The Central Bank of the Philippines has amended its information technology risk management rules for banks and non-bank financial institutions to strengthen off-site cybersecurity surveillance and risk assessment. The changes replace the IT Rating System with the Supervisory Assessment Framework and introduce a Cybersecurity Maturity Framework supported by a Cybersecurity Control Self-Assessment requirement. The Cybersecurity Maturity Framework sets four maturity tiers, Foundational, Established, Managed and Optimized, and will be used to benchmark institutions’ cybersecurity practices across key control areas. Expected maturity outcomes are linked to IT profile classification, with simple institutions targeting Foundational to Established, moderate targeting Established to Managed, and complex targeting Managed to Optimized. For reporting, institutions must submit an annual IT Profile within 25 calendar days after year-end. Institutions that the central bank notifies as having a moderate or complex IT profile, or that are otherwise specifically identified, must also submit the Cybersecurity Control Self-Assessment annually by 31 March following the reference year. Submissions are to be made through the Advanced SupTech Engine for Risk-based Compliance platform. Detailed procedures for Cybersecurity Control Self-Assessment submission and maturity assessment will be set out in a separate regulatory issuance, and the initial Cybersecurity Control Self-Assessment will be due 60 calendar days after those reporting guidelines are released. The circular takes effect 15 calendar days after publication in a newspaper of general circulation.