Security Will Define the Winners: Inside BSP’s Cybersecurity Push

A Proposed New Cybersecurity Mandate from the BSP

With the many advancements in technology, cyberthreats are no longer distant risks. The reality is that there is an inherent exposure to imminent danger.

The Bangko Sentral ng Pilipinas (BSP) has recently proposed a mandatory Cybersecurity Control Self-Assessment (CCSA) for financial institutions, which marks a major shift in how the sector should approach digital security.

As digital finance expands and cyber fraud losses rise, this proposal could reshape compliance and risk management in the Philippine financial ecosystem.

Rising Cyber Threats in the Philippine Financial System

As digital banking and payment platforms continue to improve and gain wider use among the general public, they bring such risks with them.

According to BSP data, in early 2025, 76% of financial fraud losses came from social engineering attacks. Some of these included phishing, identity theft, and account takeovers. This emphasizes a crucial problem: cybersecurity is not just an IT concern; it has become a business survival problem.

Hence, the proposed CCSA will require BSP-supervised financial institutions (BSFIs) to:

  • Evaluate their cybersecurity maturity
  • Catch up with and measure themselves against global best practices
  • Identify vulnerabilities and lapses
  • Build a roadmap for stronger security frameworks

Furthermore, this will be supported by a Cybersecurity Maturity Framework (CMF), which assesses crucial areas such as information security governance, risk management, security controls, and threat intelligence and collaboration. Institutions will then be classified according to their maturity level:

  • Foundational – Basic cybersecurity practices are present but inconsistent and reactive, and usually not fully standardized.
  • Established – Cybersecurity policies are defined, and procedures are implemented consistently in key areas of the organization.
  • Managed – Cybersecurity procedures are actively monitored, measured, and improved using data derived from risk management.
  • Optimized – Cybersecurity is fully integrated into business operations and strategies, along with continuous improvement, automation, and advanced intelligence on threats and issues.

Why This Matters for Businesses

Stronger regulation of financial institutions has a direct impact on:

  • How secure your transactions are
  • How data is protected against threats
  • How resilient your financial partners are during cyber incidents


Moreover, this also highlights a broader trend: authorities are shifting from reactive compliance to much more proactive risk management.

For growing businesses, this presents both a challenge and an opportunity. The main challenge is keeping up with continually evolving compliance expectations, while the opportunity is to build trust by implementing stronger internal controls and cybersecurity awareness.

In Conclusion

Although this is currently only a proposal, it is important to view it as a wake-up call for businesses and financial institutions to review their internal controls over financial matters and IT processes.

This development can be the starting point to assess current cybersecurity measures, identify weaknesses, and prepare for a stricter regulatory environment.

Indeed, the future of finance is digital, and security will be the defining factor between those who can adapt and those who will fall behind. If you’re looking to strengthen your position and stay ahead of evolving cyber risks, partner with Babylon2k — where compliance meets technology, and expertise drives resilience.

Reference: Exposure Draft of CCSA Requirement – BSP 
