The Bangko Sentral ng Pilipinas on Tuesday asked banks and other financial institutions to become vigilant and build “multiple layers of defenses” in the wake of the recent ransomware attacks, or cyber-extortions.
Bangko Sentral Deputy Governor Nestor Espenilla Jr., who will succeed Amando Tetangco Jr. as governor in July, issued a memorandum warning domestic financial institutions about an increased risk of loss or unauthorized disclosure of proprietary or sensitive information, operational disruptions and financial losses because of ransomware attacks.
“Ransomware remains a viable threat that is expected to evolve to more sophisticated and destructive forms, such as crypto-ransomware. Web-based applications, including legitimate cloud-based services, are particularly vulnerable to this type of threat,” Espenilla said.
“In this regard, financial institutions are advised to heighten their vigilance and ensure that robust protection against ransomware is in place. Financial institutions should provide multiple layers of defenses by implementing appropriate controls at the host, network, and endpoint level to prevent and detect malicious codes,” he said.
Bangko Sentral said banks and other financial institutions should “refrain” from paying or communicating with suspected individuals as this “does not guarantee that ransomed or encrypted files will be released.” It said paying would only encourage these criminals’ illicit activities.
Bangko Sentral said institutions must apply the “least privilege” principle in granting access to all systems and services, and prohibit the download and use of unauthorized files and software and access to doubtful websites.
Banks are also encouraged to install and promptly update anti-malware software provided by reputable vendors, to carry out periodic vulnerability scanning, and to maintain effective patch management procedures for all systems and applications.
“To mitigate the potential catastrophic impact of ransomware attacks, financial institutions should ensure that adequate backup and recovery procedures…. are in place,” Bangko Sentral said.
Espenilla said any incidents involving cyber-extortion and other types of cyber-related crimes should be reported to Bangko Sentral and that, in some instances, institutions must seek the assistance of enforcement authorities for prompt resolution of the cases.
Espenilla, after his appointment by President Rodrigo Duterte last week as the next Bangko Sentral governor, said he would push for the expansion of the anti-money laundering law and relaxation of the deposit secrecy law in a bid to further protect the consumers and have a safe and stable financial system.
He said expanding the anti-money laundering law to include casinos was one of the biggest challenges he would face in his term.
In February 2016, cyber thieves stole $81 million from the account of the Bank of Bangladesh at the Federal Reserve in New York. The dirty money entered the local financial system through a Makati branch of Rizal Commercial Banking Corp. and was eventually laundered by a number of individuals in local casinos.
Espenilla said BSP has a critical role in preventing the entry of dirty money into the country.