BSP requires quick reporting of cyber-related, ATM attacks » Manila Bulletin News

Manila Bulletin Philippines

Breaking News from the Nation's leading newspaper


Online Newspaper

Showbiz and Celebrity News

Sports News

World News
News Asia

BSP requires quick reporting of cyber-related, ATM attacks


By Lee Chipongian

Since cyber threats in the banking system occur on a daily basis, the central bank has tightened its rules in the reporting of such incidence to be able to contain its spread and damage.

Bangko Sentral ng Pilipinas (BSP.GOV.PH / MANILA BULLETIN)

Bangko Sentral ng Pilipinas

On October 31, 2018 Bangko Sentral ng Pilipinas (BSP) Circular No. 1019 (Tech­nology and Cyber-Risk Reporting and Notification Requirements) as it tightened reporting of major cyber-related issues, in­cluding system attacks on automated teller machines (ATMs), from within 10 days after it happened to within two hours from first detection.

When or if hit, local banks are ordered to submit to the BSP a follow-up report within 24 hours of the incident and this should contain information such as the manner and time of initial detection, impact of the incident, and initial remedial response.

Quick reporting is key in stopping cyber-related crimes from spreading. The BSP said this is necessary due to the “speed of exploitation, proliferation of attack tools and actors, and potentially massive extent of damage.”

The BSP circular has detailed guidelines for banks’ periodic reports (or annual IT profile) and event-driven reports on cyber-re­lated issues. Reportable major cyber-related crimes are everything that would “seriously jeopardize the confidentiality, integrity or availability of critical information, data or systems of BSP supervised financial institu­tions.” These would include “compromised state” when someone or something has ma­liciously broken into networks, systems and computers; data breach; hacking; pharming (a form of cyber attack that redirects website traffic to a fake website); spearphishing; and threat actor (a person, an organized group or government that has superior capabilities to cause major damage to institutions).

What doesn’t need immediate reporting or not considered as major reportable incidents are security events and/or attacks which could be stopped by security systems. However, these could become major incidents if there are a mul­titude of customer accounts that were hit such as fraudulent transfer of large sums of money.

This is to prevent further disruptions of financial services and operations such as when a data breach has occurred. The BSP described data breach as “an incident in which sensitive, protected or confidential data or information has potentially been viewed, stolen, leaked, used or destroyed by unauthorized persons.

Financial institutions continuously watch out for bigger threats such as massive data breach and financial losses resulting in com­promised cyber security systems.

The incidents at the Bank of the Philip­pine Islands (BPI) and BDO Unibank, Inc. in 2017 were very much publicized, though both claimed they did not involve loss of money. But most incidents did not come out openly and were known only by the bank involved and its regulator, the Bangko Sentral ng Pilipinas (BSP).

But cyber attacks have become so brazen that there is now a strong clamor for public disclosure. This was highlighted by the 2016’s cyberheist by an international group of hack­ers who stole Bangladesh Bank money from the Federal Reserve Bank of New York and funneled $81 million of cash to a local bank.

Recently, US cyber security software provider Symantec, issued a global warning after it allegedly discovered how the Lazarus cyber crime group deployed the so-called “FASTCash” that are hitting ATMs in Asia and other parts of the globe. FASTCash works by emptying ATM accounts. The warning on massive ATM attacks which fall as a data breach were just one of several that have already been issued this year by several governments, mainly the US which warned the world about the Lazarus’ ATM cash thieving back in October.

Recently, Microsoft has commissioned a study with Frost & Sullivan on cybersecurity risks where it estimated that in 2017, a finan­cial services firm located in Asia Pacific that has been targeted incurred an economic loss of $7.9 million. The study noted that about 56 percent of financial services companies have had cyber security incidents last year, whether they are aware of it or not.

Regulators expect more ATM-related crimes
A number of banks are still transition­ing to the EMV (Europay Mastercard Visa) regime even as deadline for compliance already expired in June 30 this year.
EMV is a global standard for chip-based technology for credit, debit and prepaid payment cards. Also known as smart cards, these payment cards contain a small micro­processor, which is basically a small com­puter chip that contains all the information and security features. These chip cards are more secure than the traditional magstripe payment/ATM cards. Skimming or illegally copying magstripe cards to gain access to ATM accounts is the most common crime for the old cards.

In the months before the full migration deadline to EMV technology, BSP Deputy Governor Chuchi G. Fonacier had antici­pated that fraudsters would step up their illegal activity to take advantage of banks that have yet to shift to EMV.

The EMV compliance includes soft­ware updates, upgrading ATM and POS terminals, and replacing credit cards, debit and prepaid cards.
In anticipation of fraudulent at­tacks, the BSP implemented the EMV Card Fraud Liability Shift Framework in 2017 to discourage banks from delay­ing the EMV migration process.

The liability shift addresses the liability and resolution of disputes on fraudulent transactions. Essentially, the banks or the issuing banks that have yet to adopt the EMV technology will shoulder all liability from fraud.

The EMV compliance was reiterat­ed when the BSP released the revised reporting rule on cyber security issues last October 31.

The BPI and BDO incidents were in the news for different reasons. BPI said it suffered an electronic glitch that resulted in massive mispostings of their debit and credit transactions but they insisted it wasn’t a cyber security attack.

BDO, on the other hand, dealt with ATM skimming that victimized a number of cardholders. They resolved it – as most banks do – by reimburs­ing customers after they have filed disputes claims.

BSP Governor Nestor A. Espenilla Jr. has said that what hap­pened to both banks was a threat that banks face on a daily basis. The Bank­ers Association of the Philippines said inter­nal glitches or ATM hits are common incidents and at the end of the day, these glitches do not affect banks’ ability to provide service to clients.

Still, BPI and BDO were called by the Senate Committee on Banks, Financial Institutions and Currencies to explain the situation and more importantly, to enlighten the banking public.

Related Posts