With digital transformation on the rise, the Bangko Sentral ng Pilipinas (BSP) has stepped up its fight against cyber threats by establishing a baseline and coordinated industry response plan to curb or minimize widespread damage and systemic risk in the event of cybersecurity breaches.
During the launch of the 2024-2029 Financial Services Cyber Resilience Plan (FSCRP) on Tuesday, Aug. 6, BSP Governor Eli M. Remolona Jr. called on banks, non-banks and all BSP-supervised financial institutions (BSFIs) to implement the FSCRP as it is developed because the incident response protocols and mechanisms within the plan will effectively address evolving threats and systemic cyber risk.
He emphasized that the FSCRP “is a key pillar in the industry’s cybersecurity journey” and that it is critical to “building trust, reliability, and security in financial services.”
The FSCRP complements the Anti-Financial Scamming Act (AFASA), which was enacted into law on July 20, 2024. AFASA makes it possible to share information to curb financial crimes such as social engineering schemes and money mules.
Remolona said that with the “rapid” digital transformation in financial services, cybersecurity is now more important and crucial in combating cyber systemic risk. The International Monetary Fund and Bank for International Settlements define systemic risk as the “disruption to any part of the financial system that adversely affects the rest of the economy.”
He encouraged BSFIs, relevant financial market infrastructures and cybersecurity organizations to participate in the FSCRP development because, with interconnected IT systems, a cyber attack on a single bank will affect other banks’ payment operations and liquidity position and could lead to a systemic problem.
The FSCRP is a comprehensive roadmap and primary framework to enhance the financial services sector’s resilience against cyber threats.
The FSCRP manual, which was released on Tuesday, outlined high-level goals and strategies that BSP and BSFIs will implement in the next five years.
The launch drew more than 200 executives from BSFIs, industry associations, and government agencies such as the Department of Information and Communication Technology (DICT) and the Bankers Association of the Philippines (BAP).
The BSP said FSCRP complements and aligns with the National Cybersecurity Plan 2028, which is implemented by DICT as lead agency. Meanwhile, the BAP Cybersecurity Incident Database or BAPCID is also a critical component of the FSCRP as the industry’s cybersecurity information sharing platform.
At the moment, the BSP collects cyber threat information from BSFIs via rules that require BSFIs to immediately submit cyber incident reports. The BSP receives more cyber intelligence from other sources, including the DICT.
Based on the FSCRP, to set an industry response plan for this year, the BSP is targeting an inventory and mapping of critical financial institutions with interdependencies. This includes the identification of cyber risk concentrations.
For 2024, the BSP also plans to complete the playbook on data breach. Cybersecurity playbooks are documents that have detailed information on specific incidents and how to deal with them.
For next year, the FSCRP will establish the baseline incident response plan research and the “criticality” of BSFIs and interdependencies. This will also involve the development of the playbook on supply chain attacks.
By 2026, the BSP said it will finalize BSFIs’ incident response plan and roll out the training and awareness program under the FSCRP. By this time, a playbook on the application programming interface should be done.
In the next two years, the BSP also aims to conduct progressive industrywide cyber testing exercises to continually improve cyber defenses and capabilities.
For the years 2027 until 2029, the BSP said it will review the emerging cyber threats to make the FSCRP relevant. As it is, the FSCRP will be reviewed every quarter starting this year.
Besides the AFASA, the BSP said it is also crucial for the FSCRP that the Amended Bank Secrecy Law is approved by 2026 or 2027.
The central bank said the Amended Bank Secrecy Law is “currently being abused by cyber threat actors and scammers.”
The BSP has identified other goals and strategies for the next three to five years, including active information sharing and collaboration, especially with the banking industry through the BAP; the establishment of a strong cybersecurity culture and awareness; and holistic cybersecurity best practices and standards.
Citing data from the IBM X-Force Threat Intelligence Index 2023, the BSP said the financial sector was a consistent target of cyber threat actors from 2018 until 2022, second only to the manufacturing sector in terms of share of attacks by industry.
"The increasing propensity and sophistication of cyber attacks in the financial sector alongside the growing interconnections with third parties' IT systems accelerate system risk and pose a significant threat to financial stability," said the BSP in the FSCRP report.
Last year, based on BSFIs' cyber threat reports to the BSP, 59.48 percent of cyber fraud losses were caused by account takeover, identity theft and phishing.
Cyber threat actors use generative artificial intelligence or AI in phishing emails and conduct identity theft and account takeover through "deep fake" technology, said the BSP.