October 1, 2023

The Securities and Exchange Commission has advised corporations to strengthen their cybersecurity as more Filipinos turn to digital transactions amid the Covid-19 pandemic.

The SEC on June 9 issued a notice encouraging corporations to assess their exposure to cybersecurity risks and craft policies and measures, in light of reports of hacking incidents.

“Digital transformation benefits businesses, allowing them to improve their productivity and realize greater efficiencies, but not without risks,” SEC Chair Emilio B. Aquino said.

The Covid-19 pandemic has amplified the advantages of digital technologies, as companies shifted to low-touch and online-only services in response to the stringent physical distancing and quarantine measures imposed across the world.

In the Philippines, digital technologies have allowed some companies to sustain their operations while the country was placed under enhanced community quarantine. As digital transactions increased, however, reports of phishing attempts, data breaches and other cyber attacks likewise emerged.

“Cybersecurity is more than an IT matter,” Aquino said. “It is a corporate governance issue that companies should give serious attention to and proactively manage, as cyber attacks could damage their reputation, disrupt their operations, and eventually jeopardize their profitability and enterprise value.”

The SEC urged the boards of directors and senior management teams, in particular, to ensure they understand and can effectively confront the cybersecurity risks faced by corporations.

The SEC has been advocating cybersecurity and data privacy in the corporate sector, integrating best practices and standards in various rules and regulations.

For one, the corporate governance codes issued by the SEC recommend that companies’ boards establish audit committees, whose duties and responsibilities include the monitoring and evaluation of the security of information assets.

In the capital market, the SEC requires broker dealers, exchanges, clearing agencies, securities depositories and other participants to have a comprehensive information technology plan, pursuant to the 2015 Implementing Rules and Regulations of the Securities Regulation Code.

Capital market participants are further mandated to subject their IT, business continuity and disaster recovery plans, and risk management systems to regular review and audit by independent firms.

In 2016, the SEC also required capital market participants to report their compliance with data privacy and protection regulations. The Data Privacy Act of 2012, for one, requires organizations both in the government and the private sector to develop their privacy manuals. – Press release