In order to promote cyber resilience across the entire banking industry, the Monetary Board (MB) recently approved pioneering guidelines on information security management that place a renewed focus on cybersecurity. This addresses the growing concern about the fast-evolving cyber-threats that continue to confront global as well as domestic financial communities.
The cyber-threat landscape has continuously evolved, with more threats surfacing in the cyber realm in an increasingly complex and sophisticated fashion. Various research studies and publications project global cybercrime losses to increase exponentially, with the financial services industry remaining a prime target across all industries. If not properly managed, cyber-threats and attacks launched against Bangko Sentral supervised financial institutions (BSFIs) may result in operational, legal, reputational, and systemic risks.
The amendments highlight the role of the BSFIs’ Board and senior management in spearheading sound information security governance and a strong security culture within their respective networks. Likewise, BSFIs are mandated to manage information security risks and exposures within acceptable levels through a dynamic interplay of people, policies, processes, and technologies following a continuing cycle (i.e. identify, prevent, detect, respond, recover and test phases). The Circular also encompasses key elements of cyber resilience such as participation in information sharing and collaboration fora, enhancing situational awareness capabilities, and the adoption of advanced cybersecurity controls and countermeasures. A good example is the requirement to set up a 24 by 7 security operations center (SOC) equipped with advanced technologies and manned by competent analysts to proactively monitor emerging and highly sophisticated cyber-threats and attacks.
The new guidelines recognize that BSFIs are at varying levels of cyber-maturity and cyber-risk exposure, which may render certain requirements restrictive and costly vis-à-vis the expected benefits. Thus, the IT profile classification has been expanded from two (2) to three (3), namely “Complex”, “Moderate” and “Simple”, to provide greater flexibility in complying with the requirements. BSFIs with a complex IT profile classification would warrant the adoption of advanced cybersecurity tools and processes, such as the setting up of an SOC.
While not a silver bullet, the new regulation serves as one of the critical components in BSP’s Strategic Roadmap on cybersecurity.
Considering the need to strike the right balance between promoting innovation and managing cyber-related risks, the new guidelines, one of the first in Southeast Asia, cover a holistic framework on information security risk management (ISRM) as an integral part of the BSFIs’ information security program, enterprise risk management system and governance mechanisms. The new Circular incorporates, to the extent possible, key principles and concepts from leading standards, technology frameworks and global best practices on information security.
BSFIs are given one (1) year from the effectivity date of the Circular to fully comply with the provisions thereof. Further, plans of action with specific timelines, as well as the status of initiatives being undertaken to achieve full compliance, should be readily available upon request starting December 2017.