In response to the increasingly persistent, sophisticated and targeted attacks launched against financial institutions, the Monetary Board (MB) recently approved amendments to existing regulations which tighten the reporting regime for Bangko Sentral ng Pilipinas (BSP) supervised financial institutions (BSFI) on cyber-related incidents and operational disruptions.
Prompt reporting of these incidents by BSFI will allow the BSP to have an enhanced visibility on the changing IT risk landscape and to proactively ensure that their impact and resulting risks are minimized and contained to avert potential systemic risks to the financial system.

From 10 calendar days prescribed under existing regulations, BSFI are now required to report major cyber-related incidents and disruptions of financial services and operations within two hours from discovery of the incident.

This was necessary in view of the speed of exploitation, proliferation of attack tools and actors and potentially massive extent of damage from cyber-related incidents.  Having quick access to information on these incidents will enable the BSP to alert other banks, industry associations and other relevant stakeholders that may be affected by a specific attack.

After the initial notification, the affected BSFI are likewise mandated to submit a follow-up report within 24 hours from the incident containing information such as the manner and time of initial detection, impact of the incident and initial remedial response.

The BSP was to closely monitor the situation, coordinate with the concerned BSFI and undertake appropriate supervisory actions if warranted, until full resolution of the incident.
Further, the BSP may swiftly issue appropriate advisories, security bulletins and/or policies to prevent recurrence of the incident and promote enterprise and industry-wide operational resilience.

The new regulations are consistent with BSP Circular 982 on enhanced guidelines on information security management issued in 2017 which identified incident reporting as part and parcel of BSFI’ incident management plans.

The new issuance is also timely as BSFI prepare for full compliance to this circular by 26 November 2018.

The new regulations further strengthen the BSP’s cyber-threat surveillance capabilities crucial for industry-wide cyber-preparedness, protection and crisis management.