Cybersecurity firm Kaspersky said Philippine banks should use the new cybersecurity self-assessment requirement of the Bangko Sentral ng Pilipinas (BSP) to address weaknesses in their systems instead of treating it as a compliance exercise.
The warning came after the BSP issued Circular No. 1232, which replaced its previous cybersecurity rating system with the Supervisory Assessment Framework (SAFr).
The new framework introduces the Cybersecurity Control Self-Assessment (CCSA), requiring BSP-supervised financial institutions to regularly evaluate and report the strength of their cybersecurity measures.
“The Philippine government is taking concrete steps to raise the bar for cybersecurity across the financial system, and banks must move with the same urgency,” said Heng Lee, director of government affairs and public policy for Asia Pacific at Kaspersky.
“Compliance is no longer a box to tick. Institutions that use the CCSA to drive real improvements will not only meet regulatory expectations but will be far better positioned to defend their customers against the growing threat landscape.”
Kaspersky cited findings from the 2025 Security Operations Center Capability Maturity Model (SOC-CMM) report, which showed that 58 percent of organizations worldwide are falling short of their own cybersecurity maturity targets.
The company said the BSP framework could expose similar gaps among Philippine banks.
According to Kaspersky, banks should treat weaknesses identified through the CCSA — including gaps in security operations center maturity, detection systems, and incident response readiness — as operational issues that require immediate action.
The company also urged banks to go beyond the BSP’s minimum requirements by using internationally recognized assessment tools such as SOC-CMM to measure security maturity across people, processes, and technology.
Kaspersky added that many security operations centers remain too focused on reacting to threats instead of preventing them, often processing large volumes of alerts without addressing underlying detection issues.
The firm also said banks should broaden how they measure cybersecurity performance, noting that response speed alone should not define effectiveness.
Detection quality and overall resilience of a security program, it said, are equally important indicators under the BSP’s new framework.


