New BSP rules force banks to check cyber risks more often
By Derco Rosal
The Bangko Sentral ng Pilipinas (BSP) is overhauling its oversight of digital threats, ditching a legacy rating system in favor of a framework that forces banks to conduct more frequent and rigorous self-assessments of their cybersecurity defenses.
This comes as BSP Governor Eli M. Remolona Jr. approved changes aimed at reinforcing the information and cybersecurity “off-site surveillance and risk assessment activities” of financial institutions, amid evolving digital threats and increasing reliance on technology across the financial system.
Under BSP Circular No. 1232, the regulator formally replaced the IT Rating System with the Supervisory Assessment Framework (SAFr) in evaluating BSP-supervised financial institutions (BSFIs). This marks a shift to a more dynamic and risk-based approach to supervision.
Major tools complement this new guideline, namely the Cybersecurity Maturity Framework (CMF), which provides a globally aligned structure for assessing cybersecurity capabilities, and the Cybersecurity Control Self-Assessment (CCSA), which serves as a benchmarking tool to measure current practices and guide improvements.
BSFIs are now expected to be more proactive in managing cyber risks. “All BSFIs are required to have periodic and rigorous self-assessment exercises using more robust data sets and variables as part of their information security risk management system,” the circular read.
Under the new regime, the BSP will evaluate BSFIs’ cybersecurity maturity using the CCSA alongside other supervisory tools.
BSFIs will be classified into four tiers—foundational, established, managed, and optimized—depending on the sophistication of their cybersecurity controls and integration into business operations.
BSFIs in the foundational stage, the lowest category, “demonstrate minimal adoption of control requirements,” with risk assessments that are often ad hoc and not fully embedded in decision-making.
Meanwhile, firms at the upper end are expected to deploy advanced capabilities, where “advanced security tools, technologies, and adaptive capabilities are used to proactively identify and respond to emerging threats.”
According to the BSP, the tiered approach reflects a risk-based philosophy, with BSFIs expected to achieve maturity levels that are proportionate to their operational complexity and risk profile. Still, the regulator encouraged all entities to continuously enhance their cybersecurity posture.
For compliance, BSFIs are required to submit periodic reports, including an annual IT profile, within 25 days after the end of the reference year.
Meanwhile, the CCSA must be submitted on or before March 31 following the end of the reference year for entities identified as having moderate to complex IT profiles.
Detailed submission procedures will be issued separately, including the use of the BSP’s Advanced SupTech Engine for Risk-based Compliance (ASTERisC) platform. To ease the transition, the initial submission of the CCSA will be due within two months of the release of the implementing guidelines.