The Philippine Securities and Exchange Commission has exposed for comment a draft memorandum circular that would set expectations for regulated capital market entities to establish and maintain a cyber resilience framework, covering governance, incident response and disclosure of material cyber incidents. The draft would apply to publicly listed companies, broker-dealers, investment houses, exchanges, self-regulatory organizations, clearing agencies, securities depositories, transfer agents and similar participants. Minimum requirements include an enterprise risk management-aligned framework with a board-approved cyber resilience strategy, defined cyber risk tolerance, clear accountability across the board and management, and procedures to identify, contain, analyze, eradicate, recover from and learn from cyber incidents. Covered entities would also be required to establish a Computer Emergency Response Team with at least three personnel led by a Chief Information Security Officer, manage third-party service provider risks (including reliance on third-party-owned critical information infrastructure), comply with data privacy requirements, adopt information-sharing protocols, and submit, at least every two years, an authenticated cybersecurity audit and risk assessment conducted by a provider recognized by the Department of Information and Communications Technology, retaining reports for at least five years. The draft would require disclosure to the SEC within five days of a cyber incident determined to be material, including events that could reasonably be expected to materially affect investor decisions and those involving a change of 10% or more in the entity’s financial condition or results of operations. Comments are due by 16 January 2026, and the draft text provides for effectivity 15 days after publication and a transition period of at least one year from effectivity for compliance.