BSP cyber rules push banks past compliance

By Staff Writer
Philippine banks are being urged to treat a new cybersecurity self-assessment requirement as more than a regulatory checklist, with global cybersecurity firm Kaspersky saying the policy could strengthen protection for all Filipino financial consumers if used properly.
Kaspersky issued the call after the Bangko Sentral ng Pilipinas introduced new rules governing cybersecurity oversight of banks and other financial institutions.
Under BSP Circular No. 1232, dated April 27, 2026, the central bank introduced a Cybersecurity Maturity Framework and replaced its previous information technology rating system with the Supervisory Assessment Framework, or SAFr, according to reports on the BSP issuance.
The framework includes the Cybersecurity Control Self-Assessment, or CCSA, as a key compliance tool for BSP-supervised financial institutions.
All BSP-supervised financial institutions, or BSFIs, are required to regularly measure and report the strength of their cybersecurity practices under the new framework.
“The Philippine government is taking concrete steps to raise the bar for cybersecurity across the financial system, and banks must move with the same urgency. Compliance is no longer a box to tick. Institutions that use the CCSA to drive real improvements will not only meet regulatory expectations but will be far better positioned to defend their customers against the growing threat landscape,” said Heng Lee, Kaspersky’s Director of Government Affairs and Public Policy for Asia Pacific.
Kaspersky said the timing of the BSP requirement is critical as banks face increasingly complex cyberthreats tied to the growth of digital financial services.
A 2025 report by the Security Operations Center Capability Maturity Model, or SOC-CMM, found that 58 percent of organizations globally were falling short of their own maturity targets, a gap Kaspersky said the new BSP framework could expose among local banks.
The cybersecurity firm said banks should take their CCSA results seriously and use them to identify real weaknesses in their defenses.
When the assessment reveals gaps in security operations center maturity, detection capabilities, or incident response readiness, Kaspersky said banks should treat the findings as action items rather than mere regulatory disclosures.
The company also urged banks to go beyond the minimum requirements set by the BSP.
Kaspersky said the CCSA establishes a baseline, but internationally recognized tools such as the SOC-CMM can measure security maturity more granularly across people, processes, and technology.
Banks that benchmark against both frameworks will have a clearer picture of their actual cybersecurity posture, the firm said.
Kaspersky also warned against a common weakness in security operations centers, where teams are built mainly to react to cyber incidents rather than prevent them.
The firm said many security operations centers process large volumes of alerts without addressing the root causes of poor detection quality.
Institutions that use the CCSA to identify and correct this pattern will likely see the most meaningful improvements, Kaspersky said.
The company also said banks should rethink how they measure cybersecurity performance.
Kaspersky said speed, including how quickly alerts are triaged or incidents are closed, should not be the only yardstick for success.
Detection quality and the overall resilience of a security program matter just as much, the firm said.
Kaspersky said these metrics can also serve as strong evidence of compliance under the new BSP framework.
The BSP, as the country’s central bank and financial regulator, supervises banks and other financial institutions as part of its mandate to promote monetary and financial stability.
The new cybersecurity requirement comes as more Filipinos rely on online banking, mobile wallets, and other digital financial channels, making stronger cyber defenses a key consumer protection issue.


