Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

A CERT that will respond to cyberattacks is required of every bureau, office, agency and instrumentality of the government.

For personal data protection, the NPC requires organisations to create a security incident management policy, which shall include:

  • conduct of a privacy impact assessment to identify attendant risks in the processing of personal data, which should take into account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
  • a data governance policy that ensures adherence to the principles of transparency, legitimate purpose and proportionality;
  • the implementation of appropriate security measures, which protect the availability, integrity and confidentiality of personal data being processed;
  • regular monitoring for security breaches and vulnerability scanning of computer networks;
  • capacity building of personnel to ensure knowledge of data breach management principles and internal procedures for responding to security incidents; and
  • a procedure for the regular review of policies and procedures, including the testing, assessment and evaluation of the effectiveness of the security measures.

Security measures are required to ensure the availability, integrity and confidentiality of the personal data being processed, such as implementation of backup solutions, access control and secure log files, encryption, data disposal and return-of-assets policy.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

The NPC requires all actions taken by a personal information controller or personal information processor to be properly documented by the designated data protection officer, should a personal data breach occur.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

BSIs must report breaches in information security, especially incidents involving the use of electronic channels. Depending on the nature and seriousness of the incident, the BSP may require the BSI to provide further information or updates on the reported incident until the matter is finally resolved. BSFIs must report major cyber-related incidents, such as those involving significant data loss or massive data breach, and disruptions of financial services and operations, to the BSP.

The Anti-Child Pornography Act requires internet service providers and internet hosts to notify the police authorities when a violation is being committed using its server or facility and preserve evidence of such violation.

The DPA requires personal data breach notification to the NPC.

Timeframes

What is the timeline for reporting to the authorities?

BSFIs must submit a report to the BSP within two hours of discovery of major cyber-related incidents and disruptions of financial services and operations, and a follow-up report within 24 hours from discovery. Companies engaged in the business of issuing access devices must submit an annual report to the Credit Card Association of the Philippines about access device frauds. Internet service providers and internet hosts must report any form of child pornography in their system to the police authorities within seven days of discovery. The NPC must be notified within 72 hours upon knowledge of, or the reasonable belief by, the personal information controller or personal information processor that a personal data breach has occurred.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Apart from the personal data breach notification to the data subject required by the NPC, there are no rules for reporting threats or breaches to others in the industry, customers or the public.