Original post by Reicelene Joy N. Ignacio, Reporter , published on Business World
TO HELP strengthen the banking industry’s resilience to cyber attacks, the Bangko Sentral ng Pilipinas (BSP) has ordered BSP-supervised financial institutions (BSFIs) to participate in a cybersecurity sharing platform hosted by the Bankers Association of the Philippines (BAP).
“In order to further strengthen the industry’s cyber-resilience amidst growing threats, the BSP reiterates the need for BSFIs to have a collective, coordinated and strategic cyber response through information sharing and collaboration,” according to BSP Memorandum No. M-2019-016 issued on June 11 and published last June 13 as signed by Sector-in-Charge Restituto C. Cruz of the Financial Supervision Sector.
“As cyber-attacks can be launched even against BSFI’s with simple IT (information technology) profiles, the BSP enjoins all BSFIs to participate in the BAP Cybersecurity Incident Database (BAPCID)…,” the memorandum further read.
BAPCID is a platform hosted by BAP used for sharing industry-wide and cyber threat and best practices.
The memorandum further stated that through the database, BSFIs can raise “the level of situational awareness” as the latest tactics, techniques, and procedures of cyber threat actors that target financial institutions, including those in the dark web, will be shared.
“The BSP, as an advisory member of the BAPCID, shall also use the BAPCID platform in the issuance of specific cyberthreat advisories and memoranda,” read the memorandum.
In March, BSP Governor Benjamin E. Diokno said that he would strengthen the central bank’s capacity to respond to cyberthreats, which he called the “number one threat to any financial system.”
The BSP started to become stricter in its rules in 2016 after unidentified hackers transferred an amount of $81 million from Bangladesh Bank’s account at the New York Federal Reserve to a Makati branch of Rizal Commercial Banking Corp.
For one, the BSP requires all supervised financial firms to report any cyber-attacks or data breach cases within two hours upon discovery, followed by a more detailed report the next day.