Banks told to keep up with evolving cyber attacks


The Bangko Sentral ng Pilipinas (BSP) issued a public advisory and a memo on Friday reminding banks to ensure uninterrupted banking services during the two-week stricter lockdown and to exercise extra vigilance against cyber attacks and data breaches.


“The BSP will closely coordinate with the banking industry to ensure continuous delivery of banking services during the Enhanced Community Quarantine (ECQ) from August 6 to 20, 2021,” the central bank said in a statement. “BSP reminds banks to adopt necessary protocols against the transmission of the COVID-19 virus. This is in line with efforts to maintain banking industry operations despite alternative work arrangements and heightened restrictions imposed in Metro Manila and other localities during this period,” it added.

BSP Deputy Governor Chuchi G. Fonacier also signed a new memo (BSP Memorandum No. M-2021-043) reminding banks not only to remain vigilant against cyber-related crimes, but also to keep up with the evolving trends in cyber attacks and data breaches, now that most financial consumers are migrating to digital transactions.

All BSP supervised financial institutions (BSFIs) are reminded to promptly report to the BSP any significant data loss or massive data breach and other cyber-related incidents, and to also notify the National Privacy Commission and their customers for data breaches involving sensitive personal information pursuant to applicable data privacy laws and regulations, said Fonacier in the memo.

“The fight against data breaches, and cyber-attacks in general, continues to depend on the BSFI's ability to raise the level of its situational awareness against latest tactics, techniques and procedures of cyber threat actors, and enhancing their security capabilities as part of their overall defense-in-depth cyber security strategy,” she said.

The memo detailed data breach prevention and control mechanisms that BSFIs should put in place, such as regularly conducting information security education and awareness campaigns that incorporate data protection standards and procedures.

BSFIs are also reminded to have adequate security policies, procedures and standards covering areas such as: data classification and control; identity and access management following the principles of least privilege and segregation of duties/functions; remote work arrangements and bring your own device (BYOD); vulnerability and patch management; outsourcing and vendor management; enhanced screening and hiring practices for officers and employees handling sensitive information; secure destruction and disposal of data and media; and activity monitoring, auditing, and logging.

The memo said BSFIs should also strengthen their implementation of security technologies and solutions such as: encryption for both data at rest and data in transit; automated data discovery and classification; data loss prevention; database activity monitoring; and endpoint security.

In the meantime, Fonacier said banks should remain alert in properly identifying the systems and processes that involve sensitive information, in implementing controls commensurate with those risks, and in adopting a defense-in-depth approach to managing cybersecurity.

Fonacier said that with digitalization, “massive” volumes of data and information are being accessed, stored, processed, and/or transmitted across banking networks by customers and third-party providers.

“(The) alternative working arrangements allow BSFIs' employees to remotely access internal systems and applications which may potentially expose sensitive and confidential information, if not properly secured and managed. Likewise, the adoption of cloud computing platforms and services by BSFIs adds complexity and challenges in ensuring data security, integrity and privacy,” said Fonacier.

As BSFIs’ technology and cybersecurity advance, the risks of data breaches or data leaks are also rising, which Fonacier warned could lead to reputational, operational, legal, and regulatory risks.

A data breach, as described by the BSP, is the “intentional or unintentional disclosure of sensitive information to unauthorized recipients or a cyber-incident involving the theft of data and/or information.” A data breach can also result from “exploits on systems and network vulnerabilities, improper access rights management, or insider misuse of information.”

“This may occur due to simple errors such as sending an email to incorrect recipients, misplacing or theft of an unencrypted storage media, or utilizing a free digital platform without understanding the terms and conditions of its use,” said Fonacier.