The Philippine government is drafting a circular that will require regulated entities to create data security models amid the increased risk of cyber-related threats. In a document uploaded to its website, the nation’s Securities and Exchange Commission (SEC) requested comments on a draft circular that would mandate registered companies to create cybersecurity frameworks and data security teams.
The Commission defined regulated entities as all broker-dealers, asset managers, transfer agents, self-regulatory organisations and entities that have secured secondary licences from the SEC.
Under the draft circular, cybersecurity shall mean all activities that can lessen the effects of cyber risks. These activities include identifying, detecting and responding to such risks. It shall also refer to the procedures and methods that protect data from being compromised.
Part of the obligation of regulated entities under the cybersecurity framework is to identify critical assets, as well as their risk management and surveillance systems. To do this, entities must make an inventory of their software and hardware equipment. They may also engage partners or third parties for routine security assessments.
Establishment of an information security group
Once finalised, the circular shall mandate regulated bodies to create an information security group. It shall be a separate entity from the regulated body’s information technology teams.
The Commission added that the data security team shall be led by a chief information security officer (CISO). The CISO’s role will be to oversee the cybersecurity framework and “ensure the confidentiality, integrity, and availability of information” of the regulated body. The CISO shall also coordinate closely with security managers, with the goal of implementing a functional security plan and a long-term operations strategy.
One of the roles of the data security team is external and internal monitoring of data traffic. Doing this would allow it to track any unusual access to confidential data. In addition, the team may conduct a workforce assessment, which may include proper screening of employees as well as of third-party vendors and contractors.
In anticipation of critical cyber-related threats, regulated entities must formulate an incident response plan. Business continuity plans and disaster recovery initiatives must likewise be prioritised. The security framework shall include communication plans to inform stockholders of the effects of cyber threats and their magnitude. Drills in anticipation of a critical cyber threat may also be conducted, as required under the framework. A business impact analysis shall also be indispensable.
In order to recover quickly from any cyberattack, the SEC suggested that a disaster recovery plan (DRP) must be well integrated into the information security framework. This is a written plan outlining the steps to recover data systems at an alternative facility after an incident of hardware or software failure. The DRP may be referred to in cases of destruction of company facilities or equipment. This usually applies to major service disruptions that deny any access to the primary data infrastructure for an extended period of time. It addresses system disruptions that will require relocation.
This announcement by the SEC of the new requirement aimed at fighting cybercrime comes after news of a data hack of the Solicitor General’s website. The latest data breach showed that the government remains vulnerable to cyber risks.
The country remains committed to integrating innovative strategies with government services. As earlier reported by OpenGov Asia, Congress has doubled the nation’s 2021 budget for the National Broadband Program of the Department of Information and Communications Technology. The NBP is expected to boost internet connectivity and in the long run, generate more investments by improving the ease of doing business in the country.