BSP orders banks to beef up defenses vs cyber attacks

The Bangko Sentral ng Pilipinas yesterday said the global ransomware attack over the weekend had no impact on any Philippine financial institution even as it urged all banks and nonbanks to step up their defenses.

Asked if BSP-supervised financial institutions were targeted during the cyber extortion attacks, Deputy Governor Nestor A. Espenilla Jr. replied: “Targeted? Possible. Successfully attacked? That’s another matter—none so far.”

Reports said that at least 100,000 groups in 150 countries had been hit by online extortion attacks as of Sunday.

Espenilla said the BSP had “previously alerted the system to the danger,” hence he was “sure” that “defensive initiatives have minimized the risk.”

Last week, the BSP issued Memorandum No. M-2017-017 reminding banks to adopt multifactor authentication (MFA) in response to “growing concerns on cyber attacks involving fraudulent e-mails and websites aimed at customers and employees of financial institutions.”

Last April, the BSP ordered all financial institutions in the country to implement MFA, especially for sensitive transactions, by September amid bigger risks coming from cyber attacks.

The BSP earlier explained that MFA employs a combination of at least two authentication factors: inherence, or something inherent to the user, such as a fingerprint and retinal pattern; knowledge, or something the user knows, such as a password or PIN; and possession, or something the user has in his or her possession, including a payment card or a one-time password generated through a security token or sent via SMS.

The MFA “provides for a more reliable authentication method and a stronger fraud deterrent mechanism that limits unauthorized access,” the BSP had said.

In a new memorandum issued just last Monday, the BSP reiterated the need to beef up cyber defenses in light of the recent global ransomware attacks.

“With the alarming proliferation of ransomware, BSP-supervised financial institutions are at an increased risk of loss or unauthorized disclosure of proprietary or sensitive information, operational disruptions, financial losses incurred to restore affected systems and reputational damage. Given the perceived anonymity of threat actors in perpetrating ransom payment schemes, ransomware remains a viable threat that is expected to evolve to more sophisticated and destructive forms, such as crypto-ransomware. Web-based applications, including legitimate cloud-based services, are particularly vulnerable to this type of threat,” Espenilla said in Memorandum No. M-2017-018 issued on May 15.

“In this regard, BSP-supervised financial institutions are advised to heighten their vigilance and ensure that robust protection against ransomware is in place. BSP-supervised financial institutions should provide multiple layers of defenses by implementing appropriate controls at the host, network, and endpoint level to prevent and detect malicious codes,” Espenilla said. — BEN O. DE VERA, Philippine Daily Inquirer