Cyberthreat reporting rule to be issued by BSP
Cyberthreats encountered by banks will have to be quickly reported under soon-to-be-issued rules aimed at strengthening the industry, a senior Bangko Sentral ng Pilipinas (BSP) official said on Tuesday.
Central bank Deputy Governor Chuchi Fonacier said the BSP was looking to implement a 24-hour prescriptive period for cyberthreat reporting by supervised financial institutions.
She explained that member banks would be required to file reports to the Bankers Association of the Philippines (BAP), which will forward these to the BSP.
“This will allow the industry to have a clearer view of the situation,” Fonacier said, adding that it will also help the BAP to facilitate compliance with cybersecurity rules.
The BAP is the lead organization of country’s universal and commercial banks.
Its members include Asia United Bank, BDO Unibank Inc., BDO Private Bank Inc., Bank of Commerce, Bank of the Philippine Islands, China Banking Corp., CTBC Bank (Philippines) Corp., Development Bank of the Philippines, East West Banking Corp., Land Bank of the Philippines, Maybank Philippines Inc., Metropolitan Bank and Trust Co., Philippine Bank of Communications, Philippine National Bank, Philtrust Bank, Philippine Veterans Bank, Rizal Commercial Banking Corp., Robinsons Banking Corp., Security Bank Corp. Union Bank of the Philippines, and United Coco Planters Bank.
The BSP last year implemented implement tighter cybersecurity measures aimed at establishing an information and security risk management framework for banks.
The rules highlighted the role of the bank boards and senior management in spearheading sound information security governance and a strong security culture within their respective networks.
BSP-supervised financial institutions (BSFIs), the central bank said, should manage risks via “a dynamic interplay of people, policies, processes, and technologies following a continuing cycle (i.e. identify, prevent, detect, respond, recover and test phases).”
It also called for participation in information sharing and collaboration forums, enhanced situational awareness capabilities as well as the adoption of advanced cybersecurity controls and countermeasures.
One requirement is the establishment of a 24/7 securities operations center (SOC) equipped with advanced technologies and manned by competent analysts.
The rules recognize that BSFIs have varying degrees of cyber maturity and exposure to cyber risk so profile classifications have been expanded to “complex”, “moderate” and “simple” to allow for compliance flexibility.
Those classified as “complex”, for example, will definitely have to adopt advanced cybersecurity tools and processes such as the establishment of SOCs.
The post Cyberthreat reporting rule to be issued by BSP appeared first on The Manila Times Online.