Businesses have continued to rely heavily on Information Technology (IT) for the efficient delivery of products and services in response to emerging market trends and evolving client needs. However, as financial institutions keep pace with these developments, their exposure to cyber-threats and attacks also increases.
Recently, the public has been quick to raise concerns over suspicious and unauthorized transactions involving their deposits in certain large Philippine banking corporations.
With the use of social media platforms, customer complaints spread and become publicized quickly. Accordingly, cyber threats and attacks confronting the financial services industry pose added risks that can undermine public trust and confidence in the financial system, which may in turn adversely affect the overall economic and financial stability of the country.
Recognizing the risks in the rapidly evolving technology landscape, the Monetary Board of the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 982, Series of 2017, on Enhanced Guidelines on Information Security Management (the Guidelines) covering BSP Supervised Financial Institutions (BSFI).
Pursuant to the Guidelines, the BSP shall determine the IT profile of each BSFI and thereafter classify it as “Complex,” “Moderate,” or “Simple” by considering several factors such as, but not limited to, the degree of automation of core processes and applications; the size of the branch network; the aggressiveness in providing digital financial products and services; the extent of outsourced services; the systemic importance of the BSFI; and the volume, type, and severity of cyberattacks and fraud targeting that specific BSFI.
The goal of the Guidelines is to ensure that every BSFI has an information security posture appropriate to its IT profile. As such, the Guidelines require the establishment of an Information Security Strategic Plan (ISSP) aligned with the BSFI’s business plan. The ISSP is essentially a road map guiding the transformation of IT security from its current state to the desired state.
To implement the ISSP, a comprehensive, well-designed, and effective Information Security Program (ISP) must be put in place which shall require not only the strong support of the Board of Directors (Board) and the Senior Management, but also the cooperation of all stakeholders.
Senior Management is generally responsible and accountable for executing the ISSP and ISP within the bounds and thresholds set by the Board. Hence, both the ISP and the ISSP must clearly identify the direction of the Board and Senior Management on cybersecurity.
Senior Management also appoints the Chief Information Security Officer (CISO), who shall be responsible for the organization-wide ISP. The CISO shall have sufficient independence to perform this mandate and must therefore report to the Board or a designated committee. This notwithstanding, crucial roles are expected to be properly established and performed across the entire organization, specifically by the IT department, business line managers, the security department, and other employees.
An integral part of the ISP and of the enterprise-wide risk management system is the Information Security Risk Management (ISRM) framework, which is a dynamic interplay of people, policies and processes, and technology.
The ISRM framework is founded upon the underlying principles of strong leadership and effective Information Security governance and oversight; integrated, holistic and risk-based approach; and cyber-threat intelligence and collaboration.
The Guidelines detail the principle of Continuing Cycle which involves the following steps:
Identify. This starting point of the cycle entails understanding the business processes and functions in order to determine the system’s vulnerability to cyber-related risks.
Prevent. Upon assessment of the cybersecurity posture and cyber risks, mechanisms for prevention of, or protection from, cyber-threats must be designed and implemented. This involves spreading cybersecurity awareness as well as putting in place physical and technical controls to ensure the confidentiality, integrity, and availability of information.
Detect. This phase involves the prompt detection of anomalous activities through alerts and notifications.
Respond. Upon confirmation that a cyberattack has occurred, the BSFI concerned is expected to respond as quickly as possible to keep it from spreading further, given how rapidly its effects can unfold.
Recover. This phase encompasses the resumption of the BSFI’s activities until full recovery is achieved. Recovery measures include the establishment of back-up facilities and alternate sites with acceptable levels of security.
Test. BSFIs need to assess whether the security measures implemented are as effective as intended. As the goal is cybersecurity commensurate with the complexity of the BSFI’s IT profile, BSFIs should assess their own IT profile classification on an ongoing basis, notwithstanding the assessment and classification process conducted by the BSP.
In complying with the Guidelines, BSFIs are reminded to fully consider and observe relevant laws and regulations such as the Law on Secrecy of Bank Deposits (RA 1405) and the Data Privacy Act of 2012 (RA 10173). Hopefully, with the enhanced Guidelines, cyberattacks will be promptly responded to and properly addressed, if not totally prevented.
The views and opinions expressed in this article are those of the author. This article is for general informational and educational purposes, and not offered as, and does not constitute, legal advice or legal opinion.
Anne Caroline C. Bugayong is an Associate of the Corporate and Special Projects Department of the Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW).