Banking Compliance Issues in Philippines Spark Concern Over Data Breaches
Manila - The Bangko Sentral ng Pilipinas (BSP) has raised concerns over the increasing risks of data breaches or leaks as banks and financial institutions continue to rely on digital platforms to provide essential financial services amid the pandemic.
Concerns Over Data Security
According to BSP Deputy Governor Chuchi Fonacier, banks are required to implement measures to protect customer data and information throughout their life cycle, citing regulations in the Manual of Regulations for Banks (MORB) and the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI). With the adoption of digital platforms, massive amounts of data are being accessed, stored, processed, and transmitted across various systems and networks, making it more vulnerable to cyber-attacks. The shift to remote work arrangements also poses a risk as employees may access internal systems without proper security measures in place.
Risks and Causes of Data Breaches
Fonacier noted that the use of cloud computing platforms adds complexity in ensuring data security, integrity, and privacy. “With these emerging trends in the technology and cybersecurity landscape, risks on data breaches or data leaks become a significant concern leading to reputational, operational, legal, and regulatory risks.” Common causes of data breaches include:
- Simple errors
- System vulnerabilities
- Improper access rights management
- Insider misuse
BSP’s Initiatives to Mitigate Risks
To mitigate these risks, the BSP issued Memorandum 2021-043 requiring banks and financial institutions to implement adequate security policies, procedures, and standards on:
- Data classification and control
- Identity and access management
- Remote work arrangements
- Vulnerability and patch management
- Outsourcing and vendor management
- And more
The regulator also reminded banks to:
- Enhance screening and hiring practices for officers handling sensitive information
- Secure destruction and disposal of data
- Conduct activity monitoring, auditing, and logging
- Implement security technologies such as:
  - Encryption
  - Automated data discovery
  - Endpoint security
Importance of Cybersecurity Awareness and Education
Fonacier emphasized the importance of identifying systems and processes involving sensitive information, adopting a defense-in-depth approach in managing cybersecurity, and conducting information security education and awareness campaigns incorporating data protection standards and procedures.
Reporting Data Breaches
The BSP also reminded banks to promptly report significant data loss or massive data breaches to the central bank and the National Privacy Commission, as well as inform customers of possible data breaches involving sensitive personal information.