
Breaking banks to make them stronger: inside financial VAPT


By Pierce Oel A. Montalvo, Researcher

FORGET STEEL VAULTS — today’s financial industry is built with code, and security is a high-stakes game of who finds the digital backdoor first.

The fintech industry continues to expand. Data from the Bangko Sentral ng Pilipinas (BSP) showed that digital transactions grew to 55.3% of the total retail transaction value in 2023 from 40.1% in 2022, signaling a growing acceptance of digitalization among consumers.

Similarly, the central bank resumed accepting digital banking license applications effective Jan. 1, 2025, now allowing four more digital banks to operate in the Philippines.

Amid rapid growth, financial institutions in the Philippines continue their race to fortify their digital operations. The BSP has reinforced its cybersecurity stance through Memorandum M-2024-029, which provides detailed guidelines for financial institutions following the implementation of the Anti-Financial Account Scamming Act (AFASA) in July 2024.

The AFASA law was only a glimpse of what was to come in the 2024-2029 Financial Services Cyber Resilience Plan (FSCRP), a roadmap for the Philippine financial ecosystem’s security, launched August last year.

“It’s our commitment to creating a robust, secure, and resilient financial system that can withstand cyber incidents and recover quickly from them,” BSP Governor Eli M. Remolona, Jr. said at the launch of the FSCRP.

Deep Web Konek, a cybersecurity advocacy group based in Manila, said that Philippine banks are becoming more proactive in their cybersecurity efforts.

Its coverage of breaches and threat intelligence shows that data from a myriad of Philippine companies continues to be leaked and sold in dark web markets — including banking credentials.

“This indicates gaps in detecting and mitigating breaches before fraud occurs,” the group said in an e-mail interview.

Considering these breaches, Philippine banks have made progress in strengthening their cybersecurity, adopting measures like penetration testing and red teaming, the group added.

A key component among the requirements listed in the M-2024-029 memo is a mandatory Vulnerability Assessment and Penetration Testing (VAPT), which must be performed to ensure Bangko Sentral-supervised financial institutions (BSFIs) maintain a proper Information Security Program.

“However, inconsistencies remain, and not all institutions rigorously implement these defenses,” Deep Web Konek said.

“Some banks pass security audits but remain vulnerable to real-world attacks, especially through social engineering and application programming interface exploits.”

While banks and financial service providers rush to digitize their operations, the challenge lies in ensuring their security measures keep pace with innovation. This dynamic has spurred both banks and cybersecurity firms in the Philippines to strengthen local VAPT capabilities, recognizing it as a critical aspect of modern financial security.

WHAT IS VAPT?

The finance industry continues to be compromised. IBM’s X-Force Threat Intelligence Index showed finance and insurance ranked second among targeted sectors in 2023, accounting for 18.2% of cyberattacks globally.

Locally, cybercrime complaints have tripled to 10,004 reported cases in 2024, totaling almost P198 million in losses among cybercrime victims, data from the Cybercrime Investigation and Coordinating Center showed.

Cyber fraud losses among BSFIs also soared by 212% year on year in 2023, with account takeovers, identity theft, and phishing accounting for almost 60% of total cases, according to the BSP.

These figures underscore the growing necessity of ensuring, through rigorous testing, that banks are safe.

“VAPT requires a risk-based approach to effectively identify and mitigate security vulnerabilities,” said the BSP in an e-mail statement.

The BSP Manual of Regulations for Banks requires these tests for BSFIs. Vulnerability assessments (VA) refer to the identification of security vulnerabilities in systems and networks using automated vulnerability scanners.

Meanwhile, penetration testing (PT) involves subjecting systems or networks to simulated or real-world attacks that exploit vulnerabilities under controlled conditions. Both terms are often jointly referred to as “VAPT.”

“This risk-based approach tailors cybersecurity assessments to the unique complexities of each BSFI’s IT operations,” it added.

“VAPT is a way for banks to ensure that the systems and applications they roll out to serve customers are being audited by a third party or an external provider, to ensure that the features or applications they roll out are secure,” Secuna Software Technologies, Inc., a cybersecurity firm that offers penetration testing, said in a video interview.

BSFIs with digital or electronic financial services are also required to conduct VAPT tests at least annually.

“Meeting the annual VAPT requirement involves careful planning, allocation of resources and execution,” the Philippine National Bank’s (PNB) Office of the Chief Information Security Officer (CISO) and Data Privacy Officer (DPO) said in an e-mail interview.

“Each activity should be properly scheduled including assigning of champions and determining the scope of review, required tools, connectivity to the systems and credentials to be used in the testing.”

“BSFIs must ensure providers have the necessary expertise to meet their operational and security needs,” said the central bank.

To make sure banking operations are not affected during VAPT exercises, separate setups are often employed to prevent tests from interfering with the bank’s critical systems.

Otherwise, attack simulations and exercises would be employed during non-critical days and hours, said Red Rock IT Security, a cybersecurity service provider.

“It’s also important to have backups and extra systems in place, so that in case of any setbacks, systems can be recovered quickly, minimizing downtime and potential data loss,” it said in an e-mail interview.

Carlos T. Tengkiat, CISO of Rizal Commercial Banking Corp. (RCBC), said that business units within the scope of VAPT exercises also require coordination.

“These include provisioning of test accounts, personnel to do a walkthrough of the system, and allocation of resources to address any findings that may come of the exercise,” he said in an e-mail interview.

During the VAPT exercise, which could last upwards of a month, banks and cybersecurity firms cooperate with one another to find critical flaws in the bank’s systems, recommend changes, and implement solutions — all happening within a set timeframe.

“Vulnerabilities are assessed on their impact. These are then addressed based on the criticality of the systems involved,” Mr. Tengkiat said.

The PNB’s Office of the CISO/DPO added that remediation of the vulnerabilities is a collaborative effort between the business owner, Infosec and IT team.

“This requires remediation planning, analysis, testing, deployment and validation if the fix deployed resolved the issue.”

Considering these extensive measures, VAPT exercises help banks reach global standards in security, strengthening consumer trust.

“Financial institutions must adhere to regulatory and international compliance requirements to follow cybersecurity best practices,” Justin David G. Pineda, president of Pineda Cybersecurity, said in an e-mail interview.

Red Rock stated that institutions are implementing stronger and more reliable practices such as adhering to the CIS Critical Security Controls, a globally recognized benchmark for the implementation of safeguards for various systems.

“Global benchmarks, like the Penetration Testing Execution Standard (PTES) and Open Worldwide Application Security Project (OWASP), are available for reference,” said the BSP.

The central bank added that it does not accredit VAPT providers for BSFIs.

“Instead, it requires BSFIs to conduct due diligence using a risk-based approach when selecting service providers.”

VULNERABILITIES

Through VAPT exercises, banks can work on preventing discovered exploits in their systems, ensuring that their services are secure. In the industry, cybersecurity firms continue to discover common vulnerabilities in the financial industry.

Mr. Pineda said that his firm usually finds vulnerabilities in unpatched workstations and servers, with updates available that have yet to be implemented.

“Unfortunately, vulnerabilities with critical severity can severely damage IT assets and exfiltrate confidential and highly confidential data.”

He also added that parameter tampering is a common vulnerability they still observe in financial apps and sites.

“For example, you may send money supposedly worth P100 but modify it to P10,000 using tools. If successful, the data sent may be different, or you may even send money more than what you have in your account,” Mr. Pineda said.

Likewise, Red Rock said that security features like one-time passwords (OTPs) were observed to be vulnerable points.

“There are instances such as the misconfiguration of OTP implementations which disrupt the intended process allowing the OTP to be bypassed or manipulated to even be received by the attackers.”

It has highlighted several other security vulnerabilities, ranging from broken access controls that enable unauthorized account access to insufficient input validation that could allow balance manipulation through negative amounts.
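As an added example (not code from the article or from any of the firms quoted in it), the flawed transfer handler below applies the client-supplied amount and account identifiers exactly as posted, which is the parameter tampering Mr. Pineda describes and the negative-amount balance manipulation and broken access control Red Rock lists. The hardened handler beside it re-derives every security decision on the server: the amount is parsed as a decimal and must be positive, capped and limited to two decimal places; the session user is taken from the authenticated session rather than the request; and ownership and balance are checked before any ledger change. The account names, balances, per-transaction cap and the names `TransferError` and `rejection_reason` are constructed for this example.

```python
"""Server-side validation of a funds-transfer request (added example)."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Account:
    owner: str        # authenticated user who is allowed to debit this account
    balance: Decimal


class TransferError(Exception):
    """Raised by the hardened handler when a request fails validation."""


MAX_TRANSFER = Decimal("1000000.00")  # constructed per-transaction cap


def make_ledger():
    """Constructed sample ledger: account id -> Account."""
    return {
        "acct-alice": Account("alice", Decimal("100.00")),
        "acct-bob": Account("bob", Decimal("50.00")),
    }


def transfer_flawed(ledger, request):
    """Flawed handler: applies whatever the client posted.

    No ownership check, no sign check, no balance check, so a tampered
    amount (including a negative one) moves money the sender does not
    have or does not own. Kept here only to contrast with the hardened form.
    """
    src = ledger[request["src"]]
    dst = ledger[request["dst"]]
    amount = Decimal(str(request["amount"]))
    src.balance -= amount
    dst.balance += amount
    return src.balance


def transfer_hardened(ledger, session_user, request):
    """Hardened handler: every decision is re-derived on the server.

    `session_user` must come from the authenticated session, never from the
    request body. Returns the new source balance or raises TransferError.
    """
    try:
        amount = Decimal(str(request["amount"]))
    except (InvalidOperation, KeyError, TypeError, ValueError):
        raise TransferError("amount is not a valid number")
    # is_finite() is checked first: ordering comparisons on NaN would raise.
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be a positive number")
    if amount > MAX_TRANSFER:
        raise TransferError("amount exceeds the per-transaction limit")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount must have at most two decimal places")
    src = ledger.get(request.get("src"))
    dst = ledger.get(request.get("dst"))
    if src is None or dst is None:
        raise TransferError("unknown account")
    if src is dst:
        raise TransferError("source and destination must differ")
    if src.owner != session_user:  # closes the broken-access-control hole
        raise TransferError("session user does not own the source account")
    if src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def rejection_reason(ledger, session_user, request):
    """Convenience wrapper: the validation failure message, or None on success."""
    try:
        transfer_hardened(ledger, session_user, request)
    except TransferError as exc:
        return str(exc)
    return None
```

The hardened handler rejects before touching the ledger, so a failed request leaves balances unchanged; in a real deployment the same checks would run inside a database transaction so that the balance test and the debit cannot be separated by a concurrent request.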

Additionally, it has identified a lack of security awareness training that leaves organizations vulnerable to phishing and social engineering attacks.
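The OTP weaknesses Red Rock describes above (codes that can be bypassed, manipulated, or delivered to an attacker) come down to a few server-side controls being absent. The verifier below is an added example, not code from the article or from any firm quoted in it; it shows those controls together: the code expires, is single-use, is bound to one user and one transaction, is limited to a small number of guesses, is compared in constant time, is never returned to the caller, and is delivered only to the contact enrolled on the server, so a destination supplied in the request cannot redirect it. The class name, the enrolled-contact map and the `send` hook are hypothetical.

```python
"""Hardened one-time-password (OTP) handling for a transaction step (added example)."""
import hashlib
import hmac
import secrets
import time


class OtpVerifier:
    def __init__(self, enrolled_contacts, ttl_seconds=180, max_attempts=3, clock=time.time):
        # enrolled_contacts: user -> verified phone/e-mail held by the bank.
        # This server-side record is the only delivery destination ever used.
        self._enrolled = dict(enrolled_contacts)
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable for testing expiry
        self._pending = {}   # (user, txn_id) -> {"digest", "expires", "attempts"}

    def issue(self, user, txn_id, send):
        """Generate a fresh 6-digit code for (user, txn_id) and hand it to `send`.

        `send(destination, code)` is the delivery hook (SMS or e-mail gateway).
        The destination comes from enrollment, never from the request, and the
        code is not returned to the caller, so an API response cannot leak it.
        """
        if user not in self._enrolled:
            raise KeyError("user has no enrolled OTP contact")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, txn_id)] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        send(self._enrolled[user], code)

    def verify(self, user, txn_id, candidate):
        """Return True exactly once, for the right code, within its lifetime."""
        key = (user, txn_id)
        entry = self._pending.get(key)
        if entry is None:
            return False  # nothing issued for this user/transaction pair
        if self._clock() > entry["expires"]:
            del self._pending[key]
            return False  # expired: the user must request a new code
        if entry["attempts"] >= self._max_attempts:
            del self._pending[key]
            return False  # guess limit reached: invalidate, force re-issue
        entry["attempts"] += 1
        digest = hashlib.sha256(str(candidate).encode()).hexdigest()
        if hmac.compare_digest(digest, entry["digest"]):
            del self._pending[key]  # single use
            return True
        return False
```

Binding the code to the transaction id is what stops a code obtained for one action from approving another; the attempt counter and expiry together bound the number of guesses an attacker gets against a six-digit space.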

Based on its evaluations of clients from the financial industry last year, Secuna has observed injection attacks, where malicious actors submit crafted input through ordinary text fields, giving hackers an entry point into a bank’s database.

It has also observed access control issues where users can access unauthorized areas or data, and authentication and session management issues where login systems and user sessions are not properly secured.

Additionally, Secuna’s data revealed information disclosure issues where sensitive data is unintentionally exposed, and security misconfigurations where systems are set up with weak or incorrect security settings.

SETBACKS

While VAPT exercises help banks identify and patch vulnerabilities in their systems, the process itself isn’t immune to challenges. The effectiveness of these security assessments often depends on complex interactions between the banks’ existing infrastructure and the cybersecurity firms’ testing capabilities.

In a double bind, cybersecurity firms can be hindered by their own clients’ technological shortcomings, which limit the tools the firms can deploy and the reliability of the results they use to diagnose vulnerabilities.

For Red Rock, a common challenge is the lack of usable logs for investigation — “akin to investigating a crime scene without any security camera footage to review.”

It also said that while capturing system snapshots is the crucial next step after a security incident, it frequently encounters cases where the relevant computers have already been wiped clean.

“In this instance, it would be comparable to investigating a crime wherein the victims’ bodies were already disposed of and missing,” Red Rock said.

Meanwhile, Mr. Pineda said that despite outlining clear requirements and prerequisites during the planning and scoping phase, some clients attempt to proceed with incomplete data and setup due to the resource-intensive nature of the preparation process.

Another challenge for the firm is the depth of the assessment.

“In VAPT, you usually try to simulate what an attacker would actually do,” Mr. Pineda said. “However, in actual testing, the customer will sometimes halt intrusive tests, which may affect the quality and results of the tests.”

Secuna identified slow vulnerability remediation as a widespread challenge across all sectors, not just finance.

It added that despite offering a month of unlimited retesting and validation services to verify their clients’ security fixes, organizations often fail to address all identified vulnerabilities within this timeframe, even though such security issues demand urgent attention.

“It’s pretty much obligatory that [security vulnerabilities] should be addressed as soon as possible, because the longer we keep those vulnerabilities out in the open without fixing them, the higher the risk that they’ll be discovered by malicious hackers or threat actors.”

GOING BEYOND COMPLIANCE

These hindrances, as constraining as they may be, only point towards a need for more rigorous VAPT exercises for financial institutions in the Philippines.

“Organizations should go beyond compliance by including more assets in the testing scope instead of just focusing on assets that are needed to meet regulatory requirements,” Secuna said.

“The government should establish clear requirements for VAPT and Red Teaming engagements to ensure penetration testing is performed effectively, rather than relying solely on automated VA,” Red Rock said.

“I always say that VAPT programs should be included in all phases of the IT service lifecycle,” said Mr. Pineda.

“If we do security assessments as early as project initiation/inception, we can identify weaknesses and fix them prior to implementation.”

On the bright side, financial industries continue to develop their security posture in light of developments in VAPT.

Mr. Tengkiat said that one of the main goals of the RCBC is to address vulnerabilities not only at the tail end but also during development.

“We are currently shifting our development approach to adopt more of the DevSecOps (development, security, and operations) approach.”

“From 2020 to 2024, PNB undoubtedly saw a significant improvement in its security processes,” the PNB Office of the CISO/DPO said.

“The VAPT program helped in strengthening the Bank’s security architecture and played a key role in fostering a security-centric culture within the organization.”

“Under the Financial Services Cyber Resilience Plan, BSP is considering updates to VAPT requirements, focusing on scope, deliverables, team qualifications, and methodology,” said the BSP.

“BSP is also benchmarking testing methodologies from other jurisdictions and will make policy improvements as needed.”
