DailyGlimpse

Philippine Central Bank Mandates Cybersecurity Self-Assessments for Financial Firms

May 2, 2026 · 1:26 AM

The Bangko Sentral ng Pilipinas (BSP) has issued a new directive requiring banks and other financial institutions to conduct regular self-assessments of their cybersecurity measures, aiming to bolster the financial system's resilience amid rising digital threats.

Under Circular No. 1232, released on April 27, the central bank introduced a Cybersecurity Maturity Framework that provides a structured approach for institutions to evaluate and enhance their defenses across key risk and control areas. The framework is accompanied by a Cybersecurity Control Self-Assessment Tool—a questionnaire designed to help firms benchmark their current practices and identify pathways for improvement.

Institutions will be rated across four maturity levels: from “foundational,” indicating minimal controls, to “optimized,” reflecting advanced, proactive cybersecurity postures. The BSP emphasized a risk-based approach, noting that supervised institutions must achieve maturity tiers aligned with their risk profiles, while being encouraged to continuously strengthen their capabilities.

The initial self-assessment must be submitted within 60 calendar days after the release of reporting guidelines. The BSP stated that the tool will also help regulators monitor emerging cyber trends and industry practices.

According to central bank data, social engineering schemes—where criminals manipulate individuals into revealing sensitive information—were the most prevalent cyber threat in the Philippines last year, accounting for 76% of total fraud losses. BSP Deputy Governor Lyn Javier noted that this trend reflects a shift from attacks on technical vulnerabilities to those exploiting the human element, posing growing challenges for regulators. A major cyberattack, she warned, could erode public trust in the financial system and trigger bank runs, potentially causing liquidity and capital strains.

The cybersecurity maturity model is part of a broader series of policy and supervisory reforms by the BSP, including new regulations on application programming interfaces (APIs).