Philippine banks should look beyond mere regulatory compliance and use a new Bangko Sentral ng Pilipinas (BSP) requirement to fix actual gaps in their defenses, global cybersecurity firm Kaspersky said Wednesday.
The BSP introduced new rules governing cybersecurity oversight for banks and financial institutions in the country.
Under BSP Circular No. 1232, the central bank replaced its old rating system with the Supervisory Assessment Framework (SAFr), which introduces the Cybersecurity Control Self-Assessment (CCSA) as a key compliance tool. All BSP-supervised financial institutions (BSFIs) must now regularly measure and report on the strength of their cybersecurity practices.
“The Philippine government is taking concrete steps to raise the bar for cybersecurity across the financial system, and banks must move with the same urgency. Compliance is no longer a box to tick. Institutions that use the CCSA to drive real improvements will not only meet regulatory expectations but will be far better positioned to defend their customers against the growing threat landscape,” Kaspersky director of government affairs and public policy for Asia Pacific Heng Lee said.
The timing is pressing for local institutions. A 2025 report by the Security Operations Center Capability Maturity Model (SOC-CMM) found that 58 percent of organizations globally fall short of their own maturity targets, a gap the cybersecurity firm expects the new BSP framework to expose among local banks.
To make the most of the new requirement, Kaspersky said banks should treat CCSA results seriously. When assessments reveal a gap in SOC maturity, detection capabilities, or incident response readiness, institutions should treat it as an action item rather than just a regulatory disclosure.
The cybersecurity firm recommended that banks look deeper than what the BSP requires. While the CCSA establishes a baseline, internationally recognized tools like the SOC-CMM measure security maturity more granularly across people, processes and technology. Banks that benchmark against both will have a clearer picture of their actual security posture.
Kaspersky also flagged a common trap: many security operations centers are built to react rather than prevent, processing large volumes of alerts without addressing the root cause of poor detection quality. Financial institutions that use the CCSA to identify and fix this pattern will see the most meaningful gains.
The firm urged banks to rethink how they measure performance. Speed — how fast alerts are triaged or incidents are closed — should not be the sole yardstick. Detection quality and the overall resilience of a security program matter just as much, and Kaspersky said these metrics serve as the strongest evidence of compliance under the new BSP framework.






