Cyber Resilience Initiative: Central Bank of the Philippines


The Central Bank of the Philippines (BSP) is harnessing regtech tools to drive cyber security goals. The BSP’s Advanced Suptech Engine for Risk-Based Compliance (ASTERisC*) is a pioneering cloud-based regtech and suptech solution that automates the central bank’s cyber security supervision while easing regulatory compliance for institutions.

Supervised institutions can submit reports, and the BSP has an industry-wide overview for proactive policy formulation and supervision. ASTERisC* generates real-time dashboards on threat intelligence, cyber profiles and compliance gaps, enabling the BSP to deploy early interventions.

Chuchi Fonacier, BSP

“We see the fast-evolving and sophisticated nature of cyber security threats,” Chuchi Fonacier, deputy governor of the financial supervision sector of the BSP, tells Central Banking. “And, as such, cyber security supervision must also step up to cope with the dynamic landscape.” The project started at the onset of the Covid-19 pandemic, which was a “challenging” yet “opportune” time as cyber attacks escalated.

From the outset, ASTERisC* was conceptualised in co-ordination with the banking industry. Onboarding 150 supervised financial institutions in 2022, the central bank is now expanding ASTERisC* to 600.

Last year also marked a significant year for the BSP’s cyber security policy journey. As well as issuing major policies on fraud management systems and digital security, the BSP introduced mobile app security scans to enhance supervisory processes, and assessments that show how easy it is for customers to reach a financial institution during an attack. With growing global concern around cyber security, the BSP prioritised supervisory reforms to strengthen industry cyber resilience.

“ASTERisC* puts the BSP at the forefront of achieving swift, co-ordinated and intelligence-driven cyber security supervision in tune with the evolving digital threat,” says Fonacier.

After authenticating and logging on to the system, the central bank issues cyber threat advisories. On the platform, the central bank creates digitised forms of its cyber policies. Once these are uploaded to the system, financial institutions perform their own cyber self-assessments. The BSP can quickly design and send questionnaires to obtain more detailed information, and responses can be standardised.

The system also supports profiling. As financial institutions submit their incident reports and IT profile templates, a scoring methodology is embedded into ASTERisC*. A series of studies conducted during development included work on the different factors that should form part of that profile – from simple, moderate to complex – and how closely the institution should be supervised.

Financial institutions are also required to report major cyber incidents and disruptions to the BSP within two hours. Previously this was conducted via email – now the process is automated. Again, a scoring methodology is embedded into the system. High-priority incidents can immediately be escalated to senior management.

The technology also presents real-time dashboards for cyber posture and maturity for each institution, as well as for the industry as a whole. Combined with incident reports coming in, the central bank can see high-risk areas of the system and may perform a virtual examination. There is an extraction facility where supervised institutions can conduct their own analyses based on reports submitted to the BSP.

The BSP seeks to institutionalise cyber resilience in the financial system as cyber threats accelerate. The BSP also collects data on critical third-party service providers, and sees ongoing risks from foreign threat actors. It also collaborates with other central banks to address national and global cyber threat concerns.

“Threat actors will continue the cycle of exploiting controls, systems and vulnerabilities,” says Fonacier. However, “with the ASTERisC* platform, the BSP can be more proactive in deploying early interventions and engaging relevant industry stakeholders.” As the BSP’s pioneering suptech and regtech platform and first external cloud initiative, ASTERisC* “serves as a monumental precedent for future digital initiatives of the BSP”.
