148 INFORMATION TECHNOLOGY RISK MANAGEMENT

The enhanced guidelines on Information Technology Risk Management (ITRM) keep abreast of the
aggressive and widespread adoption of technology in the financial service industry and consequently
strengthen the existing Bangko Sentral framework for IT risk supervision. ITRM should be considered a
component of, and integrated with, the institution’s risk management program. The guidelines likewise
provide practical plans to address risks associated with emerging trends in technology and growing
concerns on cybersecurity.

Policy statement. The rapid pace of digital innovation has significantly reshaped the financial
services landscape. BSFIs employ advances in technology to sharpen business insights, enhance
operational efficiencies, and deliver innovative financial products and services in line with emerging
market trends and evolving client needs. Technological developments also enable greater access to
financial services that promote an inclusive and responsive digital financial ecosystem. As technological
innovations become more deeply entrenched in business models, infrastructure, and delivery channels,
system-related failures and malfunctions can create major operational disruptions in BSFIs. Social
media platforms may further complicate matters as news of disruptions as well as customer complaints
can spread at unprecedented speeds. Further, cyber-threats and attacks confronting the financial
services industry pose added risks that can undermine public trust and confidence in the financial
system.

In line with their growing technology usage and dependence against the backdrop of a dynamic operating
and cyber-threat environment, BSFIs should establish robust and effective technology risk management
processes, governance structures, and cybersecurity controls. This is to ensure that the benefits
derived from technological innovations can be fully optimized without compromising financial stability,
operational resilience, and consumer protection.

Purpose and scope. The enhanced guidelines aim to provide guidance in managing risks associated
with use of technology. The guidelines outlined are based on international standards and recognized
principles of international practice for ITRM and shall serve as Bangko Sentral’s baseline requirement
for all BSFIs.

The guidelines shall apply to BSFIs which include banks, non-banks with quasi-banking function
(NBQB), non-bank electronic money issuers and other non-bank institutions which under existing
Bangko Sentral rules and regulations and special laws are subject to Bangko Sentral supervision and/or
regulation. Moreover, subject guidelines shall also apply to BSFIs with offshore data processing as may
be appropriate to their situation. The framework covers different facets of ITRM, some of which are
supplemented with detailed guidelines in Appendices 74, 75, 76, 77, 78 and 79. The Bangko Sentral shall
keep the Appendices updated and, in the future, issue additional regulations on new and emerging

Manual of Regulations for Banks | 1

products, services, delivery channels, and other significant applications of technology.

Subject guidelines, including Appendices 74, 75, 76, 77, 78 and 79, are not “one-size-fits-all”, and
their implementation needs to be risk-based and commensurate with the size, nature and types of
products and services, and the complexity of IT operations of the individual BSFIs. BSFIs shall exercise
sound judgment in determining the applicable provisions relevant to their risk profile.

IT Profile Classification. To ensure that IT risk management system, governance structure and
processes are commensurate with the attendant IT risks, the Bangko Sentral shall determine the IT
profile of all BSFIs and classify them as “Complex”, “Moderate” or “Simple”. The IT profile refers to the
inherent risk of a BSFI before application of any mitigating controls, and is assessed taking into
consideration the following factors:

a. IT infrastructure and operations. Inherent IT risks of a BSFI largely depend on the degree of
automation of core processes and applications, the size of branch networks, and the
characteristics of its IT organization. BSFIs with larger branch networks and more complex
organizational structures usually require a higher degree of reliance on IT systems/infrastructure,
which, in turn, carry higher levels of inherent IT risks. Interconnectivity risks also play a factor in
determining IT risk levels since added connections to third-party networks increase complexity
as well as exposure to potential information security/cybersecurity risks. These include
participation in electronic payment systems and interconnections with other financial
institutions, business partners, customers, and third-party service providers, among others.

b. Digital/Electronic financial products and services. Digital/electronic financial products and services
provided to the BSFI’s corporate and retail clients, by their very nature, can have a direct impact
on IT risks, including information security/cybersecurity risks. This is because these products and
services are normally provided via the internet or public networks which are inherently risky.
Digital/electronic financial products and services include ATM debit, prepaid and credit cards and
e-channels such as ATM terminals, point-of-sale (POS) terminals, internet banking and mobile
banking facilities, among others. BSFIs that are more aggressive in providing such services are
expected to have greater IT risks.

c. IT projects and initiatives. The extent and nature of the BSFI’s IT projects prospectively impact IT
risk exposure and complexity. For instance, developing or acquiring a new core banking system
is considered a major project that, if not adequately managed and overseen, may heighten
inherent IT risks. Also, IT projects and initiatives entail the use of current resources in terms of
funding and manpower that might affect existing IT operations and the risk profile.

d. Outsourced services. While outsourcing in general does not diminish the BSFI’s responsibility over
the function/service outsourced, outsourcing poses an added dimension to IT and information
security risks. For this reason, outsourcing arrangements require a higher degree of oversight,
due diligence, and risk management controls. Outsourcing core IT services and functions via
cloud computing platforms may further intensify IT and information security risks.

e. Systemic importance. The systemic importance of a BSFI is a critical determinant in assessing
inherent IT and information security/cybersecurity risks since BSFIs identified as “Domestic
Systemically Important Banks” or DSIBs are essentially larger in size and have more complex
operations and product offerings. Moreover, cyber-attacks against DSIBs can have serious
implications to financial and economic stability that may undermine public trust and confidence
in the financial system.

f. Threats. The volume, type, and severity of cyber-attacks and fraud targeting a specific BSFI
affects IT and cybersecurity risk profiles. Some BSFIs may be more prone to attacks compared to
others by virtue of their asset size, customer base, systemic importance, and other factors. Thus,
BSFIs that are likely targets of these types of threats should have greater degree of
cyber-preparedness and resilience.

A general description for each IT profile classification is outlined as follows:

IT Profile Classification and General Description/Attributes
Complex A BSFI with complex IT profile uses technology extensively in supporting mission-critical
business processes and delivering financial products and services. It has a ubiquitous
branch network in the country and offers a wide array of digital/electronic financial
products and services to a large number of corporate and retail clients. It is highly
interconnected with external third-party stakeholders and actively participates in
electronic payment systems and networks, usually involving large-value transfers.
Business strategies and objectives are largely anchored on IT platforms, digital
innovation, and technology-based solutions. It is also aggressively utilizing/exploring
emerging technologies such as cloud computing, social media and big data.

Moderate A BSFI classified as moderate uses technology to some extent, but not as aggressively as
those classified as complex. Its branch network, IT organization and structure, and extent
of IT projects are also relatively less significant than those of complex BSFIs. IT
applications and systems are integrated but primarily support traditional banking
products and services. It may offer basic digital/electronic products and services, such as
ATM terminals/card-based products, to a limited number of clients.

Simple A BSFI classified as simple generally has very limited use of technology with minimal
interconnectivity to its clients and other institutions. Likewise, its branch network or
geographic presence is confined to a specific locality. IT applications and systems are
stand-alone or are not fully integrated, and e-banking products and services are rarely
offered. A simple BSFI also has few IT personnel and a small customer base.

The IT profile of rural banks, cooperative banks, NBFIs, and non-bank institutions shall be classified
as “Simple”, unless notified by the Bangko Sentral of a higher classification. For other BSFIs, the Bangko
Sentral shall notify in writing their assigned classification within a reasonable timeline from 5 December
2017. The Bangko Sentral-assigned classification shall remain effective until such time that the Bangko
Sentral informs the concerned BSFI of a change in classification.

The Bangko Sentral assessment and classification process should not preclude BSFIs from assessing
their own IT profile classification on an ongoing basis. All BSFIs are required to have periodic and
rigorous self-assessment exercises using more robust data sets and variables as part of their
information security risk management system.

IT rating system. The Bangko Sentral, in the course of its on-site examination activities, shall
evaluate BSFIs’ ITRM system and measure the results based on Bangko Sentral’s IT rating system. A
composite rating is assigned based on a “1” to “4” numerical scale, as follows:

4 BSFIs with this rating exhibit strong performance in every respect. Noted weaknesses in IT
are minor in nature and can be easily corrected during the normal course of business.

3 BSFIs with this rating exhibit satisfactory performance but may demonstrate modest
weaknesses in operating performance monitoring, management processes or system
development.

2 BSFIs with this rating exhibit less than satisfactory performance and require considerable
degree of supervision due to a combination of weaknesses that may range from moderate
to severe.

1 BSFIs with this rating exhibit a deficient IT environment that may impair the future viability
of the entity, thereby requiring immediate remedial action.

Definition of terms. In these guidelines, terms are used with the following meanings:

a. Advanced persistent threat or APT shall refer to a sophisticated form of attack that involves
coordinating multiple methods of identifying and exploiting a target’s vulnerabilities over an
extended period to do harm.

b. Card skimming shall refer to the illegal copying of information from the magnetic stripe of a credit
or ATM card to gain access to accounts.

c. Cloud computing shall refer to a model for enabling ubiquitous, convenient, and on-demand
network access to a shared pool of configurable computing resources that can be rapidly
provisioned and released with minimal management effort or service provider interaction.

d. Compromised state shall refer to a state wherein someone or something has maliciously broken
into networks, systems and computers which raises doubt as to the integrity of information
assets, such as but not limited to, program files, image files, and operating system files.

e. Cyber-threat shall refer to a deliberate act of omission or commission by any person carried out
using the internet and/or other electronic channels, in order to communicate false or fraudulent
representations to prospective victims, to conduct fraudulent transactions, or to illegally obtain
proprietary data or information related to the institution, their customers and other stakeholders.
Cyber-threat can be used synonymously with cyber-fraud, cyber-attack or cyber-related
incidents.

f. Cybersecurity shall refer to technologies, processes, and practices designed to protect a BSFI’s
information assets and consumers by preventing, detecting, and responding to cyber-attacks.

g. Data breach shall refer to an incident in which sensitive, protected or confidential data or
information has potentially been viewed, stolen, leaked, used, or destroyed by unauthorized
persons.

h. Defense-in-depth shall refer to a security strategy or design of deploying security controls over
multiple or various layers across the network, systems, and applications such that a failure in
one control would be compensated by another control in the next layer. This approach
effectively delays or disrupts an attacker’s ability to progress within the attack sequence.

i. Distributed denial of service (DDoS) shall refer to a type of attack that exploits the capacity
limitations of enterprise networks, systems or ingress points by flooding them with extreme traffic loads.

j. Hacking shall refer to unauthorized access into or interference in networks, systems and
computers without the knowledge and consent of the system/information owner.

k. Information security program (ISP) shall refer to information security policies, standards and
procedures, security operations, technologies, organizational structures, and information
security awareness and training programs aimed at protecting a BSFI’s information assets and
supporting infrastructure from internal and external threats.

l. Information security strategic plan (ISSP) shall refer to the roadmap to guide a BSFI in transforming
the current state of security to the desired state taking into account business goals and
strategies.

m. Information security risk management (ISRM) shall refer to the process of identifying, assessing,
mitigating, managing, and monitoring information security risks, including cyber-risk, to ensure
these are within acceptable levels. It should be integrated into the BSFI’s ISP and enterprise-wide
risk management system.

n. Malware shall refer to malicious software that compromises the confidentiality, availability or
integrity of information systems, networks or data. Examples of malware include ransomware,
trojans, adware, botnets, bugs, and spyware, among others.

o. Pharming shall refer to a form of cyber-attack that redirects website traffic to a fake
website in order to obtain user credentials and information.

p. Phishing shall refer to the use of electronic communications such as e-mail to masquerade as a
trusted identity in order to capture sensitive information and gain access to accounts. It involves
tricking customers into giving sensitive information through fraudulent emails or websites.

q. Reportable major cyber-related incidents shall refer to any cyber-related incidents that meet the
criteria for reporting/notification to the Bangko Sentral as laid out in Item “a(2)(a)” of this Section
(Reporting and notification standards).

r. Security operations center (SOC) shall refer to a unit or function that provides centralized visibility,
continuous monitoring, and rapid response and recovery procedures on security incidents and
events.

s. Spearphishing shall refer to a more advanced type of phishing attack which is customized to a
particular target (e.g., executives, privileged users, etc.).

t. Threat actor shall refer to a person, group or nation/state/government that carries out or intends
to carry out damaging acts against another party. An advanced threat actor shall refer to a
person, organized group, or nation/state/government that (a) possesses superior capabilities,
resources and skills to launch sophisticated cyber-attacks; or (b) seeks military and/or
intelligence information for cyber-espionage purposes.

u. Threat intelligence shall refer to the process of gathering and analyzing information about the
proficiencies, tactics, and motives of malicious actors/attackers that enables a BSFI to institute
appropriate countermeasures quickly.

Description of IT-related risks. As BSFIs increase their reliance on IT to deliver products and
services, inappropriate usage of IT resources may have significant risk exposures. While IT does not
trigger new types of risks, it brings in new dimensions to traditional banking risks (i.e., strategic risk,
credit risk, market risk, liquidity risk and operational risk) that require new or enhanced control
activities (e.g., a failure of a credit risk measurement application is an IT failure and, therefore, a
systems failure in the sense of operational risk). Moreover, IT is an implied part of any system of
internal controls, regardless of the type of risk and, consequently, forms an important element in
organization-wide risk management. Among the risks associated with the use of IT are the following:

a. Operational risk is the risk to earnings and capital arising from problems with service or product
delivery. This risk is a function of internal controls, IT systems, employee integrity and operating
processes. Operational risk exists in all products and services;

b. Strategic risk is the risk to earnings and capital arising from adverse business decisions on
IT-related investments or improper implementation of those decisions. The risk is a function of
the compatibility of an organization’s strategic goals, the business strategies developed to
achieve those goals, the resources deployed against these goals and the quality of
implementation. The resources needed to carry out business strategies are both tangible and
intangible which include communication channels, operating systems, delivery networks and
managerial capacities and capabilities;

c. Reputational risk is the risk to earnings and capital arising from negative public opinion. This
affects the institution’s ability to establish new relationships or services or continue servicing
existing relationships. The risk can expose the institution to litigation, financial loss or damage to
its reputation; and

d. Compliance risk is the risk to earnings and capital arising from violations of, or
non-conformance with, laws, rules and regulations, prescribed practices or ethical standards.
Compliance risk also arises in situations where the laws and rules governing certain products or
activities of the BSFI’s clients may be ambiguous or untested. Compliance risk exposes the
institution to monetary penalties, non-monetary sanctions and the possibility of contracts being
annulled or declared unenforceable.

IT Risk Management System (ITRMS). As BSFIs become more dependent on IT systems and
processes, technology risks and information security issues have become progressively more complex
and pressing in recent years. Information security is just as important as the new technologies being
installed by BSFIs. As progress in technology shifts to a higher gear, the trend in cyber-attacks,
intrusions, and other forms of incidents on computer systems shows that they will not only persist but will
continue to increase in frequency and spread in magnitude.

Management of IT risks and information security issues becomes a necessity and an important part
of BSFIs’ risk management system. BSFIs are therefore required to establish a robust ITRM system
covering four (4) key components: 1) IT governance, 2) risk identification and assessment, 3) IT
controls implementation, and 4) risk measurement and monitoring.

a. IT Governance. This is an integral part of BSFIs’ governance framework and consists of the
leadership and organizational structures and processes that ensure the alignment of IT strategic
plan with BSFIs’ business strategy, optimization of resources management, IT value delivery,
performance measurement and the effective and efficient use of IT to achieve business
objectives and effective IT risk management implementation. BSFIs must establish an effective
IT governance framework covering the following:

(1) Oversight and organization of IT functions. Accountability is a key concern of IT governance and
this can be obtained with an organizational structure that has well-defined roles for the
responsibility of information, business processes, applications, IT infrastructure, etc.

The board of directors is ultimately responsible for understanding the IT risks confronted
by a BSFI and ensuring that they are properly managed, whereas senior management is
accountable for designing and implementing the ITRMS approved by the board. For complex
BSFIs, the board may delegate to an IT steering committee (ITSC) or its equivalent IT
oversight function to cohesively monitor IT performance and institute appropriate actions to
ensure achievement of desired results. The ITSC, at a minimum, should have as members a
non-executive director who oversees the institution’s IT function, the head of the IT
group/department, and the highest-ranking officer who oversees the business user groups. The
heads of control groups should participate in ITSC meetings in an advisory capacity only.

A charter should be ratified by the board to clearly define the roles and responsibilities of
the ITSC. Formal minutes of meeting should be maintained to document its discussions and
decisions. The ITSC should regularly provide adequate information to the board regarding IT
performance, status of major IT projects or other significant issues to enable the board to
make well-informed decisions about the BSFIs’ IT operations.

BSFIs should develop an IT strategic plan that is aligned with the institution’s business
strategy. This should be undertaken to manage and direct all IT resources in line with the
business strategy and priorities. IT strategic plan should focus on long term goals covering
three (3) to five (5) year horizon and should be sufficiently supplemented by tactical IT plans
which specify concise objectives, action plans and tasks that are understood and accepted by
both business and IT. The IT strategic plan should be formally documented, endorsed by the
Board and communicated to all stakeholders. It should be reviewed and updated regularly for
new risks or opportunities to maximize the value of IT to the institution.

BSFIs should also create an organization of IT functions that will effectively deliver IT
services to business units. For complex BSFIs, a full-time IT head or equivalent rank should be
designated to take the lead in key IT initiatives and oversee the effectiveness of the IT
organization. In addition to managing the delivery of day-to-day IT services, the IT head
should also oversee the IT budget and maintain responsibility for performance management,
IT acquisition oversight, professional development and training. The IT head should be a
member of executive management with direct involvement in key decisions for the BSFI and
usually reports directly to the president or chief executive officer.

A clear description of roles and responsibilities for individual IT functions should be
documented and approved by the board. Proper segregation of duties within and among the
various IT functions should be implemented to reduce the possibility for an individual to
compromise a critical process. A mechanism should be in place to ensure that personnel are
performing only the functions relevant to their respective jobs and positions. In the event that
an institution finds it difficult to segregate certain IT control responsibilities, it should put in
place adequate compensating controls (e.g. peer reviews) to mitigate the associated risks.

(2) IT policies, procedures and standards. IT controls, policies, and procedures are the foundation
of the IT governance structure. They help articulate the rules and procedures for making IT
decisions, and help to set, attain, and monitor IT objectives.

BSFIs should adopt and enforce IT-related policies and procedures that are well-defined
and frequently communicated to establish and delineate duties and responsibilities of
personnel for better coordination, effective and consistent performance of tasks, and quicker
training of new employees. Management should ensure that policies, procedures, and
systems are current and well-documented. The ITSC should review IT policies, procedures,
and standards at least on an annual basis. Any updates and changes should be clearly
documented and properly approved. IT policies and procedures should include at least the
following areas:

• IT Governance/ Management;
• Development and Acquisition;
• IT Operations;
• Communication networks;
• Information security;
• Electronic Banking/Electronic Products and Services; and
• IT Outsourcing/Vendor Management.

For simple BSFIs, some of the above areas (e.g., development, electronic banking) may not be
applicable; thus sound judgment should be employed to ensure that the BSFI’s IT policies and
procedures adequately cover all applicable areas.

(3) IT audit. Audit plays a key role in assisting the board in the discharge of its corporate
governance responsibilities by performing an independent assessment of technology risk
management process and IT controls.

Auditors provide assurance that important control mechanisms are in place for
detecting deficiencies and managing risks in the implementation of IT. They should be
qualified to assess the specific risks that arise from specific uses of IT. BSFIs should establish
effective audit programs that cover IT risk exposures throughout the organization, are
risk-focused, promote sound IT controls, and ensure the timely resolution of audit deficiencies and
periodic reporting to the Board on the effectiveness of the institution’s IT risk management,
internal controls, and IT governance. Regardless of size and complexity, the IT audit program
should cover the following:

• Independence of the IT audit function and its reporting relationship to the Board or its
Audit Committee;
• Expertise and size of the audit staff relative to the IT environment;
• Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits;
• Processes in place to ensure timely tracking and resolution of reported weaknesses; and
• Documentation of IT audits, including work papers, audit reports, and follow-up.

In case in-house IT audit expertise is not available, such as for a simple BSFI, IT audit
support may be performed by external specialists and auditors of other institutions consistent
with existing Bangko Sentral rules and regulations on outsourcing. (Detailed
guidelines/standards on IT audit are shown in Appendix 74.)

(4) Staff competence and training. The rapid development in technology demands appropriate,
skilled personnel to remain competent and meet the required level of expertise on an
ongoing basis.

BSFIs should have an effective IT human resources management plan that meets the
requirements for IT and the business lines it supports. Management should allocate sufficient
resources to hire and train employees to ensure that they have the expertise necessary to
perform their job and achieve organizational goals and objectives.

Management needs to ensure that staffing levels are sufficient to handle present and
expected work demands, and to cater reasonably for staff turnover. Appropriate succession
and transition strategies for key officers and personnel should be in place to provide for a
smooth transition in the event of turnover in vital IT management or operations functions.

(5) Management Information Systems (MIS). The BSFIs’ IT organization often provides an important
support role for their MIS. Accurate and timely MIS reports are an essential component of
prudent and reasonable business decisions. At the most senior levels, MIS provides the data
and information to help the Board and management make strategic decisions. At other
levels, MIS allows management to monitor the institution’s activities and distribute
information to other employees, customers, and members of management.

Advances in technology have increased the volume of information available to
management and directors for planning and decision-making. However, if technology is not
properly managed, the potential for inaccurate reporting and flawed decision making
increases. Because report generation systems can rely on manual data entry or extract data
from many different financial and transaction systems, management should establish
appropriate control procedures to ensure information is correct, relevant, and adequately
protected. Since MIS can originate from multiple equipment platforms and systems, the
controls should ensure all information systems have sufficient and appropriate controls to
maintain the integrity of the information and the processing environment. Sound fundamental
principles for MIS review include proper internal controls, operating procedures, safeguards,
and audit coverage.

(6) IT risk management function. Management of risk is a cornerstone of IT Governance. BSFIs
should have a policy requiring the conduct of identification, measurement, monitoring and
controlling of IT risks for each business function/service on a periodic basis. BSFIs should
define and assign these critical roles to a risk management unit or to a group of persons from
different units collectively performing the tasks defined for this function.

The function should have a formal technology risk acknowledgement and acceptance
process by the owner of risk to help facilitate the process of reviewing, evaluating and
approving any major incidents of non-compliance with IT control policies. The process can be
supported by the following:

• a description of risk being considered for acknowledgement by owner of risk and an
assessment of the risk that is being accepted;
• identification of mitigating controls;
• formulation of a remedial plan to reduce risk; and
• approval of risk acknowledgement from the owner of the risk and senior management.

ITRM processes should be integrated into the enterprise-wide risk management processes
to allow BSFIs to make well-informed decisions involving business plans and strategies, risk
responses, risk tolerance levels and capital management, among others.

b. Risk identification and assessment. BSFIs should maintain a risk assessment process that drives
response selection and controls implementation. An effective IT assessment process begins with
the identification of the current and prospective IT risk exposures arising from the institution’s IT
environment and related processes. The assessments should identify all information assets, any
foreseeable internal and external threats to these assets, the likelihood of the threats, and the
adequacy of existing controls to mitigate the identified risks. Management should continually
compare its risk exposure to the value of its business activities to determine acceptable risk
levels.

Once management understands the institution’s IT environment and analyzes the risk, it
should rank the risks and prioritize its response. The probability of occurrence and the
magnitude of impact provide the foundation for reducing risk exposures or establishing
mitigating controls for safe, sound, and efficient IT operations appropriate to the complexity of
the organization. Periodic risk assessment process should be done at the enterprise-wide level
and an effective monitoring program for the risk mitigation activities should be manifested
through mitigation or corrective action plans, assignment of responsibilities and accountability
and management reporting.

c. IT controls implementation. Controls comprise policies, procedures, practices and organizational
structures designed to provide reasonable assurance that business objectives will be achieved
and undesired events will be mitigated. Management should establish an adequate and effective
system of internal controls based on the degree of exposure and the potential risk of loss arising
from the use of IT. Controls for IT environment generally should address the overall integrity of
the environment and should include clear and measurable performance goals, the allocation of
specific responsibilities for key project implementation, and independent mechanisms that will
both measure risks and minimize excessive risk-taking. BSFI Management should implement
satisfactory control practices that address the following as part of its overall IT risk mitigation
strategy: 1) Information security; 2) Project management/development and acquisition and
change management; 3) IT operations; 4) IT outsourcing/Vendor management; and 5) Electronic
banking, Electronic payments, Electronic money and other Electronic products and services.

(1) Information security. Information is a vital asset of a BSFI that must be adequately protected
and managed to preserve its confidentiality, integrity and availability. Considering the crucial
role information plays in supporting business goals and objectives, driving core operations
and critical decision-making, information security is intrinsically linked to the overall safety
and soundness of BSFIs. Thus, the BSFI needs to put in place a robust, resilient and
enterprise-wide framework for ISRM supported by effective information security governance
and oversight mechanisms. Information security risk exposures must be managed to within
acceptable levels through a dynamic interplay of people, policies and processes, and
technologies and must be integrated with the enterprise-wide risk management system.

Management should adopt a holistic, integrated and cyclical approach to managing
information security risks. An ISRM framework should be in place encompassing key elements
and phases with effective governance mechanisms to oversee the entire process. The
framework represents a continuing cycle that should evolve over time taking into account
changes in the operating and business environment as well as the overall cyber-threat
landscape.

The ISRM framework is based upon the following underlying fundamental principles
and concepts:

(a) Strong leadership and effective Information Security (IS) governance and oversight. The
BSFI’s board and senior management set the overall tone and strategic direction for
information security by providing strong leadership, effective information security
governance and oversight. They should take the lead in establishing an information
security culture that regards security as an intrinsic part of the BSFI’s core business and
operations. Instilling a strong security culture ensures that security controls, processes,
and measures are deeply embedded into the institution’s lines of business, products,
services and processes, including its employees and external relationships. The board
and senior management should adopt the right mindset and understand the crucial role
of information security in supporting/achieving business goals and objectives. Towards
this end, they should oversee the development of an information security strategic plan
(ISSP) to clearly articulate security strategies and objectives aligned with business plans.

The BSFI should maintain a comprehensive, well-designed and effective information
security program (ISP) that is commensurate with its operational and IT profile
complexity. To ensure its effectiveness and sustainability, the ISP should have strong
support from the board and senior management as well as cooperation of all concerned
stakeholders. Management should see to it that adequate resources, organizational
functions/capabilities, policies, standards, and procedures as well as the supporting
infrastructure commensurate with the BSFI’s IT risk complexity and appetite are available
and optimized to effectively implement the ISSP and ISP. Lastly, the board and senior
management should appoint a chief information security officer (CISO), a senior level
executive with sufficient authority within the institution, who will be responsible and
accountable for the organization-wide ISP.

(b) Integrated, holistic and risk-based approach. The ISRM should form an integral part of the
BSFI’s ISP and enterprise risk management system. It encompasses the people, policies
and processes, and technology elements in the organization that should be harmonized
to support information security goals and objectives. Information security is not achieved
by merely focusing on technology or one aspect, and no one element is superior to the
others. Each of these elements must work together to achieve the desired security posture
and manage information security risks to acceptable levels. In line with the increasing
interconnectivity of BSFIs and other industry players, the ISRM should also consider
security controls and requirements over third party service providers, customers, banks,
and other third party stakeholders which are linked or have access to the BSFI’s network
and systems. This is because threat actors may launch their attacks on the BSFI through
these third party networks.

Likewise, the ISRM including cyber-risk management programs should be
commensurate with the inherent risks involved. This means that the BSFI’s information
security controls and maturity levels should be commensurate with its operations and
complexity of IT profile. In this regard, in determining whether a certain control
requirement is applicable to the BSFI, it shall first assess the complexity of its IT profile
pursuant to Sec. 148. BSFIs with complex IT profile are expected to implement the more
advanced security control measures and be at the higher levels of the information
security/cyber-maturity curve. BSFIs may also refer to leading standards and frameworks
issued by standard-setting bodies² on information security and cybersecurity in designing
their ISRM.

(c) Continuing cycle. The ISRM involves a continuing cycle consisting of the following six (6)
major phases:

(i) Identify. The starting point of the cycle is the identification of the BSFI’s information
security as well as cyber-related risks. Under this phase, management needs to
identify its business processes and functions, information assets classified as to
sensitivity and criticality, threats and vulnerabilities, interconnections, and security
architecture. Identification of these factors facilitates BSFI’s understanding and
assessment of its inherent information security and cyber risks which are key inputs
in determining, designing, and implementing the appropriate risk treatment options.

(ii) Prevent. After identifying these key factors and assessing the information security and
cyber risks, the prevent phase comes into play where adequate protection
mechanisms and controls are designed and implemented. These include measures
ranging from baseline to advanced tools and approaches such as defense-in-depth,
malware prevention, access controls and cybersecurity awareness programs, among
others. These preventive controls are generally categorized into three (3) types, as
follows:

(aa) Administrative controls – refer to the policies, standards, and procedures in place
which articulate Management’s intent, expectations, and direction on information
security. They also include security training and awareness programs and
personnel security practices designed to prevent unwarranted employee
behavior.

(bb) Physical and environmental controls – pertain to the security controls and measures
implemented to protect physical infrastructure such as data centers, computer
facilities, and equipment from damage, unauthorized access or environmental
hazards.

(cc) Technical controls – refer to the logical security controls, security tools, and
technologies to ensure that the confidentiality, integrity, and availability
objectives for information assets are achieved.

(iii) Detect. Detection capabilities should also be in place as prevention alone is not
sufficient. As demonstrated in recent cyberattacks, the ability of an institution to
quickly detect anomalous activities and evaluate the scope of an attack is an
important aspect in significantly reducing negative impacts. Management should
design and implement effective detection controls over the BSFI’s networks, critical
systems and applications, access points, and confidential information.

(iv) Respond. The response phase is triggered upon confirmation of an occurrence of a
cyber-attack or security incident affecting the BSFI and its customers. With the
growing incidence of sophisticated cybercrimes and threats, the BSFI should be
prepared to respond quickly considering that cyber-attacks are no longer a remote
possibility. Therefore, it should develop comprehensive, updated, and tested incident
response plans supported by well-trained incident responders, investigators, and
forensic data collectors. Through adequate response capabilities, the BSFI should be
able to minimize and contain the damage and impact arising from security incidents,
immediately restore critical systems and services, and facilitate investigation to
determine root causes.

(v) Recover. This phase encompasses both the resumption of activities at a level which is
considered “good enough for a certain period of time” and full recovery, i.e., an
eventual return to full service. Management should be able to establish back-up
facilities and recovery strategies to ensure the continuity of critical operations. During
the recovery phase, it should ensure that information processed using back-up
facilities and alternate sites still meet acceptable levels of security. To achieve cyber
resilience, the BSFI should consider information security incidents and cyber-related
attack scenarios in its business continuity management and recovery processes.

(vi) Test. The BSFI needs to continually assess and test controls and security measures
implemented under the prevent, detect, respond, and recover phases to ensure that
these are effective and working as intended. Likewise, a comprehensive, systematic
and layered testing and assurance program covering security processes and
technologies should be in place. This is to ensure that the ISRM is on track in
providing appropriate level of information security commensurate with the BSFIs’ IT
profile complexity. This phase also ensures that both the ISSP and ISP remain
effective vis-à-vis the fast-evolving cyberthreat landscape.

(d) Cyber threat intelligence and collaboration. In response to the growing cyber-threat
landscape, BSFIs need to step up their information security posture and resilience beyond
their respective networks. Likewise, BSFIs need to enhance situational awareness that
would provide a keen sense of the threat landscape as it relates to their IT risk and
cyber-risk profiles, operating complexities, and business models. Further, BSFIs need to
collaborate with each other, including regulators, law enforcement agencies, and other
third party stakeholders for a collective, coordinated, and strategic response through
information sharing and collaboration. Information sharing allows BSFIs to enhance threat
intelligence that enables quick identification, prevention and response to emerging and
persistent threats. (Detailed guidelines/standards on information security are shown in
Appendix 75)

(2) Project management/development and acquisition and change management. BSFIs should
establish a framework for management of IT-related projects. The framework should clearly
specify the appropriate project management methodology that will govern the process of
developing, implementing and maintaining major IT systems. The methodology, on the other
hand, should cover allocation of responsibilities, activity breakdown, budgeting of time and
resources, milestones, checkpoints, key dependencies, quality assurance, risk assessment
and approvals, among others. In the acquisition and/or development of IT solutions, BSFIs
should ensure that business and regulatory requirements are satisfied. (Detailed
guidelines/standards on Project Management/Development and Acquisition and Change
Management are shown in Appendix 76)

(3) IT operations. IT has become an integral part of the day-to-day business operation,
automating and providing support to nearly all of the business processes and functions within
the institution. Therefore, the IT systems should be reliable, secure and available when
needed which translates to high levels of service and dependency on IT to operate.

One of the primary responsibilities of IT operations management is to ensure the
institution’s current and planned infrastructure is sufficient to accomplish its strategic plans.
BSFI management should ensure that IT operates in a safe, sound, and efficient manner
throughout the institution. Given that most IT systems are interconnected and
interdependent, failure to adequately supervise any part of the IT environment can heighten
potential risks for all elements of IT operations and the performance of the critical business
lines of the BSFIs. Such scenario necessitates the coordination of IT controls throughout the
institution’s operating environment. (Detailed guidelines/standards on IT Operations are
shown in Appendix 77)

(4) IT outsourcing/vendor management program. IT outsourcing refers to any contractual
agreement between a BSFI and a service provider or vendor for the latter to create, maintain,
or reengineer the institution’s IT architecture, systems and related processes on a continuing
basis. A BSFI may outsource IT systems and processes except those functions expressly
prohibited by existing regulations. The decision to outsource should fit into the institution’s
overall strategic plan and corporate objectives and said arrangement should comply with the
provisions of existing Bangko Sentral rules and regulations on outsourcing. Although the
technology needed to support business objectives is often a critical factor in deciding to
outsource, managing such relationships should be viewed as an enterprise-wide corporate
management issue, rather than a mere IT issue.

While IT outsourcing transfers operational responsibility to the service provider, the BSFIs
retain ultimate responsibility for the outsourced activity. Moreover, the risks associated with
the outsourced activity may be realized in a different manner than if the functions were inside
the institution resulting in the need for controls designed to monitor such risks.

BSFI management should implement an effective outsourcing oversight program that
provides the framework for management to understand, monitor, measure, and control the
risks associated with outsourcing. BSFIs outsourcing IT services should have a comprehensive
outsourcing risk management process which provides guidance on the following areas: 1) risk
assessment; 2) selection of service providers; 3) contract review; and 4) monitoring of service
providers. Detailed guidelines/standards on IT Outsourcing/ Vendor Management and on the
adoption of outsourced cloud computing model are shown in Appendix 78.

(5) Electronic products and services. The evolution in technology revolutionized the way banking
and financial products and services are delivered. Physical barriers were brought down
enabling clients to access their accounts, make transactions or gather information on
financial products and services anywhere they are, at any time of the day and at their own
convenience. As development in technology continues to accelerate, innovative electronic
products and services are foreseen to bring more accessibility and efficiency. However, BSFIs
may be confronted with challenges relating to capacity, availability and reliability of the
electronic services. Likewise, fraudulent activities via electronic channels are also rising in
number.

BSFIs should protect customers from fraudulent schemes done electronically. Otherwise,
consumer confidence to use electronic channels as safe and reliable method of making
transactions will be eroded. To mitigate the impact of cyber fraud, BSFIs should adopt an
aggressive security posture, such as the following:

(a) The entire ATM system shall be upgraded/converted to allow adoption of end-to-end Triple
DES (3DES) encryption standards by 01 January 2015. The 3DES encryption standards
shall cover the whole ATM network which consists of the host processors, switches, host
security module (HSM), automated teller machines (ATMs), point-of-sale (POS) terminals
and all communication links connected to the network;

(b) ATMs to be installed after 04 September 2014 should be 3DES compliant; and

(c) ATMs, POS terminals and payment cards are also vulnerable to skimming attacks due to
the lack of deployment of globally recognized EMV enabled technology by BSFIs.
Magnetic stripe only ATMs, POS Terminals and cards are largely defenseless against
modern fraud techniques. Therefore, all concerned BSFIs should shift from magnetic
stripe technology to EMV chip-enabled cards, POS Terminals and ATMs. The entire
payment card network should be migrated to EMV. This requirement shall cover both
issuing and acquiring programs of concerned BSFIs. A written and board-approved EMV
migration plan should be submitted to the appropriate supervising department of the
Bangko Sentral within six (6) months from 22 August 2013. The guidelines on EMV
Implementation are shown in Appendix 112. The guidelines on the EMV Card Fraud Liability
Shift Framework (ECFLSF) are in Appendix 113.³

Detailed guidelines/standards on Electronic Products and Services are shown in Appendix 79.

d. Risk measurement and monitoring. BSFI Management should monitor IT risks and the effectiveness
of established controls through periodic measurement of IT activities based on internally
established standards and industry benchmarks to assess the effectiveness and efficiency of
existing operations. Timely, accurate, and complete risk monitoring and assessment reports
should be submitted to management to provide assurance that established controls are
functioning effectively, resources are operating properly and used efficiently and IT operations
are performing within established parameters. Any deviation noted in the process should be
evaluated and management should initiate remedial action to address underlying causes. The
scope and frequency of these performance measurement activities will depend on the
complexity of the BSFI’s IT risk profile and should cover, among others, the following:

(1) Performance vis-à-vis approved IT strategic plan. As part of both planning and monitoring
mechanisms, BSFI management should periodically assess its uses of IT as part of overall
business planning. Such an enterprise-wide and ongoing approach helps to ensure that all
major IT projects are consistent with the BSFI’s overall strategic goals. Periodic monitoring of
IT performance against established plans shall confirm whether IT strategic plans remain in
alignment with the business strategy and the IT performance supports the planned strategy.

(2) Performance benchmarks/service levels. BSFIs should establish performance benchmarks or
standards for IT functions and monitor them on a regular basis. Such monitoring can identify
potential problem areas and provide assurance that IT functions are meeting the objectives.
Areas to consider include system and network availability, data center availability, system
reruns, out of balance conditions, response time, error rates, data entry volumes, special
requests, and problem reports.

Management should properly define services and service level agreements (SLA) that
must be monitored and measured in terms understandable to the business units. SLA with
business units and IT department should be established to provide a baseline to measure IT
performance.

(3) Quality assurance/quality control. BSFI should establish quality assurance (QA) and quality
control (QC) procedures for all significant activities, both internal and external, to ensure that
IT is delivering value to business in a cost effective manner and promotes continuous
improvement through ongoing monitoring. QA activities ensure that a product conforms to
specification and is fit for use, while QC procedures identify weaknesses in work products
to avoid the resource drain and expense of redoing a task. The personnel performing QA and
QC reviews should be independent of the product/process being reviewed and use
quantifiable indicators to ensure objective assessment of the effectiveness of IT activities in
delivering IT capabilities and services.

(4) Policy compliance. BSFIs should develop, implement, and monitor processes to measure IT
compliance with their established policies and standards as well as regulatory requirements.
In addition to the traditional reliance on internal and third party audit functions, BSFIs should
perform self-assessments on a periodic basis to gauge performance, which often leads to early
identification of emerging or changing risks requiring policy changes and updates.

(5) External assessment program. Complex BSFIs may also seek regular assurance that IT assets
are appropriately secured and that their IT security risk management framework is effective.
This may be executed through a formal external assessment program that facilitates a
systematic assessment of the IT security risk and control environment over time.

Reporting and notification standards. In line with the increased reliance on and adoption of
technology by BSFIs, along with growing concerns on cybersecurity, BSFIs should submit regular and
event-driven reports covering technology-related information as well as incidence of major
cyber-attacks and operational disruptions. This will enable the Bangko Sentral to have an enhanced
visibility on the changing IT risk landscape and to proactively ensure that the impact and risks arising
from cyber-related incidents and operational disruptions are minimized and contained to avert potential
systemic risks to the financial system.

a. Reporting requirement. BSFIs are required to submit to the Bangko Sentral the following
reports/information:

(1) Periodic reports. BSFIs shall submit an Annual IT Profile, as listed in Appendix 7, electronically
to the appropriate supervising department of the Bangko Sentral within twenty-five (25) days
from the end of reference year.

(2) Event-driven reports. BSFIs shall notify the Bangko Sentral upon discovery of any of the
following:

(a) Reportable Major Cyber-related Incidents. These cover all events which may seriously
jeopardize the confidentiality, integrity or availability of critical information, data or
systems of BSFIs, including their customers and other stakeholders. Reporting of such
incidents to the Bangko Sentral should form part of the incident management plan of
BSFIs.

An incident is considered a reportable major cyber-related incident, if after assessing
the nature of the incident or attack, the BSFI has determined that the same:

(i) resulted in unauthorized access and infiltration into the BSFI’s internal network
(i.e., hacking, advanced persistent threats, presence of malware);
(ii) involved a system-level compromise (i.e., attacks on BSFI’s core systems, as opposed
to phishing attempts of individual clients);
(iii) affected a significant number of customer accounts simultaneously;
(iv) involved significant data loss or massive data breach;
(v) indicated spearphishing attacks targeting the BSFIs’ directors, senior executives,
officers, or privileged users;
(vi) resulted in the unavailability of critical systems/services (e.g., Distributed Denial of
Service (DDoS) attack resulting in service outage);
(vii) inflicted material financial losses to the BSFIs, their customers and other stakeholders;
or
(viii) has been suspected to be perpetrated by an advanced threat actor.

(b) Disruptions of financial services and operations. These include disruption of critical
operations which lasts for more than two (2) hours due to internal and external threats,
which may be natural, man-made or technical in origin. Such scenarios usually involve
loss of personnel, technology, alternate site, and service providers. Causes of such
interruptions include, but are not limited to fire, earthquakes, flood, typhoon, long-term
power outage, technical malfunctions, pandemics and other threats.

Security events/attacks which are normally prevented by security systems/devices
need not be reported to the Bangko Sentral, except if the same involve significant
financial value and/or a multitude of customer accounts beyond the BSFI’s reasonable threshold
levels. For instance, an attempt to fraudulently transfer funds involving large sums of
money requires immediate notification to the Bangko Sentral as this can be a signal of
impending attacks to other BSFIs.

b. Procedure for event-driven reporting. The following procedures shall be followed by BSFIs in
reporting reportable major cyber-related incidents and/or disruptions of financial services and
operations stated in Item “a(2)” of this Section (Reporting and Notification Standards):

(1) The BSFIs’ Compliance Officer and/or BSFI-designated Officer shall notify the appropriate
supervising department of the Bangko Sentral within two (2) hours from discovery of the
reportable major cyber-related incidents and/or disruptions of financial services and
operations stated in Item “a(2)” of this Section (Reporting and Notification Standards), in
accordance with Appendix 7.

(2) The BSFIs shall disclose, at the minimum, the nature of the incident and the specific system
or business function involved.

(3) Within twenty-four (24) hours from the time of the discovery of the reportable major
cyber-related incident and/or disruption, a follow-up report should be sent to the appropriate
supervising department of the Bangko Sentral through e-mail indicating the following, as
applicable:

(a) nature of the incident;
(b) manner and time of initial detection;
(c) impact of the incident based on initial assessment (e.g., length of downtime, number of
affected customers/accounts, number of complaints received, value of transactions
involved);
(d) initial response or actions taken/to be taken (e.g., conduct of root cause analysis) with
respect to the incident; and
(e) information if the incident resulted in activation of the Business Continuity Plan (BCP)
and/or Crisis Management Plan (CMP).
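The reportability tests in Item a(2)(a)-(b) and the two clocks in Items b(1) and b(3) above are the kind of rule a SOC benefits from encoding once, so that the decision is made the same way at every discovery and the deadlines are computed from the right starting point (discovery, not occurrence or containment). The helper below is an added example for this page; it is not text from the Manual and not a Bangko Sentral tool. The account-count and peso thresholds standing in for "significant number of customer accounts", "material financial losses" and "beyond BSFI's reasonable threshold levels" are assumed placeholders, since Sec. 148 leaves those levels to each BSFI; the sample incidents are constructed, not real events.

```python
"""
Triage helper for the event-driven reporting rules in Sec. 148 (Items a(2) and b
of the Reporting and notification standards). Added example, not text from the
Manual. Institution-specific thresholds below are ASSUMED placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ASSUMED thresholds: Sec. 148 leaves "significant", "material" and
# "reasonable threshold levels" to the BSFI. Replace with board-approved values.
SIGNIFICANT_ACCOUNTS = 1_000
SIGNIFICANT_VALUE_PHP = 10_000_000.0

NOTIFY_WITHIN = timedelta(hours=2)         # Item b(1): notify supervising department
FOLLOW_UP_WITHIN = timedelta(hours=24)     # Item b(3): follow-up report by e-mail
DISRUPTION_THRESHOLD = timedelta(hours=2)  # Item a(2)(b): lasting "more than two (2) hours"


@dataclass
class Incident:
    discovered_at: datetime                          # both clocks run from discovery
    internal_network_compromised: bool = False       # a(2)(a)(i): hacking, APT, malware present
    core_system_compromised: bool = False            # a(2)(a)(ii): core systems, not client phishing
    affected_accounts: int = 0                       # a(2)(a)(iii)
    significant_data_breach: bool = False            # a(2)(a)(iv)
    spearphishing_privileged: bool = False           # a(2)(a)(v): directors, executives, privileged users
    critical_service_unavailable: bool = False       # a(2)(a)(vi): e.g., DDoS causing an outage
    financial_loss_php: float = 0.0                  # a(2)(a)(vii)
    suspected_advanced_actor: bool = False           # a(2)(a)(viii)
    critical_ops_downtime: timedelta = timedelta(0)  # a(2)(b)
    prevented_by_controls: bool = False              # exception paragraph: blocked before impact
    value_involved_php: float = 0.0                  # value of transactions attempted/involved


def reportability_reasons(inc: Incident) -> list[str]:
    """Items of Sec. 148 the incident trips; an empty list means it is not reportable."""
    if inc.prevented_by_controls:
        # Events stopped by security controls are exempt unless they exceed the BSFI's
        # thresholds, e.g. a blocked fraudulent transfer of a large sum (a signal to other BSFIs).
        over = (inc.value_involved_php >= SIGNIFICANT_VALUE_PHP
                or inc.affected_accounts >= SIGNIFICANT_ACCOUNTS)
        return ["prevented attack beyond BSFI threshold levels"] if over else []
    checks = [
        (inc.internal_network_compromised, "a(2)(a)(i) unauthorized access to internal network"),
        (inc.core_system_compromised, "a(2)(a)(ii) system-level compromise"),
        (inc.affected_accounts >= SIGNIFICANT_ACCOUNTS, "a(2)(a)(iii) significant number of accounts"),
        (inc.significant_data_breach, "a(2)(a)(iv) significant data loss or breach"),
        (inc.spearphishing_privileged, "a(2)(a)(v) spearphishing of directors/officers/privileged users"),
        (inc.critical_service_unavailable, "a(2)(a)(vi) critical systems/services unavailable"),
        (inc.financial_loss_php >= SIGNIFICANT_VALUE_PHP, "a(2)(a)(vii) material financial losses"),
        (inc.suspected_advanced_actor, "a(2)(a)(viii) suspected advanced threat actor"),
        (inc.critical_ops_downtime > DISRUPTION_THRESHOLD, "a(2)(b) critical operations disrupted > 2 hours"),
    ]
    return [label for hit, label in checks if hit]


def notification_deadlines(inc: Incident) -> dict[str, datetime]:
    """Item b(1) and b(3) deadlines, both counted from the time of discovery."""
    return {
        "initial_notification_due": inc.discovered_at + NOTIFY_WITHIN,
        "follow_up_report_due": inc.discovered_at + FOLLOW_UP_WITHIN,
    }


def triage(inc: Incident) -> dict:
    """Decision record to attach to the incident ticket."""
    reasons = reportability_reasons(inc)
    record = {"reportable": bool(reasons), "reasons": reasons}
    if reasons:
        record.update({k: v.isoformat() for k, v in notification_deadlines(inc).items()})
    return record


def sample_incidents() -> dict[str, Incident]:
    """Constructed cases (not real events) exercising the criteria and the exception."""
    t0 = datetime(2024, 3, 1, 10, 15, tzinfo=timezone.utc)
    return {
        "ddos_outage": Incident(t0, critical_service_unavailable=True,
                                critical_ops_downtime=timedelta(hours=3)),
        "blocked_phish": Incident(t0, prevented_by_controls=True, affected_accounts=12,
                                  value_involved_php=50_000),
        "blocked_large_transfer": Incident(t0, prevented_by_controls=True,
                                           value_involved_php=25_000_000),
        "short_outage": Incident(t0, critical_ops_downtime=timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, triage(inc))
```

Two edge cases are worth noting in the code: an outage of exactly two hours does not meet Item a(2)(b), which requires a disruption of more than two hours, and an attack that controls prevented is reported only when it exceeds the BSFI's own thresholds. The helper covers only the Sec. 148 event-driven report; the separate reporting of crimes and losses under Sec. 173 (Item d below) still applies.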

c. Verification of root cause. Depending on the nature and severity of the reported
incident/disruption, the Bangko Sentral may require BSFIs to provide additional information or
updates until the matter is satisfactorily resolved. Likewise, the Bangko Sentral may conduct
special examination or overseeing inspection, if necessary, to verify root cause of the incident,
assess the impact to the BSFI and the financial system as a whole, identify areas for
improvement to prevent recurrence of the incident, and promote enterprise and industry-wide
operational resilience.

d. Compliance with reporting of crimes and losses. Compliance with event-driven report
requirement shall not excuse BSFIs from complying with the existing rules on the reporting of
crimes and losses under Sec. 173 (Report on crimes/losses). Likewise, any cyber-related incident
which does not qualify as a reportable major cyber-related incident and other disruptions arising
from crimes and losses must be reported to the Bangko Sentral in accordance with the aforesaid
regulations. Operational risk events which are covered under Item “a(2)” on the event-driven
reporting and notification requirements shall no longer require separate reporting and
notification pursuant to Sec. 146 (Notification/Reporting to Bangko Sentral).

e. Information gathering. Should the conduct of in-depth studies and research on certain
technology developments or key areas of concern relating to technology risk and cybersecurity be
warranted, the Bangko Sentral may, from time to time, request BSFIs to submit specific data and
information thereon through surveys, questionnaires or other means.

Sanctions and penalties. BSFIs should make available all policies and procedures and other
documents/requirements related to the foregoing during on-site examination, as well as provide copies
thereof to the Bangko Sentral when a written request is made to determine their compliance with this
Section.

a. Non-compliance with the requirements in Item “b” of this Section (Reporting and notification
standards) will be subject to “High” penalty level monetary sanctions pursuant to Sec. 1102
(Guidelines on the imposition of monetary penalties).
b. Consistent with Sec. 002, the Bangko Sentral may deploy applicable enforcement actions on the
BSFI and/or its directors, officers, and/or employees for violations of this requirement.
c. Annual IT Profile and other periodic reports which have been considered erroneous, delayed or
unsubmitted shall be subject to the penalties for Category B reports under Sec. 171
(Sanctions on reports for non-compliance with the reporting standards).

(Circular Nos. 1019 dated 31 October 2018, 982 dated 9 November 2017, 958 dated 25 April 2017, 936 dated 28 December 2016, 859 dated 24
November 2014, and 833 dated 28 May 2014)

Footnotes
1. BSFIs shall comply with the Enhanced Guidelines on Information Security Management within a period of
one (1) year from 5 December 2017. In this regard, a BSFI should be able to show its plan of actions with
specific timelines, as well as the status of initiatives being undertaken to fully comply with the provisions
of this circular, upon request of the Bangko Sentral starting December 2017.
2. US National Institute of Standards and Technology (NIST), ISO/IEC, ISACA and the Committee on Payments
and Market Infrastructures (CPMI), among others.
3. This paragraph shall take effect on 01 January 2017.
