
THE Bangko Sentral ng Pilipinas (BSP) wants banks and other financial institutions to conduct annual cybersecurity assessments to improve the financial system’s defenses against digital threats.
Based on a draft circular, a Cybersecurity Control Self-Assessment (CCSA) will become a regular reporting requirement for all BSP-supervised financial institutions (BSFIs) as well as selected institutions identified by the central bank.
The self-assessment will be submitted electronically through the BSP’s Advanced Suptech Engine for Risk-based Compliance and will be due every March 31 following the end of the reference year.
“This initiative aims to enhance the financial sector’s resilience against evolving cyberthreats by enabling BSFIs to assess their cybersecurity maturity against established best practices and develop a roadmap toward their target maturity level,” the central bank said.
The CCSA will be anchored on a newly introduced Cybersecurity Maturity Framework that allows financial institutions to measure their current cybersecurity maturity against established standards and identify a target level that matches their risk profile.
Institutions will be guided in evaluating their governance structures, risk management practices, security controls and their ability to detect, respond to and recover from cyber incidents, as well as their participation in cyber threat intelligence sharing.
The maturity framework groups cybersecurity capability into four levels. At the “foundational” level, institutions have basic controls in place, with weak governance and limited consideration of cyber risks in business decisions.
The “established” category, meanwhile, means that policies and baseline controls have been approved, but their use across business units may still be inconsistent.
At the “managed” level, institutions fully comply with regulations, regularly review how effective their controls are and integrate cybersecurity into organization-wide processes.
The highest category, “optimized,” applies to institutions that continuously strengthen their cybersecurity using advanced tools, forward-looking risk indicators and lessons learned, with boards and senior management actively overseeing cyber risks alongside financial and operational risks.
The assessment will cover four main areas: information security governance, information security risk management, security control implementation and cyberthreat intelligence and collaboration.
Security controls will be assessed across six domains: identification, prevention, detection, response, recovery, and assurance and testing. Institutions’ answers to a questionnaire will determine their maturity level in each area, showing where they are strong and where improvements are needed.
The BSP said the intent was not to impose a one-size-fits-all standard but to help institutions understand gaps in current practices and develop a clear roadmap for improvement.
It also clarified this is not intended to “replace the Supervisory Assessment Framework for cybersecurity and information security.”
“Rather, these tools are designed to complement existing supervisory mechanisms by enabling BSFIs to identify areas for improvement and systematically track progress toward their desired maturity level,” it said.
The BSP said the results would be reviewed to assess whether institutions could sustain stated maturity levels and to identify areas that may require regulatory attention.
Banks and non-bank financial institutions will still have to submit annual IT profiles, and the CCSA will be added as a separate annual requirement for covered institutions.
Universal and commercial banks, thrift banks, rural and cooperative banks, quasi-banks, non-stock savings and loan associations and other non-bank financial institutions will all be required to file the assessment if covered by the scope of the rules.

