The Central Bank of the Philippines issued recommendations for Bangko Sentral-supervised institutions to manage emerging cybersecurity risks from frontier artificial intelligence systems. It warned that such systems can identify software vulnerabilities, generate exploit pathways and execute multi-stage cyberattacks with minimal human intervention, creating a more adaptive and scalable threat environment for financial institutions, third-party service providers and critical infrastructure. Institutions are told to ensure that cybersecurity and technology risk management frameworks, together with basic cyber hygiene, remain robust against faster and more sophisticated AI-enabled threats. The recommendations focus on stronger visibility and control across the attack surface, including current inventories of externally reachable assets, cloud services, identities, critical applications and software dependencies, including third-party and open-source components. They also call for stronger foundational controls such as credential hygiene, Multi-Factor Authentication for critical systems and assets, least-privilege access, device hardening, micro-segmentation, zero trust controls, faster patching, replacement or upgrade of end-of-life systems and reduced unnecessary internet exposure. For administrative and privileged access, the memo recommends hardware-backed MFA such as FIDO2 or WebAuthn keys, smart cards or certificate-based authentication, and says knowledge-based passwords and communication-based SMS or push authentication should be discontinued for those uses. Institutions are further advised to adopt AI-enabled defensive tools for patch management, threat hunting, exposure management and security orchestration, use virtual patching to block exploit paths, and review business continuity management and plans for AI-enabled threats. The memo says these recommendations complement existing risk-based information technology and cybersecurity requirements under the Manual of Regulations for Banks and the Manual of Regulations for Non-Bank Financial Institutions. It also recommends that supervised institutions formally develop an AI governance framework proportionate to their AI systems, operational complexity and risk profile, following the principles set out in BSP Memorandum No. M-2026-031 dated 24 June 2026.
Central Bank of the Philippines2026-07-06
Central Bank of the Philippines issues frontier AI cyber risk recommendations including hardware-backed MFA for privileged access
The Central Bank of the Philippines issued guidance for supervised institutions on managing cybersecurity risks from frontier AI systems that could automate vulnerability discovery and multi-stage attacks. It recommends stronger attack-surface visibility, zero trust and patching controls, hardware-backed MFA for privileged access with passwords and SMS or push methods discontinued for that purpose, AI-enabled defensive tools, business continuity reviews and institution-specific AI governance frameworks.