By Mariedel Irish U. Catilogo, Researcher
THE Philippines’ banking and financial sector has long been a target of criminals. With the rapid shift to remote and hybrid working environments, which prompted people to maximize their digital transactions, threats to the financial sector continue to grow at a faster pace.
According to the Bankers Association of the Philippines (BAP), losses from bank fraud, such as unauthorized withdrawals or illegal transfers, reached P1 billion during the pandemic, making the volume of cybercrimes three times higher than before the coronavirus pandemic.
In an e-mail to BusinessWorld, the Bangko Sentral ng Pilipinas (BSP) said that while there are significant developments in its supervised financial institutions, it remains crucial to stay proactive in monitoring the threats surrounding the industry, as evolving cyber risks can weaken security posture and defenses.
“As noted in the BSP’s regular onsite examinations and surveillance activities, the banks’ risk management systems and capabilities in managing cybersecurity and technology risks are largely at par with generally accepted security standards and principles,” BSP said.
One of the recent hacking incidents that stirred controversy late last year was the one-time PIN (OTP) fraud involving local banking giant BDO Unibank, Inc. The attack involved 700 BDO account holders and Aboitiz-led UnionBank of the Philippines, Inc.
The incident began to unfold when numerous social media posts surfaced from BDO clients reporting a number of unauthorized transactions that used their accounts to make transfers to an account holder under UnionBank.
BDO said in an interview that the institution is committed to safeguarding its clients’ data, stating that cybersecurity remains its utmost priority in order to deliver its financial objectives. Despite the hacking incident, the Sy-led bank said that the incident had no material impact on the institution.
In a statement, the National Bureau of Investigation (NBI) said about P1.2 million was stolen, but it was believed that the criminal actors could have taken more than P50 million had the actions not been immediately tagged as suspicious.
“There has been a constant stream of cyberattacks in recent years, mostly external to bank systems (e.g. phishing), as cyber-criminals continue to evolve with the use of technology and more sophisticated tactics. However, we have been able to successfully detect, prevent, and remediate these attempted cyberattacks, as the case may be, with the robust cybersecurity defenses in place at the bank,” BDO said in an e-mail.
Moreover, BDO’s cybersecurity program uses a structured approach and follows international standards such as ISO 27001, the international information security standard, and the NIST Cybersecurity Framework.
“Our cybersecurity initiatives are a continuing process as we regularly enhance risk management systems to address developing cyber threats,” BDO added.
ON CREDIT RATINGS
For years, credit agencies have been monitoring banks’ creditworthiness in the region.
In a recent report, credit rating agency S&P Global Ratings said that the threat of cyberattacks is growing in Asia-Pacific, making industry-wide collaboration and cross-border information sharing crucial to strengthening the cybersecurity of banking systems.
S&P Global Ratings Associate Director Nikita Anand said in an e-mail interview that while the agency has not downgraded any banks in the Asia-Pacific region, including the Philippines, the impact of a cybersecurity incident could impede individual institutions, especially those that lack cybersecurity resilience.
“While we believe banks in the region are reasonably prepared to manage such risks, an institution could be badly damaged in an attack, monetarily and reputationally,” Ms. Anand said.
Notably, credit score downgrades can also apply to a whole country or economy. Ms. Anand said that in jurisdictions where the entire industry sustains a continuous run of data breaches, or where regulators are seen as lenient, the credit agency may downgrade its rating scores on all the banks within the jurisdiction.
Meanwhile, Fitch Ratings’ Asia-Pacific Financial Institutions Director Tamma Febrian said that despite the number of cyber incidents, including attacks on banks in the country, the debt watcher continues to see some room for improvement in building resilient cybersecurity.
“We understand that banks have been closing some of these gaps in response, and recent regulatory initiatives to bolster banks’ cyber risk frameworks such as the requirement to have real-time fraud monitoring system, should also instill greater awareness among banks to make cybersecurity a higher priority,” Mr. Febrian said in an e-mail.
The BSP, through Circular No. 1140, amended its requirements on the adoption of robust fraud management systems. This requires BSP-supervised financial institutions (BSFIs) to implement automated and real-time fraud monitoring and detection systems to identify and block suspicious or fraudulent online transactions.
“Given the prevalence of text scams and social engineering attacks targeting financial consumers, BSFIs understand the need to implement these requirements and are already undertaking the necessary actions to ensure their compliance. The BSP may impose corrective actions, sanctions, and applicable supervisory enforcement actions for BSFIs which failed to comply with the requirements,” the central bank said.
BDO, for its part, has earned favorable scores on various credit rating indicators. Among these indicators are liquidity and funding profile, asset quality, capital position, and financial performance.
“BDO’s credit ratings for Moody’s (Baa2) are already the same as sovereign ratings, while those from Fitch (BBB-) are just a notch below sovereign rating. The Bank’s credit ratings are investment grade and one of the highest among private banks,” BDO said.
Fitch Ratings’ Mr. Febrian also said that while no specific weight is assigned, the credit company considers cyber risk part of a bank’s broader risk control and risk profile, which translates to 10% of the total weight on the Viability Rating, or standalone credit profile, of a bank.
“Should we see material weakness in its cyber risk controls or evidence of repeat cyber risk attacks that would undermine the bank’s franchise and business performance, the bank’s risk profile could, however, carry a greater weighting or become a more constraining factor on the bank’s final viability rating,” Mr. Febrian added.
Most of the financial institutions that are supervised by the BSP were compelled to adopt and enhance their digital transformation initiatives. Given the banks’ dependence on outsourced third-party providers, the risks in information technology are likely to increase.
“This risk is expected to intensify with the growing complexity and criticality of outsourcing business functions. As such, it is crucial for BSFIs to put in place a robust vendor risk management system and integrate due diligence procedures to effectively manage third-party risk,” the BSP said.
The central bank added that the cybersecurity incident involving BDO emphasized the importance of multi-layer cybersecurity defense for financial institutions.
“The occurrence of similar incidents stressed the need for a robust and real-time fraud management system to mitigate the risks in case initial preventive measures fail or if threat actors find a way to bypass existing controls,” the BSP said.
Further, the BSP continues to extend its policy and supervisory reforms to engage banks and other financial institutions in strengthening their cybersecurity frameworks.
OUTLOOK
As new technology emerges, debt watchers consider cybersecurity risk issues as one of the most important factors in the assessment of banks’ credit ratings.
Fitch Ratings’ Mr. Febrian expressed a gloomy outlook, as he expects bank ratings to be more sensitive to movements in the sovereign rating (an independent assessment of the creditworthiness of a country when it borrows on the domestic and international financial markets) rather than to their preparedness for the future technological environment.
“This is because the Issuer Default ratings of all the banks rated by Fitch Ratings in the Philippines are driven by our expectation of sovereign support. The rising interest rate environment is also likely to have a larger bearing on the banks’ near-term financial performance, which we expect to favor their earnings but exert moderate pressure on their asset quality for the next one to two years,” Mr. Febrian said.
For S&P Global Ratings’ Ms. Anand: “We think it likely that cyber incidents will become more sophisticated, thus making them more difficult to handle. We therefore consider that the expansion of the organizational digital capabilities should be accompanied with strengthening and increasing the cyber defense and cyber risk management culture.”