Simuna Infosec
Compliance | 2026-06-20

BSP Circular 982: Information Security Requirements for Philippine Financial Institutions

The Bangko Sentral ng Pilipinas' Circular 982 sets enhanced information security expectations for banks. Here's what's verified, including its risk-based classification.

For financial institutions in the Philippines, the Bangko Sentral ng Pilipinas (BSP) sets the central expectations for information security and technology risk. Understanding the key circular and its requirements is essential. This article presents only verified facts.

What BSP Circular 982 Is

BSP Circular No. 982 is the "Enhanced Guidelines on Information Security Management," issued in 2017 (Series of 2017). The Monetary Board approved the revisions via Resolution No. 1854 dated 2 November 2017, amending relevant provisions of the Manual of Regulations for Banks (MORB) and the Manual of Regulations for Non-Bank Financial Institutions. It applies to BSP-Supervised Financial Institutions (BSFIs).

Circular 982 sits alongside other BSP issuances, including the earlier Circular No. 808 (2013) on IT Risk Management and Circular No. 1019 on technology and cyber-risk reporting and notification requirements.

The Risk-Based Classification Approach

A defining feature of Circular 982 is its risk-based, proportionate approach. It classifies financial institutions into three categories — Complex, Moderate, or Simple — based on factors such as their use of technology, the digital services they offer, and their interconnectivity. Complex institutions, which rely heavily on technology and offer a wide range of digital banking services, face the most extensive expectations; the controls expected of an institution should be commensurate with its operations and IT profile.

Security Testing Expectations

Under Circular 982 and the broader BSP framework, financial institutions are expected to conduct regular vulnerability assessments, prioritise high-risk vulnerabilities based on potential impact, and remediate promptly. The framework emphasises a risk-based approach to vulnerability management, with penetration testing among the tools used to identify threats early.

Notably, the framework recognises that as BSFIs become more interconnected, information security risk management must consider controls over third-party service providers, customers, and other stakeholders linked to the institution's network and systems — because attackers may target an institution through these connections.

The Evolving Landscape

The BSP has continued strengthening its cybersecurity posture. The 2024–2029 Financial Services Cyber Resilience Plan provides a roadmap for the sector, and the BSP issued guidance (Memorandum M-2024-029) connected to the Anti-Financial Account Scamming Act (AFASA). Financial institutions should track these developments alongside the foundational circulars.

How Simuna Infosec Helps

Our human-led VAPT methodology directly supports the vulnerability assessment and penetration testing expectations of the BSP framework. We help Philippine financial institutions — across the Complex, Moderate, and Simple classifications — identify and prioritise their real exposures, including risks introduced through third-party connections. Our experience securing a major automotive operation in the Philippines gives us familiarity with the local enterprise environment.

*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified Philippine legal counsel for compliance decisions.*