Is BSP’s cyber resilience plan the key to protecting finance in 2025?

The central bank plans to mainstream cybersecurity in schools to close the skills gap.

Amidst increasing digital transformation in the financial sector, the Philippines addressed the alarming rise of cyber threats through a resilience framework to safeguard the financial system by 2025. 

Melchor T. Plabasan, director of the Technology Risk and Innovation Supervision Department (TRISD), Bangko Sentral ng Pilipinas (BSP), reflected on a significant incident that occurred on 19 July, where several sectors, including finance and airports, experienced disruptions. CrowdStrike's Falcon sensor update caused global system crashes on Microsoft Windows systems, affecting industries such as airlines, finance, and healthcare.

“Microsoft has estimated 8.5 million Windows devices have been affected.  The broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” according to Aon’s Crowdstrike / Windows Event Briefing.

This incident showed a critical aspect of cyber resilience: the role of third-party service providers. "What this incident highlighted is the influence of third-party service providers on cyber resilience," Plabasan told the 286 attendees at the Asian Banking & Finance and Insurance Asia summit held last 1 October at Makati Shangri-La, Philippines.

Plabasan also emphasised the importance of cyber resilience, particularly as the industry faced mounting threats from various actors. 

"As more financial institutions harnessed technological advancements, we had to incorporate cyber resilience as we navigated this dynamic environment," he remarked.

The BSP’s initial assessment categorised the impact on the Philippine financial system as moderate, with fewer than 20 institutions affected. "The downtime ranged from one to nine hours, averaging around 4.64 hours. 

No institution was completely down, and customers were not left helpless," Plabasan said, adding that clients could still conduct transactions through alternative channels such as ATMs.

In 2023, the top global cyber threats included supply chain risks, ransomware, phishing, distributed denial of service (DDoS) attacks, and state-sponsored cyber espionage. 

For the Philippine financial sector, 50% to 60% of cyber incidents involved phishing and social engineering schemes, many tied to card-not-present transactions. Supply chain risks ranked fourth among these threats.

The Financial Services Cyber Resilience Plan

To combat these challenges, the BSP introduced the Financial Services Cyber Resilience Plan (FSCRP) in August, a framework designed to bolster the financial sector's defence against cyber risks. 

"The FSCRP is a comprehensive program with specific priority actions, including stock-taking and mapping exercises to identify critical service providers, allowing us to better assess concentration and systemic risks," Plabasan explained.

The BSP conducted thematic reviews of service providers, ensuring they met regulatory expectations and best practices. "We completed two or three thematic reviews, identifying certain service providers as critical to the system's resilience," Plabasan added.

The FSCRP framework emphasised governance and enhanced the cyber resilience of supervised entities. 

"Our expectations for strengthening cyber resilience included robust governance practices and consideration of various cyberattack scenarios," Plabasan said. 

He underscored the importance of developing a cybersecurity culture within financial institutions, supported by updated incident response protocols, information-sharing initiatives, and best practices.

One of the plan's key initiatives was its baseline incident response playbooks for common cyber risks like ransomware attacks. These playbooks would be expanded to address more complex threats, such as supply chain risks and data breaches. 

Plabasan also mentioned plans to conduct industry-wide scenario testing, starting with tabletop exercises.

Looking ahead: Capacity building and legal reforms

Plabasan said the BSP worked closely with universities and private sector partners to mainstream cybersecurity education and address the industry’s talent shortage. 

"Our awareness goals included possibly mainstreaming cybersecurity in universities to close the skills gap," he said.

Legal and regulatory reforms were also a crucial aspect of the BSP’s strategy. The Anti-Financial Account Scheme Act (AFASA), recently signed into law by President Ferdinand Marcos Jr., introduced higher penalties for offences related to phishing, social engineering, and economic sabotage. 

"We worked closely with lawmakers to address gaps in the legal framework and protect consumers from cybercrimes," Plabasan noted.