Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As mentioned in question 1, the DICT recommends optional security controls for CSPs to host classes of government data. With respect to government agencies that process the personal data records of more than 1,000 individuals, the NPC recommends the use of ISO/IEC 27002 as the minimum standard to assess any gaps in the agency’s control framework for data protection.

How does the government incentivise organisations to improve their cybersecurity?

Under the NCP2022, the DICT aims to raise the business sector’s awareness of cyber risks, security measures and possible public-private partnerships for improving cybersecurity. The government has not yet introduced specific incentives for organisations to improve their cybersecurity.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

See question 3.

Are there generally recommended best practices and procedures for responding to breaches?

BSP Circular No. 1019 (2018) prescribes technology and cyber-risk reporting and notification requirements for BSFIs. The Circular provides procedures for reporting to the BSP major cyber-related incidents, such as those involving significant data loss or massive data breach, and disruptions of financial services and operations.

NPC Circular No. 16-03 provides guidelines for personal data breach management, requiring organisations to implement a security incident management policy to ensure:

  • the creation of a data breach response team, which will be responsible for implementing the policy;
  • implementation of organisational, physical and technical security measures, and of policies to prevent or minimise personal data breaches and assure timely discovery of the same;
  • implementation of an incident response procedure;
  • mitigation of negative consequences to data subjects; and
  • compliance with all laws and regulations on data privacy.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

None as of yet, although the NCP2022 aims to use organisation reports to develop cybersecurity measures and to promote the sharing of information between the government and the private sector.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The DICT is creating technical working groups to review existing cybersecurity courses and develop new ones, with a view to integrating them into the curricula of engineering, computer science, information technology, law and criminology programmes. The NCP2022 lists the establishment of programmes among CERTs, law enforcement, academia and industry as one of the government’s key initiatives.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Only a few insurance companies so far offer insurance covering data security breaches, network interruption and cyber extortion, as well as fines resulting from breaches of administrative obligations relating to cybersecurity.