Businesses have continued to rely heavily on Information Technology (IT) for the efficient delivery of products and services in response to emerging market trends and evolving client needs. However, as financial institutions strive to keep pace, their exposure to cyber threats and attacks also increases.
Recently, the public has been quick to raise concerns over suspicious and unauthorized transactions involving their deposits in certain large Philippine banking corporations.
Through social media platforms, customer complaints have spread and been publicized quickly. Accordingly, the cyber threats and attacks confronting the financial services industry pose added risks that can undermine public trust and confidence in the financial system, which, in turn, may adversely affect the overall economic and financial stability of the country.
Recognizing the risks in the rapidly evolving technology landscape, the Monetary Board of the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 982, Series of 2017, on Enhanced Guidelines on Information Security Management (the Guidelines) covering BSP-Supervised Financial Institutions (BSFI).
Pursuant to the Guidelines, the BSP shall determine the IT profile of each BSFI and thereafter classify it as “Complex,” “Moderate,” or “Simple” by considering several factors such as, but not limited to, the degree of automation of core processes and applications; the size of branch networks; the aggressiveness in providing digital financial products and services; the extent of outsourcing services; the systemic importance of a BSFI; and the volume, type, and severity of cyberattacks and fraud targeting a specific BSFI.
The goal of the Guidelines is to ensure that every BSFI has information security appropriate to its IT profile. As such, the Guidelines require the establishment of an Information Security Strategic Plan (ISSP) aligned with the BSFI’s business plan. The ISSP is essentially a road map guiding the transformation of IT security from its current state to the desired state.