148 INFORMATION TECHNOLOGY RISK MANAGEMENT

The enhanced guidelines on Information Technology Risk Management (ITRM) keep abreast of the aggressive and widespread adoption of technology in the financial services industry and consequently strengthen the existing Bangko Sentral framework for IT risk supervision. ITRM should be treated as a component of, and integrated with, the institution’s overall risk management program. The guidelines likewise provide practical plans to address risks associated with emerging trends in technology and growing concerns over cybersecurity.

Policy statement. The rapid pace of digital innovation has significantly reshaped the financial services landscape. BSFIs employ advances in technology to sharpen business insights, enhance operational efficiencies, and deliver innovative financial products and services in line with emerging market trends and evolving client needs. Technological developments also enable greater access to financial services that promote an inclusive and responsive digital financial ecosystem. As technological innovations become more deeply entrenched in business models, infrastructure, and delivery channels, system-related failures and malfunctions can create major operational disruptions in BSFIs. Social media platforms may further complicate matters as news of disruptions as well as customer complaints can spread at unprecedented speeds. Further, cyber-threats and attacks confronting the financial services industry pose added risks that can undermine public trust and confidence in the financial system.

In line with their growing technology usage and dependence at the back of a dynamic operating and cyber-threat environment, BSFIs should establish robust and effective technology risk management processes, governance structures, and cybersecurity controls. This is to ensure that the benefits derived from technological innovations can be fully optimized without compromising financial stability, operational resilience, and consumer protection.

Purpose and scope. The enhanced guidelines aim to provide guidance in managing risks associated with use of technology. The guidelines outlined are based on international standards and recognized principles of international practice for ITRM and shall serve as Bangko Sentral’s baseline requirement for all BSFIs.

The guidelines shall apply to BSFIs which include banks, non-banks with quasi-banking function (NBQB), non-bank electronic money issuers and other non-bank institutions which under existing Bangko Sentral rules and regulations and special laws are subject to Bangko Sentral supervision and/or regulation. Moreover, subject guidelines shall also apply to BSFIs with offshore data processing as may be appropriate to their situation. The framework covers different facets of ITRM, some of which are supplemented with detailed guidelines in Appendices 74, 75, 76, 77, 78 and 79. The Bangko Sentral shall keep the Appendices updated and, in the future, issue additional regulations on new and emerging products, services, delivery channels, and other significant applications of technology.

Subject guidelines, including Appendices 74, 75, 76, 77, 78 and 79, are not “one-size-fits-all”; their implementation needs to be risk-based and commensurate with the size, nature and types of products and services, and the complexity of IT operations of the individual BSFI. BSFIs shall exercise sound judgment in determining the provisions applicable to their risk profile.

IT Profile Classification. To ensure that IT risk management system, governance structure and processes are commensurate with the attendant IT risks, the Bangko Sentral shall determine the IT profile of all BSFIs and classify them as “Complex”, “Moderate” or “Simple”. The IT profile refers to the inherent risk of a BSFI before application of any mitigating controls, and is assessed taking into consideration the following factors:

a. IT infrastructure and operations. The inherent IT risks of a BSFI largely depend on the degree of automation of core processes and applications, the size of its branch network, and the characteristics of its IT organization. BSFIs with larger branch networks and more complex organizational structures usually require a higher degree of reliance on IT systems/infrastructure, which, in turn, carries higher levels of inherent IT risk. Interconnectivity risks also play a factor in determining IT risk levels, since added connections to third-party networks increase complexity as well as exposure to potential information security/cybersecurity risks. These include participation in electronic payment systems and interconnections with other financial institutions, business partners, customers, and third-party service providers, among others.

b. Digital/Electronic financial products and services. Digital/electronic financial products and services provided to the BSFI’s corporate and retail clients, by their very nature, can have a direct impact on IT risks, including information security/cybersecurity risks. This is because these products and services are normally provided via the internet or public networks which are inherently risky. Digital/electronic financial products and services include ATM debit, prepaid and credit cards and e-channels such as ATM terminals, point-of-sale (POS) terminals, internet banking and mobile banking facilities, among others. BSFIs that are more aggressive in providing such services are expected to have greater IT risks.

c. IT projects and initiatives. The extent and nature of the BSFI’s IT projects prospectively impact IT risk exposure and complexity. For instance, developing or acquiring a new core banking system is considered a major project which, if not adequately managed and overseen, may heighten inherent IT risks. IT projects and initiatives also consume current resources in terms of funding and manpower, which might affect existing IT operations and the risk profile.

d. Outsourced services. While outsourcing in general does not diminish the BSFI’s responsibility over the function/service outsourced, outsourcing poses an added dimension to IT and information security risks. For this reason, outsourcing arrangements require a higher degree of oversight, due diligence, and risk management controls. Outsourcing core IT services and functions via cloud computing platforms may further intensify IT and information security risks.

e. Systemic importance. The systemic importance of a BSFI is a critical determinant in assessing inherent IT and information security/cybersecurity risks since BSFIs identified as “Domestic Systemically Important Banks” or DSIBs are essentially larger in size and have more complex operations and product offerings. Moreover, cyber-attacks against DSIBs can have serious implications to financial and economic stability that may undermine public trust and confidence in the financial system.

f. Threats. The volume, type, and severity of cyber-attacks and fraud targeting a specific BSFI affect its IT and cybersecurity risk profiles. Some BSFIs may be more prone to attacks than others by virtue of their asset size, customer base, systemic importance, and other factors. Thus, BSFIs that are likely targets of these types of threats should have a greater degree of cyber-preparedness and resilience.

A general description for each IT profile classification is outlined as follows:

Complex: A BSFI with a complex IT profile uses technology extensively in supporting mission-critical business processes and delivering financial products and services. It has a ubiquitous branch network in the country and offers a wide array of digital/electronic financial products and services to a large number of corporate and retail clients. It is highly interconnected with external third-party stakeholders and actively participates in electronic payment systems and networks, usually involving large-value transfers. Business strategies and objectives are largely anchored on IT platforms, digital innovation, and technology-based solutions. It is also aggressively utilizing/exploring emerging technologies such as cloud computing, social media and big data.

Moderate: A BSFI classified as moderate uses technology to some extent, but not as aggressively as those classified as complex. Its branch network, IT organization and structure, and extent of IT projects are also relatively less significant than those of complex BSFIs. IT applications and systems are integrated but primarily support traditional banking products and services. It may offer basic digital/electronic products and services, such as ATM terminals/card-based products, to a limited number of clients.

Simple: A BSFI classified as simple generally has very limited use of technology with minimal interconnectivity to its clients and other institutions. Likewise, its branch network or geographic presence is confined to a specific locality. IT applications and systems are stand-alone or are not fully integrated, and e-banking products and services are rarely offered. A simple BSFI also has few IT personnel and a small customer base.

The IT profile of rural banks, cooperative banks, NBFIs, and non-bank institutions shall be classified as “Simple”, unless notified by the Bangko Sentral of a higher classification. For other BSFIs, the Bangko Sentral shall notify in writing their assigned classification within a reasonable timeline from 5 December 2017. The Bangko Sentral-assigned classification shall remain effective until such time that the Bangko Sentral informs the concerned BSFI of a change in classification.

The Bangko Sentral assessment and classification process should not preclude BSFIs from assessing their own IT profile classification on an ongoing basis. All BSFIs are required to have periodic and rigorous self-assessment exercises using more robust data sets and variables as part of their information security risk management system.

IT rating system. The Bangko Sentral, in the course of its on-site examination activities, shall evaluate BSFIs’ ITRM system and measure the results based on Bangko Sentral’s IT rating system. A composite rating is assigned based on a “1” to “4” numerical scale, as follows:

Rating 4: BSFIs with this rating exhibit strong performance in every respect. Noted weaknesses in IT are minor in nature and can be easily corrected during the normal course of business.

Rating 3: BSFIs with this rating exhibit satisfactory performance but may demonstrate modest weaknesses in operating performance monitoring, management processes or system development.

Rating 2: BSFIs with this rating exhibit less than satisfactory performance and require a considerable degree of supervision due to a combination of weaknesses that may range from moderate to severe.

Rating 1: BSFIs with this rating exhibit a deficient IT environment that may impair the future viability of the entity, thereby requiring immediate remedial action.

Definition of terms. In these guidelines, terms are used with the following meanings:

a. Advanced persistent threat or APT shall refer to a sophisticated form of attack that involves coordinating multiple methods of identifying and exploiting a target’s vulnerabilities over an extended period to do harm.

b. Card skimming shall refer to the illegal copying of information from the magnetic stripe of a credit or ATM card to gain access to accounts.

c. Cloud computing shall refer to a model for enabling ubiquitous, convenient, and on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

d. Compromised state shall refer to a state wherein someone or something has maliciously broken into networks, systems and computers which raises doubt as to the integrity of information assets, such as but not limited to, program files, image files, and operating system files.

e. Cyber-threat shall refer to a deliberate act of omission or commission by any person, carried out using the internet and/or other electronic channels, in order to communicate false or fraudulent representations to prospective victims, to conduct fraudulent transactions, or to illegally obtain proprietary data or information related to the institution, its customers and other stakeholders. Cyber-threat can be used synonymously with cyber-fraud, cyber-attack or cyber-related incidents.

f. Cybersecurity shall refer to technologies, processes, and practices designed to protect a BSFI’s information assets and consumers by preventing, detecting, and responding to cyber-attacks.

g. Data breach shall refer to an incident in which sensitive, protected or confidential data or information has potentially been viewed, stolen, leaked, used, or destroyed by unauthorized persons.

h. Defense-in-depth shall refer to a security strategy or design of deploying security controls over multiple or various layers across the network, systems, and applications such that a failure in one control would be compensated by another control in the next layer. This approach effectively delays or disrupts an attacker’s ability to progress within the attack sequence.

i. Distributed denial of service (DDoS) shall refer to a type of attack that exploits the capacity limitations of enterprise networks, systems or ingress points by subjecting them to extreme traffic loads.

j. Hacking shall refer to unauthorized access into or interference in networks, systems and computers without the knowledge and consent of the system/information owner.

k. Information security program (ISP) shall refer to information security policies, standards and procedures, security operations, technologies, organizational structures, and information security awareness and training programs aimed at protecting a BSFI’s information assets and supporting infrastructure from internal and external threats.

l. Information security strategic plan (ISSP) shall refer to the roadmap to guide a BSFI in transforming the current state of security to the desired state taking into account business goals and strategies.

m. Information security risk management (ISRM) shall refer to the process of identifying, assessing, mitigating, managing, and monitoring information security risks, including cyber-risk, to ensure these are within acceptable levels. It should be integrated into the BSFI’s ISP and enterprise-wide risk management system.

n. Malware shall refer to malicious software that compromises the confidentiality, availability or integrity of information systems, networks or data. Examples of malware include ransomware, trojans, adware, botnets, bugs, and spyware, among others.

o. Pharming shall refer to a form of cyber-attack that redirects a website traffic to another fake website to obtain user credentials and information.

p. Phishing shall refer to the use of electronic communications such as e-mail to masquerade with trusted identity to capture sensitive information to gain access to accounts. It involves tricking customers into giving sensitive information through fraudulent emails or websites.

q. Reportable major cyber-related incidents shall refer to any cyber-related incidents that meet the criteria for reporting/notification to the Bangko Sentral as laid out in Item “a(2)(a)” of this Section (Reporting and notification standards).

r. Security operations center (SOC) shall refer to a unit or function that provides centralized visibility, continuous monitoring, and rapid response and recovery procedures on security incidents and events.

s. Spearphishing shall refer to a more advanced type of phishing attack which is customized to a particular target (e.g., executives, privileged users, etc.).

t. Threat actor shall refer to a person, group or nation/state/government that carries out or intends to carry out damaging acts against another party. An advanced threat actor shall refer to a person, organized group, or nation/state/government that (a) possesses superior capabilities, resources and skills to launch sophisticated cyber-attacks; or (b) seeks military and/or intelligence information for cyber-espionage purposes.

u. Threat intelligence shall refer to the process of gathering and analyzing information about the proficiencies, tactics, and motives of malicious actors/attackers that enables a BSFI to institute appropriate countermeasures quickly.

a. Operational risk is the risk to earnings and capital arising from problems with service or product delivery. This risk is a function of internal controls, IT systems, employee integrity and operating processes. Operational risk exists in all products and services;

b. Strategic risk is the risk to earnings and capital arising from adverse business decisions on IT-related investments or improper implementation of those decisions. The risk is a function of the compatibility of an organization’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible which include communication channels, operating systems, delivery networks and managerial capacities and capabilities;

c. Reputational risk is the risk to earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. The risk can expose the institution to litigation, financial loss or damage to its reputation; and

d. Compliance risk is the risk to earnings and capital arising from violations of, or non-conformance with, laws, rules and regulations, prescribed practices or ethical standards. Compliance risk also arises in situations where the laws and rules governing certain products or activities of the BSFI’s clients may be ambiguous or untested. Compliance risk exposes the institution to monetary penalties, non-monetary sanctions and the possibility of contracts being annulled or declared unenforceable.

IT Risk Management System (ITRMS). As BSFIs become more dependent on IT systems and processes, technology risks and information security issues have become progressively more complex and pressing in recent years. Information security is just as important as the new technologies being installed by BSFIs. As progress in technology shifts to a higher gear, the trend in cyber-attacks, intrusions, and other forms of incidents on computer systems shows that they will not only persist but will continue to increase in frequency and magnitude.

Management of IT risks and information security issues becomes a necessity and an important part of BSFIs’ risk management system. BSFIs are therefore required to establish a robust ITRM system covering four (4) key components: 1) IT governance, 2) risk identification and assessment, 3) IT controls implementation, and 4) risk measurement and monitoring.

a. IT Governance. This is an integral part of BSFIs’ governance framework and consists of the leadership and organizational structures and processes that ensure the alignment of IT strategic plan with BSFIs’ business strategy, optimization of resources management, IT value delivery, performance measurement and the effective and efficient use of IT to achieve business objectives and effective IT risk management implementation. BSFIs must establish an effective IT governance framework covering the following:

(1) Oversight and organization of IT functions. Accountability is a key concern of IT governance and this can be obtained with an organizational structure that has well-defined roles for the responsibility of information, business processes, applications, IT infrastructure, etc.

The board of directors is ultimately responsible for understanding the IT risks confronted by a BSFI and ensuring that they are properly managed, whereas senior management is accountable for designing and implementing the ITRMS approved by the board. For complex BSFIs, the board may delegate to an IT steering committee (ITSC) or its equivalent IT oversight function the task of cohesively monitoring IT performance and instituting appropriate actions to ensure achievement of desired results. The ITSC, at a minimum, should have as members a non-executive director who oversees the institution’s IT function, the head of the IT group/department, and the highest-ranking officer who oversees the business user groups. The heads of control groups should participate in ITSC meetings in an advisory capacity only.

A charter should be ratified by the board to clearly define the roles and responsibilities of the ITSC. Formal minutes of meeting should be maintained to document its discussions and decisions. The ITSC should regularly provide adequate information to the board regarding IT performance, status of major IT projects or other significant issues to enable the board to make well-informed decisions about the BSFIs’ IT operations.

BSFIs should develop an IT strategic plan that is aligned with the institution’s business strategy. This should be undertaken to manage and direct all IT resources in line with business strategy and priorities. The IT strategic plan should focus on long-term goals covering a three (3) to five (5) year horizon and should be sufficiently supplemented by tactical IT plans which specify concise objectives, action plans and tasks that are understood and accepted by both business and IT. The IT strategic plan should be formally documented, endorsed by the Board and communicated to all stakeholders. It should be reviewed and updated regularly for new risks or opportunities to maximize the value of IT to the institution.

BSFIs should also create an organization of IT functions that will effectively deliver IT services to business units. For complex BSFIs, a full-time IT head or equivalent rank should be designated to take the lead in key IT initiatives and oversee the effectiveness of the IT organization. In addition to managing the delivery of day-to-day IT services, the IT head should also oversee the IT budget and maintain responsibility for performance management, IT acquisition oversight, professional development and training. The IT head should be a member of executive management with direct involvement in key decisions for the BSFI and usually reports directly to the president or chief executive officer.

A clear description of roles and responsibilities for individual IT functions should be documented and approved by the board. Proper segregation of duties within and among the various IT functions should be implemented to reduce the possibility for an individual to compromise a critical process. A mechanism should be in place to ensure that personnel are performing only the functions relevant to their respective jobs and positions. In the event that an institution finds it difficult to segregate certain IT control responsibilities, it should put in place adequate compensating controls (e.g. peer reviews) to mitigate the associated risks.

(2) IT policies, procedures and standards. IT controls, policies, and procedures are the foundation of the IT governance structure. They help articulate the rules and procedures for making IT decisions, and help to set, attain, and monitor IT objectives.

BSFIs should adopt and enforce IT-related policies and procedures that are well-defined and frequently communicated to establish and delineate duties and responsibilities of personnel for better coordination, effective and consistent performance of tasks, and quicker training of new employees. Management should ensure that policies, procedures, and systems are current and well-documented. The ITSC should review IT policies, procedures, and standards at least on an annual basis. Any updates and changes should be clearly documented and properly approved. IT policies and procedures should include at least the following areas:

• IT Governance/Management;

• Development and Acquisition;

• IT Operations;

• Communication networks;

• Information security;

• Electronic Banking/Electronic Products and Services; and

• IT Outsourcing/Vendor Management.

For simple BSFIs, some of the above areas (i.e., development, electronic banking, etc.) may not be applicable, thus sound judgment should be employed to ensure that the BSFI’s IT policies and procedures have adequately covered all applicable areas.

(3) IT audit. Audit plays a key role in assisting the board in the discharge of its corporate governance responsibilities by performing an independent assessment of technology risk management process and IT controls.

Auditors provide assurance that important control mechanisms are in place for detecting deficiencies and managing risks in the implementation of IT. They should be qualified to assess the specific risks that arise from specific uses of IT. BSFIs should establish effective audit programs that cover IT risk exposures throughout the organization, are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies, and provide periodic reporting to the Board on the effectiveness of the institution’s IT risk management, internal controls, and IT governance. Regardless of size and complexity, the IT audit program should cover the following:

• Independence of the IT audit function and its reporting relationship to the Board or its Audit Committee;

• Expertise and size of the audit staff relative to the IT environment;

• Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits;

• Processes in place to ensure timely tracking and resolution of reported weaknesses; and

• Documentation of IT audits, including work papers, audit reports, and follow-up.

Where in-house IT audit expertise is not available, such as for a simple BSFI, IT audit support may be performed by external specialists and auditors of other institutions, consistent with existing Bangko Sentral rules and regulations on outsourcing. (Detailed guidelines/standards on IT Audit are shown in Appendix 74.)

(4) Staff competence and training. The rapid development in technology demands appropriate, skilled personnel to remain competent and meet the required level of expertise on an ongoing basis.

BSFIs should have an effective IT human resources management plan that meets the requirements for IT and the business lines it supports. Management should allocate sufficient resources to hire and train employees to ensure that they have the expertise necessary to perform their job and achieve organizational goals and objectives.

Management needs to ensure that staffing levels are sufficient to handle present and expected work demands, and to cater reasonably for staff turnover. Appropriate succession and transition strategies for key officers and personnel should be in place to provide for a smooth transition in the event of turnover in vital IT management or operations functions.

(5) Management Information Systems (MIS). The BSFIs’ IT organization often provides an important support role for their MIS. Accurate and timely MIS reports are an essential component of prudent and reasonable business decisions. At the most senior levels, MIS provides the data and information to help the Board and management make strategic decisions. At other levels, MIS allows management to monitor the institution’s activities and distribute information to other employees, customers, and members of management.

Advances in technology have increased the volume of information available to management and directors for planning and decision-making. However, if technology is not properly managed, the potential for inaccurate reporting and flawed decision making increases. Because report generation systems can rely on manual data entry or extract data from many different financial and transaction systems, management should establish appropriate control procedures to ensure information is correct, relevant, and adequately protected. Since MIS can originate from multiple equipment platforms and systems, the controls should ensure all information systems have sufficient and appropriate controls to maintain the integrity of the information and the processing environment. Sound fundamental principles for MIS review include proper internal controls, operating procedures, safeguards, and audit coverage.

(6) IT risk management function. Management of risk is a cornerstone of IT Governance. BSFIs should have a policy requiring the conduct of identification, measurement, monitoring and controlling of IT risks for each business function/service on a periodic basis. BSFIs should define and assign these critical roles to a risk management unit or to a group of persons from different units collectively performing the tasks defined for this function.

The function should have a formal technology risk acknowledgement and acceptance process by the owner of risk to help facilitate the process of reviewing, evaluating and approving any major incidents of non-compliance with IT control policies. The process can be supported by the following:

• a description of the risk being considered for acknowledgement by the owner of the risk and an assessment of the risk that is being accepted;

• identification of mitigating controls;

• formulation of a remedial plan to reduce the risk; and

• approval of the risk acknowledgement by the owner of the risk and senior management.

ITRM processes should be integrated into the enterprise-wide risk management processes to allow BSFIs to make well-informed decisions involving business plans and strategies, risk responses, risk tolerance levels and capital management, among others.

b. Risk identification and assessment. BSFIs should maintain a risk assessment process that drives response selection and controls implementation. An effective IT assessment process begins with the identification of the current and prospective IT risk exposures arising from the institution’s IT environment and related processes. The assessments should identify all information assets, any foreseeable internal and external threats to these assets, the likelihood of the threats, and the adequacy of existing controls to mitigate the identified risks. Management should continually compare its risk exposure to the value of its business activities to determine acceptable risk levels.

Once management understands the institution’s IT environment and analyzes the risk, it should rank the risks and prioritize its response. The probability of occurrence and the magnitude of impact provide the foundation for reducing risk exposures or establishing mitigating controls for safe, sound, and efficient IT operations appropriate to the complexity of the organization. Periodic risk assessment process should be done at the enterprise-wide level and an effective monitoring program for the risk mitigation activities should be manifested through mitigation or corrective action plans, assignment of responsibilities and accountability and management reporting.

c. IT controls implementation. Controls comprise the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be mitigated. Management should establish an adequate and effective system of internal controls based on the degree of exposure and the potential risk of loss arising from the use of IT. Controls for the IT environment should generally address the overall integrity of the environment and should include clear and measurable performance goals, the allocation of specific responsibilities for key project implementation, and independent mechanisms that will both measure risks and minimize excessive risk-taking. BSFI Management should implement satisfactory control practices that address the following as part of its overall IT risk mitigation strategy: 1) Information security; 2) Project management/development and acquisition and change management; 3) IT operations; 4) IT outsourcing/Vendor management; and 5) Electronic banking, Electronic payments, Electronic money and other Electronic products and services.

(1) Information security. Information is a vital asset of a BSFI that must be adequately protected and managed to preserve its confidentiality, integrity and availability. Considering the crucial role information plays in supporting business goals and objectives, driving core operations and critical decision-making, information security is intrinsically linked to the overall safety and soundness of BSFIs. Thus, the BSFI needs to put in place a robust, resilient and enterprise-wide framework for information security risk management (ISRM) supported by effective information security governance and oversight mechanisms. Information security risk exposures must be managed to within acceptable levels through a dynamic interplay of people, policies and processes, and technologies and must be integrated with the enterprise-wide risk management system.

Management should adopt a holistic, integrated and cyclical approach to managing information security risks. An ISRM framework should be in place encompassing key elements and phases with effective governance mechanisms to oversee the entire process. The framework represents a continuing cycle that should evolve over time taking into account changes in the operating and business environment as well as the overall cyber-threat landscape.

The ISRM framework is based upon the following underlying fundamental principles and concepts:

(a)  Strong leadership and effective Information Security (IS) governance and oversight. The BSFI’s board and senior management set the overall tone and strategic direction for information security by providing strong leadership, effective information security governance and oversight. They should take the lead in establishing an information security culture that regards security as an intrinsic part of the BSFI’s core business and operations. Instilling a strong security culture ensures that security controls, processes, and measures are deeply embedded into the institution’s lines of business, products, services and processes, including its employees and external relationships. The board and senior management should adopt the right mindset and understand the crucial role of information security in supporting/achieving business goals and objectives. Towards this end, they should oversee the development of an information security strategic plan (ISSP) to clearly articulate security strategies and objectives aligned with business plans.

The BSFI should maintain a comprehensive, well-designed and effective information security program (ISP) that is commensurate with its operational and IT profile complexity. To ensure its effectiveness and sustainability, the ISP should have strong support from the board and senior management as well as cooperation of all concerned stakeholders. Management should see to it that adequate resources, organizational functions/capabilities, policies, standards, and procedures as well as the supporting infrastructure commensurate with the BSFI’s IT risk complexity and appetite are available and optimized to effectively implement the ISSP and ISP. Lastly, the board and senior management should appoint a chief information security officer (CISO), a senior level executive with sufficient authority within the institution, who will be responsible and accountable for the organization-wide ISP.

(b) Integrated, holistic and risk-based approach. The ISRM should form an integral part of the BSFI’s ISP and enterprise risk management system. It encompasses the people, policies and processes, and technology elements in the organization that should be harmonized to support information security goals and objectives. Information security is not achieved by merely focusing on technology or one aspect, and no one element is superior over the others. Each of these elements must work together to achieve the desired security posture and manage information security risks to acceptable levels. In line with the increasing interconnectivity of BSFIs and other industry players, the ISRM should also consider security controls and requirements over third party service providers, customers, banks, and other third party stakeholders which are linked or have access to the BSFI’s network and systems. This is because threat actors may launch their attacks on the BSFI through these third party networks.

Likewise, the ISRM including cyber-risk management programs should be commensurate with the inherent risks involved. This means that the BSFI’s information security controls and maturity levels should be commensurate with its operations and complexity of IT profile. In this regard, in determining whether a certain control requirement is applicable to the BSFI, it shall first assess the complexity of its IT profile pursuant to Sec. 148. BSFIs with complex IT profile are expected to implement the more advanced security control measures and be at the higher levels of the information security/cyber-maturity curve. BSFIs may also refer to leading standards and frameworks issued by standard-setting bodies² on information security and cybersecurity in designing their ISRM.

(c) Continuing cycle. The ISRM involves a continuing cycle consisting of the following six (6) major phases:

(i)   Identify. The starting point of the cycle is the identification of the BSFI’s information security as well as cyber-related risks. Under this phase, management needs to identify its business processes and functions, information assets classified as to sensitivity and criticality, threats and vulnerabilities, interconnections, and security architecture. Identification of these factors facilitates BSFI’s understanding and assessment of its inherent information security and cyber risks which are key inputs in determining, designing, and implementing the appropriate risk treatment options.

(ii)  Prevent. After identifying these key factors and assessing the information security and cyber risks, the prevent phase comes into play where adequate protection mechanisms and controls are designed and implemented. These include measures ranging from baseline to advanced tools and approaches such as defense-in-depth, malware prevention, access controls and cybersecurity awareness programs, among others. These preventive controls are generally categorized into three (3) types, as follows:

(aa) Administrative controls – refer to the policies, standards, and procedures in place which articulate management’s intent, expectations, and direction on information security. These also include security training and awareness programs and personnel security practices designed to prevent unwarranted employee behavior.

(bb) Physical and environmental controls – pertain to the security controls and measures implemented to protect physical infrastructure such as data centers, computer facilities, and equipment from damage, unauthorized access or environmental hazards.

(cc) Technical controls – refer to the logical security controls, security tools, and technologies to ensure that the confidentiality, integrity, and availability objectives for information assets are achieved.

(iii) Detect. Detection capabilities should also be in place as prevention alone is not sufficient. As demonstrated in recent cyber-attacks, the ability of an institution to quickly detect anomalous activities and evaluate the scope of an attack is an important aspect in significantly reducing negative impacts. Management should design and implement effective detection controls over the BSFI’s networks, critical systems and applications, access points, and confidential information.

(iv)  Respond. The response phase is triggered upon confirmation of an occurrence of a cyber-attack or security incident affecting the BSFI and its customers. With the growing incidence of sophisticated cybercrimes and threats, the BSFI should be prepared to respond quickly considering that cyber-attacks are no longer a remote possibility. Therefore, it should develop comprehensive, updated, and tested incident response plans supported by well-trained incident responders, investigators, and forensic data collectors. Through adequate response capabilities, the BSFI should be able to minimize and contain the damage and impact arising from security incidents, immediately restore critical systems and services, and facilitate investigation to determine root causes.

(v)   Recover. This phase encompasses both the resumption of activities at a level which is considered “good enough for a certain period of time” and full recovery, i.e., an eventual return to full service. Management should be able to establish back-up facilities and recovery strategies to ensure the continuity of critical operations. During the recovery phase, it should ensure that information processed using back-up facilities and alternate sites still meet acceptable levels of security. To achieve cyber resilience, the BSFI should consider information security incidents and cyber-related attack scenarios in its business continuity management and recovery processes.

(vi)  Test. The BSFI needs to continually assess and test controls and security measures implemented under the prevent, detect, respond, and recover phases to ensure that these are effective and working as intended. Likewise, a comprehensive, systematic and layered testing and assurance program covering security processes and technologies should be in place. This is to ensure that the ISRM is on track in providing an appropriate level of information security commensurate with the BSFI’s IT profile complexity. This phase also ensures that both the ISSP and ISP remain effective vis-a-vis the fast-evolving cyber-threat landscape.

(d) Cyber threat intelligence and collaboration. In response to the growing cyber-threat landscape, BSFIs need to step up their information security posture and resilience beyond their respective networks. Likewise, BSFIs need to enhance situational awareness that would provide a keen sense of the threat landscape as it relates to their IT risk and cyber-risk profiles, operating complexities, and business models. Further, BSFIs need to collaborate with each other, including regulators, law enforcement agencies, and other third party stakeholders for a collective, coordinated, and strategic response through information sharing and collaboration. Information sharing allows BSFIs to enhance threat intelligence that enables quick identification, prevention and response to emerging and persistent threats. (Detailed guidelines/standards on information security are shown in Appendix 75)

(2) Project management/development and acquisition and change management. BSFIs should establish a framework for management of IT-related projects. The framework should clearly specify the appropriate project management methodology that will govern the process of developing, implementing and maintaining major IT systems. The methodology, on the other hand, should cover allocation of responsibilities, activity breakdown, budgeting of time and resources, milestones, checkpoints, key dependencies, quality assurance, risk assessment and approvals, among others. In the acquisition and/or development of IT solutions, BSFIs should ensure that business and regulatory requirements are satisfied. (Detailed guidelines/standards on Project Management/Development and Acquisition and Change Management are shown in Appendix 76)

(3) IT operations. IT has become an integral part of day-to-day business operations, automating and providing support to nearly all of the business processes and functions within the institution. Therefore, the IT systems should be reliable, secure and available when needed, since the institution’s high level of service rests on its dependence on IT to operate.

One of the primary responsibilities of IT operations management is to ensure the institution’s current and planned infrastructure is sufficient to accomplish its strategic plans. BSFI management should ensure that IT operates in a safe, sound, and efficient manner throughout the institution. Given that most IT systems are interconnected and interdependent, failure to adequately supervise any part of the IT environment can heighten potential risks for all elements of IT operations and the performance of the critical business lines of the BSFIs. Such a scenario necessitates the coordination of IT controls throughout the institution’s operating environment. (Detailed guidelines/standards on IT Operations are shown in Appendix 77)

(4) IT outsourcing/vendor management program. IT outsourcing refers to any contractual agreement between a BSFI and a service provider or vendor for the latter to create, maintain, or reengineer the institution’s IT architecture, systems and related processes on a continuing basis. A BSFI may outsource IT systems and processes except those functions expressly prohibited by existing regulations. The decision to outsource should fit into the institution’s overall strategic plan and corporate objectives and said arrangement should comply with the provisions of existing Bangko Sentral rules and regulations on outsourcing. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships should be viewed as an enterprise-wide corporate management issue, rather than a mere IT issue.

While IT outsourcing transfers operational responsibility to the service provider, the BSFIs retain ultimate responsibility for the outsourced activity. Moreover, the risks associated with the outsourced activity may be realized in a different manner than if the functions were performed inside the institution, resulting in the need for controls designed to monitor such risks.

BSFI management should implement an effective outsourcing oversight program that provides the framework for management to understand, monitor, measure, and control the risks associated with outsourcing. BSFIs outsourcing IT services should have a comprehensive outsourcing risk management process which provides guidance on the following areas: 1) risk assessment; 2) selection of service providers; 3) contract review; and 4) monitoring of service providers. Detailed guidelines/standards on IT Outsourcing/ Vendor Management and on the adoption of outsourced cloud computing model are shown in Appendix 78.

(5) Electronic products and services. The evolution in technology revolutionized the way banking and financial products and services are delivered. Physical barriers were brought down enabling clients to access their accounts, make transactions or gather information on financial products and services anywhere they are, at any time of the day and at their own convenience. As development in technology continues to accelerate, innovative electronic products and services are foreseen to bring more accessibility and efficiency. However, BSFIs may be confronted with challenges relating to capacity, availability and reliability of the electronic services. Likewise, fraudulent activities via electronic channels are also rising in number.

BSFIs should protect customers from fraudulent schemes done electronically. Otherwise, consumer confidence in electronic channels as a safe and reliable method of making transactions will be eroded. To mitigate the impact of cyber fraud, BSFIs should adopt an aggressive security posture such as the following:

(a) The entire ATM system shall be upgraded/converted to allow adoption of end-to-end Triple DES (3DES) encryption standards by 01 January 2015. The 3DES encryption standards shall cover the whole ATM network which consists of the host processors, switches, host security module (HSM), automated teller machines (ATMs), point-of-sale (POS) terminals and all communication links connected to the network;

(b) ATMs to be installed after 04 September 2014 should be 3DES compliant; and

(c) ATMs, POS terminals and payment cards are also vulnerable to skimming attacks due to the lack of deployment of globally recognized EMV enabled technology by BSFIs. Magnetic stripe only ATMs, POS Terminals and cards are largely defenseless against modern fraud techniques. Therefore, all concerned BSFIs should shift from magnetic stripe technology to EMV chip-enabled cards, POS Terminals and ATMs. The entire payment card network should be migrated to EMV. This requirement shall cover both issuing and acquiring programs of concerned BSFIs. A written and board-approved EMV migration plan should be submitted to the appropriate supervising department of the Bangko Sentral within six (6) months from 22 August 2013. The guidelines on EMV Implementation are shown in Appendix 112. The guidelines on the EMV Card Fraud Liability Shift Framework (ECFLSF) are in Appendix 113.³

Detailed guidelines/standards on Electronic Products and Services are shown in Appendix 79.

d. Risk measurement and monitoring. BSFI Management should monitor IT risks and the effectiveness of established controls through periodic measurement of IT activities based on internally established standards and industry benchmarks to assess the effectiveness and efficiency of existing operations. Timely, accurate, and complete risk monitoring and assessment reports should be submitted to management to provide assurance that established controls are functioning effectively, resources are operating properly and used efficiently and IT operations are performing within established parameters. Any deviation noted in the process should be evaluated and management should initiate remedial action to address underlying causes. The scope and frequency of these performance measurement activities will depend on the complexity of the BSFI’s IT risk profile and should cover, among others, the following:

(1) Performance vis-à-vis approved IT strategic plan. As part of both planning and monitoring mechanisms, BSFI management should periodically assess its uses of IT as part of overall business planning. Such an enterprise-wide and ongoing approach helps to ensure that all major IT projects are consistent with the BSFI’s overall strategic goals. Periodic monitoring of IT performance against established plans shall confirm whether IT strategic plans remain in alignment with the business strategy and the IT performance supports the planned strategy.

(2) Performance benchmarks/service levels. BSFIs should establish performance benchmarks or standards for IT functions and monitor them on a regular basis. Such monitoring can identify potential problem areas and provide assurance that IT functions are meeting the objectives. Areas to consider include system and network availability, data center availability, system reruns, out of balance conditions, response time, error rates, data entry volumes, special requests, and problem reports.

Management should properly define services and service level agreements (SLAs) that must be monitored and measured in terms understandable to the business units. SLAs between business units and the IT department should be established to provide a baseline to measure IT performance.

(3) Quality assurance/quality control. BSFIs should establish quality assurance (QA) and quality control (QC) procedures for all significant activities, both internal and external, to ensure that IT is delivering value to the business in a cost-effective manner and promotes continuous improvement through ongoing monitoring. QA activities ensure that a product conforms to specification and is fit for use, while QC procedures identify weaknesses in work products to avoid the resource drain and expense of redoing a task. The personnel performing QA and QC reviews should be independent of the product/process being reviewed and use quantifiable indicators to ensure objective assessment of the effectiveness of IT activities in delivering IT capabilities and services.

(4) Policy compliance. BSFIs should develop, implement, and monitor processes to measure IT compliance with their established policies and standards as well as regulatory requirements. In addition to the traditional reliance on internal and third party audit functions, BSFIs should perform self-assessments on a periodic basis to gauge performance, which often leads to early identification of emerging or changing risks requiring policy changes and updates.

(5) External assessment program. Complex BSFIs may also seek regular assurance that IT assets are appropriately secured and that their IT security risk management framework is effective. This may be executed through a formal external assessment program that facilitates a systematic assessment of the IT security risk and control environment over time.

Reporting and notification standards. In line with the increased reliance on and adoption of technology by BSFIs, along with growing concerns on cybersecurity, BSFIs should submit regular and event-driven reports covering technology-related information as well as incidence of major cyber-attacks and operational disruptions. This will enable the Bangko Sentral to have enhanced visibility on the changing IT risk landscape and to proactively ensure that the impact and risks arising from cyber-related incidents and operational disruptions are minimized and contained to avert potential systemic risks to the financial system.

a. Reporting requirement. BSFIs are required to submit to the Bangko Sentral the following reports/information:

(1) Periodic reports. BSFIs shall submit an Annual IT Profile, as listed in Appendix 7, electronically to the appropriate supervising department of the Bangko Sentral within twenty-five (25) days from the end of the reference year.

(2) Event-driven reports. BSFIs shall notify the Bangko Sentral upon discovery of any of the following:

(a) Reportable major cyber-related incidents. An incident is considered a reportable major cyber-related incident if, after assessing the nature of the incident or attack, the BSFI has determined that the same:

(i)   resulted in an unauthorized access and infiltration into the BSFI’s internal network (i.e., hacking, advanced persistent threats, presence of malware);

(ii)   involved a system-level compromise (i.e., attacks on BSFI’s core systems, as opposed to phishing attempts of individual clients);

(iii)  affected a significant number of customer accounts simultaneously;

(iv)  involved significant data loss or massive data breach;

(v)  indicated spearphishing attacks targeting the BSFIs’ directors, senior executives, officers, or privileged users;

(vi) resulted in the unavailability of critical systems/services (e.g., Distributed Denial of Service (DDoS) attack resulting in service outage);

(vii) inflicted material financial losses to the BSFIs, their customers and other stakeholders; or

(viii) has been suspected to be perpetrated by an advanced threat actor.

(b) Disruptions of financial services and operations. These include disruption of critical operations which lasts for more than two (2) hours due to internal and external threats, which may be natural, man-made or technical in origin. Such scenarios usually involve loss of personnel, technology, alternate site, and service providers. Causes of such interruptions include, but are not limited to fire, earthquakes, flood, typhoon, long-term power outage, technical malfunctions, pandemics and other threats.

Security events/attacks which are normally prevented by security systems/devices need not be reported to the Bangko Sentral, except if the same involve significant financial value and/or multitude of customer accounts beyond BSFI’s reasonable threshold levels. For instance, an attempt to fraudulently transfer funds involving large sums of money requires immediate notification to the Bangko Sentral as this can be a signal of impending attacks to other BSFIs.

b. Procedure for event-driven reporting. The following procedures shall be followed by BSFIs in reporting reportable major cyber-related incidents and/or disruptions of financial services and operations stated in Item “a(2)” of this Section (Reporting and Notification Standards):

(1) The BSFIs’ Compliance Officer and/or BSFI-designated Officer shall notify the appropriate supervising department of the Bangko Sentral within two (2) hours from discovery of the reportable major cyber-related incidents and/or disruptions of financial services and operations stated in Item “a(2)” of this Section (Reporting and Notification Standards), in accordance with Appendix 7.

(2) The BSFIs shall disclose, at the minimum, the nature of the incident and the specific system or business function involved.

(3) Within twenty-four (24) hours from the time of the discovery of the reportable major cyber-related incident and/or disruption, a follow-up report should be sent to the appropriate supervising department of the Bangko Sentral through e-mail indicating the following, as applicable:

(a) nature of the incident;

(b) manner and time of initial detection;

(c) impact of the incident based on initial assessment (e.g., length of downtime, number of affected customers/accounts, number of complaints received, value of transactions involved);

(d) initial response or actions taken/to be taken (e.g., conduct of root cause analysis) with respect to the incident; and

(e) information if the incident resulted in activation of the Business Continuity Plan (BCP) and/or Crisis Management Plan (CMP).

c. Verification of root cause. Depending on the nature and severity of the reported incident/disruption, the Bangko Sentral may require BSFIs to provide additional information or updates until the matter is satisfactorily resolved. Likewise, the Bangko Sentral may conduct a special examination or overseeing inspection, if necessary, to verify the root cause of the incident, assess the impact on the BSFI and the financial system as a whole, identify areas for improvement to prevent recurrence of the incident, and promote enterprise and industry-wide operational resilience.

d. Compliance with reporting of crimes and losses. Compliance with the event-driven reporting requirement shall not excuse BSFIs from complying with the existing rules on the reporting of crimes and losses under Sec. 173 (Report on crimes/losses). Likewise, any cyber-related incident which does not qualify as a reportable major cyber-related incident and other disruptions arising from crimes and losses must be reported to the Bangko Sentral in accordance with the aforesaid regulations. Operational risk events which are covered under Item “a(2)” on the event-driven reporting and notification requirements shall no longer require separate reporting and notification pursuant to Sec. 146 (Notification/Reporting to Bangko Sentral).

e. Information gathering. Should the conduct of in-depth studies and research on certain technology development or key area of concern relating to technology risk and cybersecurity be warranted, the Bangko Sentral, from time to time, may request BSFIs to submit specific data and information thereon through surveys, questionnaires or other means.

Sanctions and penalties. BSFIs should make available all policies and procedures and other documents/requirements related to the foregoing during on-site examination as well as provide copies thereof to the Bangko Sentral when a written request is made to determine their compliance with this Section.

a. Non-compliance with the requirements in Item “b” of this Section (Reporting and notification standards) will be subject to “High” penalty level monetary sanctions pursuant to Sec. 1102 (Guidelines on the imposition of monetary penalties).

b. Consistent with Sec. 002, the Bangko Sentral may deploy applicable enforcement actions on the BSFI and/or its directors, officers, and/or employees for violations of this requirement.

c. Annual IT Profile and other periodic reports which have been considered as erroneous, delayed or unsubmitted shall be subject to the penalties for Category B reports under Sec. 171 (Sanctions on reports for non-compliance with the reporting standards).

(Circular Nos. 1019 dated 31 October 2018, 982 dated 9 November 2017, 958 dated 25 April 2017, 936 dated 28 December 2016, 859 dated 24 November 2014, and 833 dated 28 May 2014)

Footnotes

  1. BSFIs shall comply with the Enhanced Guidelines on Information Security Management within a period of one (1) year from 5 December 2017. In this regard, a BSFI should be able to show its plan of actions with specific timelines, as well as the status of initiatives being undertaken to fully comply with the provisions of this circular, upon request of the Bangko Sentral starting December 2017.
  2. US National Institute of Standards and Technology (NIST), ISO/IEC, ISACA and Committee on Payments and Market Infrastructures (CPMI), among others.
  3. This paragraph shall take effect on 01 January 2017.