November 25, 2017 | MANILA, PHILIPPINES

BSP warns banks on ‘ransomware’

THE BANGKO SENTRAL ng Pilipinas (BSP) has reminded banks and other financial entities to beef up their safeguards versus cyber-attacks, in light of a so-called global “ransomware” where hackers freeze computer systems and demand money to regain access to the machines and private data.


The central bank on Monday issued Memorandum M-2017-018 to lay out the guidelines for banks and financial entities in handling malware and ransomware, just days after the WannaCry virus broke out across some 150 countries.

The rules were first issued by BSP Deputy Governor Nestor A. Espenilla, Jr. internally to financial institutions in February, but have now been made public in the aftermath of the WannaCry cyber-attack, which is reported to be the “fastest-spreading” virus that has infected over 300,000 computers owned by factories, hospitals, shops, and schools worldwide.

Reuters reported that cybersecurity experts found ties between the WannaCry worm and North Korea’s Lazarus Group, which has been blamed for last year’s $81-million Bangladesh Bank heist and the cyber-attack on Sony Pictures in 2014.

Through the ransomware, hackers encrypt the files on an infected computer, rendering them unusable until the user settles ransom money through Bitcoin payments, or unregulated digital currency.

The BSP’s latest guidelines mandate banks to adopt “multiple layers of defenses” by installing controls at the host, network, and endpoint level in order to “prevent and detect” malicious codes which may be used by hackers to tap into internal systems and steal sensitive information.

The regulator also instructed the firms to limit access to files and software sourced from “doubtful” web sites, and suggested the use of advanced solutions like signature-less anti-malware programs to police abnormal patterns within networks and system traffic.

Adequate measures for back-up and recovery as well as periodic testing of systems must also be considered by the banks, alongside user education among employees, according to the central bank’s guidelines.

The BSP also told banks not to give in to demands made by the attackers, and instead told them to report cases of “cyber-extortion” to the BSP and to the police.

“If infected by a ransomware, BSFIs should refrain from paying or communicating with the malicious actor as this does not guarantee that ransomed and/or encrypted files will be released. Instead, paying ransom only encourages cyber criminals’ illicit activities,” the BSP’s issuance read.

“Additionally, ransomware attacks should be covered by an established and well-tested incident response plan and procedures.”

Mr. Espenilla said in a text message yesterday that while some local banks are “possible” targets of ransomware, none have been successfully attacked so far, noting that regulatory policies on cybersecurity likely minimized hacking risks among lenders.

“On top of the above-cited recommendations, BSFIs should continuously assess the cyber-threat landscape and adjust their information security programs, policies, processes, and capabilities accordingly,” the central bank added, even saying that financial firms may tap third-party service providers to help deter cyber-threats.

The BSP has been upgrading risk management rules to boost cybersecurity measures among banks, which include the adoption of multi-factor authentication and the creation of internal rules on social media use to raise the guards versus fraud and identity theft, to name a few. -- Melissa Luz T. Lopez