIs will also mandated to manage information security risks and exposure ‘within acceptable levels' through people, policies, processes and technologies. They will be required to follow the continuous cycle of ‘identify, prevent, detect, respond, recover and test'.
They are also encouraged to include cyber resilience elements such as participation in information sharing and collaboration, enhance situational awareness capabilities and adopt advanced cybersecurity controls and countermeasures.
The BSP suggests that 24/7 security operations centers (SOCs), which are equipped with advanced technologies and controlled by analysts who can monitor emerging and sophisticated cyber attacks.
“The new guidelines recognize that BSFIs are at varying levels of cyber-maturity and cyber-risk exposures which may render certain requirements restrictive and costly vis-à-vis expected benefits,” BSP states.
“Thus, the IT profile classification has been expanded from two (2) to three (3), namely: “Complex”, “Moderate” and “Simple” to provide greater flexibility in complying with the requirements. BSFIs with complex IT profile classification would warrant adoption of advanced cybersecurity tools and processes such as the setting up of an SOC.
BSP acknowledges that its Strategic Roadmap on cybersecurity must balance the promotion of innovation and cyber risk management..
“The new guidelines, one of the first in Southeast Asia, cover a holistic framework on information security risk management (ISRM) as an integral part of the BSFIs' information security program, enterprise risk management system and governance mechanisms. The new Circular incorporates, to the extent possible, key principles and concepts from leading standards, technology frameworks and global best practices on information security,” BSP concludes.
BFSIs have one year to comply with the provisions. Action plans and timelines will be made available on request from December 2017.