Banks face cyber reckoning under brutal new BSP rules

Philippine banks are being urged to do more than just comply with a new cybersecurity regulation. They need to use it to fix real gaps in their defenses.
This was the message of global cybersecurity firm Kaspersky as the Bangko Sentral ng Pilipinas (BSP) introduced new rules governing the cybersecurity oversight of banks and financial institutions in the country.
“The Philippine government is taking concrete steps to raise the bar for cybersecurity across the financial system, and banks must move with the same urgency. Compliance is no longer a box to tick. Institutions that use the CCSA to drive real improvements will not only meet regulatory expectations but will be far better positioned to defend their customers against the growing threat landscape,” said Heng Lee, Kaspersky’s Director of Government Affairs and Public Policy for Asia Pacific.
Under BSP Circular No. 1232, the central bank replaced its old rating system with the Supervisory Assessment Framework (SAFr), which introduces the Cybersecurity Control Self-Assessment (CCSA) as a key compliance tool. All BSP-supervised financial institutions (BSFIs) are now required to regularly measure and report on the strength of their cybersecurity practices.
Kaspersky said the timing could not be more pressing. A 2025 report by the Security Operations Center Capability Maturity Model (SOC-CMM) found that 58 percent of organizations globally are already falling short of their own maturity targets, a gap the firm expects the new BSP framework to expose among local banks.
The company then laid out how banks can make the most of the new requirement. For starters, Kaspersky said banks must take their CCSA results seriously. When the assessment reveals a gap, whether in SOC maturity, detection capabilities, or incident response readiness, it should be treated as an action item, not just a regulatory disclosure.
Banks should also go deeper than what the BSP requires. While the CCSA establishes a baseline, internationally recognized tools like the SOC-CMM measure security maturity more granularly across people, processes, and technology. Banks that benchmark against both will have a far clearer picture of where they actually stand.
The firm also flagged a common trap: many security operations centers are built to react rather than prevent, processing large volumes of alerts without addressing the root cause of poor detection quality. Kaspersky said institutions that use the CCSA to identify and fix this pattern will see the most meaningful gains.
Finally, Kaspersky said banks need to rethink how they measure performance. Speed – how fast alerts are triaged or incidents are closed – should not be the only yardstick. Detection quality and the overall resilience of a security program matter just as much, and these metrics, the firm noted, also serve as the strongest evidence of compliance under the new BSP framework.
