BSP set to issue bank rules on reporting of cyber attacks

A circular that will require banks to report as soon as possible any cyber attack and other information technology-related incidents in their systems is expected to be released in September, a ranking Bangko Sentral ng Pilipinas (BSP) official said.

BSP governor Nestor A. Espenilla Jr.

BSP deputy governor Chuchi Fonacier told reporters their legal division is currently studying the details of the proposed regulation. “(It is) undergoing legal review before approval of the Monetary Board,” she said.

Fonacier, however, declined to elaborate, saying she is not privy to the details of the proposed circular.

Earlier, the central bank official said they are working with the Bankers Association of the Philippines (BAP) on a measure that will require banks to submit reports on any cyber-related problems within 24 or 48 hours after the incident. This is an apparent reaction to the IT glitches experienced by certain banks some months ago, which affected their customers.

BSP has stepped up regulations and required banks to further enhance their IT security systems for them not to fall victims to cyber criminals. It now rates the financial institutions in terms of their IT security strength and their risk management framework among others.

Earlier, BSP governor Nestor A. Espenilla Jr. said the central bank has an established process “wherein we deploy enforcement action all the way from corrective action for the worst cases to no action.” He said banks’ ratings are “getting better” but declined to give specifics.

The BSP has released several circulars on banks’ IT-related processes and these include Circular No. 808 issued in August 22, 2013, which classify bank’s IT risk profile as either “complex” or “simple’, and is based primarily on banks’ degree of adoption of technology.

Espenilla said that since the standards were put in place in 2013, enhancements have been introduced and will continue to be improved to ensure that these prevent the rising number of risks. — Joann Villanueva (PNA)

Comment on this post