2026-04-27

Circular No. 1232: Cybersecurity Maturity Framework and Cybersecurity Controls Self-Assessment Requirement

Bangko Sentral ng Pilipinas amended the Manual of Regulations for Banks and Non-Bank Financial Institutions to replace the IT Rating System with the Supervisory Assessment Framework and introduce the Cybersecurity Maturity Framework. This regulatory change mandates that Banks and Non-Bank Financial Institutions conduct periodic Cybersecurity Control Self-Assessments to benchmark their cyber resilience against four defined maturity tiers. The initial assessment must be submitted via the ASTERISC platform within sixty days of the release of reporting guidelines, with subsequent annual reports due by March 31.


Philippines

Bangko Sentral ng Pilipinas


BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE GOVERNOR

CIRCULAR No. 1232
Series of 2026
CORRECTED COPY

Subject: Cybersecurity Maturity Framework (CMF) and the Cybersecurity Controls Self-Assessment (CCSA) Requirement

The Monetary Board, in its Resolution No. 269 dated 31 March 2026, approved the amendments to Section 148 and Appendix 7 of the Manual of Regulations for Banks (MORB), Sections 147-Q/145-S/126-N and Appendices Q-3, S-2, and N-1 of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI), to strengthen information and cybersecurity off-site surveillance and risk assessment activities. These amendments are designed to reinforce the existing regulatory framework and enhance the cyber resilience of the banking and financial sector.

Section 1. Section 148 of the MORB and Sections 147-Q/145-S/126-N of the MORNBFI (Information Technology Risk Management), as amended by Circular No. 12/3 dated 30 May 2025, are hereby further amended to replace the IT Rating System with the Supervisory Assessment Framework (SAFr) used in assessing BSFIs and to incorporate the Cybersecurity Maturity Framework and Cybersecurity Control Self-Assessment (CCSA), and shall now read as follows:

148/147-Q/145-S/126-N INFORMATION TECHNOLOGY RISK MANAGEMENT

xxx

IT Profile Classification. xxx

xxx

All BSFIs are required to have periodic and rigorous self-assessment exercises using more robust data sets and variables as part of their information security risk management system.

Bangko Sentral Cybersecurity Maturity Framework (CMF). The Bangko Sentral establishes the Cybersecurity Maturity Framework (CMF) to support BSFIs in strengthening both institutional and sector-wide cyber resilience in light of increasing digitalization and the evolving threat landscape. Aligned with global standards, the CMF provides a structured approach for assessing and enhancing cybersecurity practices and capabilities across key control areas.

Cybersecurity is a critical component of the broader Information Security Risk Management (ISRM) framework, which focuses specifically on protecting digital systems, networks, and data from cyber threats. The CMF shall be complemented by the Cybersecurity Control Self-Assessment (CCSA) for benchmarking BSFIs' current activities, processes and guidelines, and planning for their target maturity. The assessment tool contains activity- and capability-based questions intended to reflect the BSFI's maturity in a particular control area and to gather cyber trends and practices. The Bangko Sentral shall evaluate the BSFI's cybersecurity maturity based on the CCSA and other supervisory activities, and assess the results according to the following maturity levels or tiers:

Tier/Level: Foundational
Brief description: The BSFI demonstrates minimal adoption of control requirements. Information security and cybersecurity risk assessments are ad hoc, inconsistently performed, or not yet integrated into business decisions. Governance structures are informal, and information security and cybersecurity priorities do not reflect the BSFI's risk appetite. The BSFI lacks awareness of its role in the financial ecosystem and does not routinely participate and collaborate in cyber information sharing activities.

Tier/Level: Established
Brief description: The BSFI establishes policies and procedures or guidelines appropriate to its IT risk profile and approved by the Board or relevant committee. Information security and cybersecurity controls address identified risks and provide baseline protection for customer information, systems, and operations. While implementation covers key business functions, integration is not yet fully consistent across all business units, strategic decisions, and third-party engagements. Information security and cybersecurity priorities are guided by the BSFI's risk appetite, risk environment, and business objectives. The BSFI recognizes its role in the financial ecosystem and participates in information-sharing forums but may not consistently share information with other participants.

Tier/Level: Managed
Brief description: The BSFI demonstrates full adoption of relevant applicable requirements and conducts regular assessments of control effectiveness. Information security and cybersecurity considerations are consistently integrated across the business units, and critical risk management processes are mostly automated and subject to continuous improvement. Senior Management systematically incorporates information security and cybersecurity risks in decision making. Information security and cybersecurity priorities are reassessed when there are changes in business objectives, threats, or the technology landscape. The BSFI actively collaborates with sector participants and routinely shares relevant information within the financial ecosystem.

Tier/Level: Optimized
Brief description: The BSFI fully adopts requirements and continuously enhances its risk management framework using lessons learned and a comprehensive set of leading, lagging, and predictive risk indicators. Advanced security tools, technologies, and adaptive capabilities are used to proactively identify and respond to emerging threats. Information security and cybersecurity risks are fully embedded in strategic planning and enterprise decision-making, with the Board and Senior Management overseeing cyber risks alongside financial and other organizational risks. The BSFI demonstrates mature financial ecosystem awareness and contributes thought leadership to information-sharing communities. The BSFI maintains a robust threat intelligence capability and proactively shares actionable intelligence with relevant domestic and international stakeholders.

Consistent with a risk-based approach to controls implementation, BSFIs are expected to achieve the maturity tiers in line with their risk profile, as outlined below. BSFIs are encouraged to continuously enhance their cybersecurity capabilities and implement more advanced controls.

IT Profile Classification    Cyber Maturity Tiers/Levels
Simple                       Foundational to Established
Moderate                     Established to Managed
Complex                      Managed to Optimized

Definition of Terms. xxx

xxx

Reporting and notification standards. xxx

(1) Periodic Reports. BSFIs shall electronically submit the following reports, as listed in Appendix 7/Q-3/S-2/N-1, to the appropriate supervising department of the Bangko Sentral:

(i) Annual IT Profile - within twenty-five (25) calendar days after the end of the reference year.

(ii) Cybersecurity Control Self-Assessment (CCSA) - on or before the 31 March following the end of the reference year, for BSFIs notified by the Bangko Sentral as having a moderate and complex IT Profile and other BSFIs specifically identified by the Bangko Sentral.

a. Reporting requirement. xxx

Section 2. Appendix 7 of the MORB, as amended, on the Reports Required of Banks, and Appendices Q-3/S-2/N-1 of the MORNBFI, as amended, on the List of Reports Required of Quasi-Banks/NSSLAs/NBFIs, are further amended as shown in Annex A of this Circular to reflect the submission of the cybersecurity control self-assessment.

Section 3. Reporting Guidelines. Detailed procedures and guidelines on the submission of the CCSA through the Advanced SupTech Engine for Risk-based Compliance (ASTERisC) platform, as well as the maturity assessment, shall be covered in a separate regulatory issuance. To prepare and familiarize BSFIs with the new requirement, the submission of the initial CCSA shall be due sixty (60) calendar days from the release of the reporting guidelines.(1)

Section 4. Effectivity Clause. This Circular shall take effect fifteen (15) calendar days following its publication in any newspaper of general circulation.

April 2026

FOR THE MONETARY BOARD:

ELI M. REMOLONA, JR.
Governor

(1) To be incorporated as a footnote to Appendix 7 of the MORB/Appendices Q-3, S-2, and N-1 of the MORNBFI in relation to the Cybersecurity Control Self-Assessment.

Annex A

a. Appendix 7 of the MORB (REPORTS REQUIRED OF BANKS)
   UBs/KBs/Digital Banks/TBs/RBs/...

   Category: xxx
   Form No.: Unnumbered
   MOR Ref.: Section 148
   Report Title: Cybersecurity Control Self-Assessment
   Frequency: Annually
   Submission Deadline: 31st of March after end of reference year
   Submission Procedure/e-mail Address: Via ASTERisC

   xxx

b. Appendix Q-3/S-2/N-1 of the MORNBFI (LIST OF REPORTS REQUIRED OF QUASI-BANKS/NSSLAs/NBFIs)

   Category: xxx
   Form No.: Unnumbered
   MOR Ref.: Section 147-Q or 145-S/126-N
   Report Title: Cybersecurity Control Self-Assessment
   Frequency: Annually
   Submission Deadline: 31st of March after end of reference year
   Submission Procedure/e-mail Address: Via ASTERisC

   xxx