Financial Crime World

Cybercrime Threats Loom Large in Philippines’ Financial Institutions Amid Pandemic

The Bangko Sentral ng Pilipinas (BSP) has sounded the alarm over the growing risks of data breaches or leaks as banks and financial institutions increasingly rely on digital platforms to provide essential services amidst the pandemic.

Complexity and Challenges in Ensuring Data Security

According to BSP Deputy Governor Chuchi Fonacier, the rising adoption of cloud computing, remote work arrangements, and third-party services has added complexity and challenges in ensuring data security, integrity, and privacy. Massive amounts of data are being accessed, stored, processed, and transmitted across various systems and networks by customers, third-party providers, and external stakeholders.

Framework for Protecting Sensitive Information

Fonacier emphasized that financial institutions must lay down a framework to protect sensitive information throughout its life cycle. This includes:

  • Providing adequate security policies, procedures, and standards on data classification and control
  • Identity and access management
  • Remote work arrangements
  • Vulnerability management

Common Causes of Data Breaches

A data breach is defined as the intentional or unintentional disclosure of sensitive information to unauthorized recipients or a cyber-incident involving the theft of data or information. Fonacier cited simple errors such as:

  • Sending an email to incorrect recipients
  • Misplacing or theft of unencrypted storage media
  • Utilizing free digital platforms without understanding their terms and conditions

Sophisticated Threats

The regulator also highlighted more sophisticated threats such as:

  • Exploits on systems and network vulnerabilities
  • Improper access rights management
  • Insider misuse of information

Measures to Strengthen Data Breach Prevention and Control Mechanisms

To strengthen data breach prevention and control mechanisms, the BSP issued Memorandum 2021-043, which reminds banks to:

  • Enhance screening and hiring practices for officers handling sensitive information
  • Secure destruction and disposal of data and media
  • Conduct activity monitoring, auditing, and logging

Security Technologies Required

The central bank also required financial institutions to implement security technologies such as:

  • Encryption
  • Automated data discovery and classification
  • Data loss prevention
  • Database activity monitoring
  • Endpoint security

Importance of Proper Identification and Defense-in-Depth Approach

Fonacier emphasized the importance of properly identifying systems and processes involving sensitive information, adopting a defense-in-depth approach in managing cybersecurity, and conducting information security education and awareness campaigns incorporating data protection standards.

Reporting Significant Data Loss or Massive Data Breaches

The BSP also reminded banks to promptly report significant data loss or massive data breaches and other cyber-related incidents to the central bank and the National Privacy Commission (NPC), as well as inform their customers of possible data breaches involving sensitive personal information.

Situational Awareness and Enhanced Security Capabilities

With the increasing reliance on digital platforms, the fight against data breaches and cyber-attacks requires financial institutions to raise their situational awareness against the latest tactics, techniques, and procedures of cyber threat actors and enhance their security capabilities as part of their overall defense-in-depth cybersecurity strategy.