The Securities and Exchange Commission (SEC) has advised corporations to strengthen their cybersecurity as more Filipinos turn to digital transactions amid the Covid-19 pandemic.
The agency on June 9 issued a notice encouraging corporations to assess their exposure to cybersecurity risks and craft the appropriate policies and measures, in light of recent reports of hacking incidents.
“Digital transformation benefits businesses, allowing them to improve their productivity and realize greater efficiencies, but not without risks,” SEC chairperson Emilio B. Aquino said.
The Covid-19 pandemic has amplified the advantages of digital technologies, as companies shifted to low-touch and online-only services in response to the stringent social distancing and quarantine measures imposed across the world.
In the Philippines, digital technologies have allowed some companies to sustain their operations while the country was placed under enhanced community quarantine. As digital transactions increased, however, reports of phishing attempts, data breaches and other cyberattacks likewise emerged.
“Cybersecurity is more than an IT matter,” Aquino noted. “It is a corporate governance issue that companies should give serious attention to and proactively manage, as cyberattacks could damage their reputation, disrupt their operations, and eventually jeopardize their profitability and enterprise value.”
In this light, the SEC urged the boards of directors and senior management teams, in particular, to ensure they understand and can effectively confront the cybersecurity risks faced by corporations.
“The boards of directors of companies must ensure that a robust cybersecurity strategy is in place and that existing cybersecurity measures, including regular penetration testing and risk assessments, remain effective amid the evolving security landscape,” Aquino said.
The SEC has been pushing cybersecurity and data privacy in the corporate sector, integrating best practices and standards in various rules and regulations. For one, the corporate governance codes issued by the agency recommended that corporate boards establish audit committees, whose duties and responsibilities include the monitoring and evaluation of the security of information assets.
In the capital market, the SEC requires broker dealers, exchanges, clearing agencies, securities depositories and other participants to have a comprehensive information technology plan. Capital market participants are further mandated to subject their IT, business continuity, and disaster recovery plans, and risk management systems to regular review and audit by independent firms.
In 2016, the SEC also required capital market participants to report their compliance with data privacy and protection regulations. Republic Act No. 10173, or the Data Privacy Act of 2012, for one, requires organizations both in the government and the private sector to develop their privacy manuals.