Cybersecurity self-assessment for banks, nonbanks proposed by BSP

THE BANGKO SENTRAL ng Pilipinas (BSP) is proposing to require all banks and nonbanks to conduct a self-assessment of their cybersecurity maturity amid growing concerns over increasing cyber risks.

This, as the central bank seeks to strengthen the financial system through its supervised financial institutions (BSFI) against rapidly evolving threats in cyberspace.

“Digital financial and payment services and platforms continue to evolve rapidly, with innovative solutions emerging to enhance customer experience, improve operational efficiency, expand accessibility, and strengthen market competitiveness,” the central bank said in the exploratory note of the draft circular.

“However, these developments are accompanied by a corresponding increase in cyberthreats, which heighten risks to both financial institutions and their customers,” it added.

According to the central bank, the Cybersecurity Control Self-Assessment (CCSA) will allow BSFIs to enhance their offsite surveillance and risk assessments for information and cybersecurity.

“This initiative aims to enhance the financial sector’s resilience against  evolving cyberthreats by enabling BSFIs to assess their cybersecurity maturity against established best practices and develop a roadmap toward their target maturity level,” the BSP said.

BSP Deputy Governor Lyn I. Javier earlier noted that more frequent, more scalable and targeted cyberthreats are endangering the financial system’s digital shift, with the improving interconnectivity enabling more cybercriminals to exploit its weak points.

Based on the latest central bank report, social engineering such as phishing scams, account takeover and identity theft accounted for 76% of the total amount lost to financial fraud in the first half of 2025, making it the top cyberthreat of the local banking system.

This was followed by hacking, which made up 13% of the total losses, and card-not-present fraud with 8%.

Under the draft circular, the BSP clarified that the CCSA will not replace the current Supervisory Assessment Framework for cybersecurity and information security. 

Instead, it will serve as an additional requirement alongside the annual information technology (IT) profile that financial institutions were previously required to submit 25 days after the end of each reference year.

“Rather, these tools are designed to complement existing supervisory mechanisms by enabling BSFIs to identify areas for improvement and systematically track progress toward their desired maturity level,” the BSP said. 

The central bank also noted that the CCSA will use a Cybersecurity Maturity Framework (CMF) to measure the BSFI’s maturity level, based on the CCSA results, and its target maturity level aligned with its IT risk profile.

The assessment tool features capability-based questions to evaluate the BSFI’s maturity in specific control areas, as well as survey questions to gather further insights for policy development and regulatory guidance.

NBFIs’ maturity levels could be classified as foundational, established, managed or optimized, according to the BSP.

The level will be evaluated based on their information security governance, information security risk management, security control implementation, and cyberthreat intelligence and collaboration.

Both the CMF and the CCSA will then be integrated in the Advanced Suptech Engine for Risk-based Compliance, which the BSP said “may be periodically reviewed and enhanced to ensure a dynamic and responsive assessment process.”

“The result shall provide the BSFI’s current maturity and inform of the possible areas requiring intervention or a plan for improvement to achieve their target maturity,” the BSP added.

BSFIs with a moderate and complex IT profile will be mandated to electronically submit their respective CCSAs to the BSP yearly on or before March 31, following the end of the reference year. — Katherine K. Chan