How Cyberattacks Cost BSP-Overseen Institutions P5.82 Billion in 2024

In 2024, financial institutions under the Bangko Sentral ng Pilipinas (BSP) faced a staggering P5.82 billion in losses due to cybersecurity risks, a 2.6% jump from the P5.67 billion recorded in 2023. This alarming rise has put a spotlight on the growing threat of cyberattacks in the Philippines‘ financial sector. Speaking at the UK-Southeast Asia Tech Week, BSP Deputy Governor Chuchi G. Fonacier didn’t mince words: “Technological innovation, while it may have plenty of positive results, also has its fair share of negative externalities (which) take shape in the form of cybersecurity risks.” Her statement reflects a sobering reality—progress comes with a price.

The numbers tell a grim story. Reports of cybercrimes and losses submitted by BSP-supervised institutions skyrocketed by 150% from 16,246 in 2022 to 40,572 in 2023, climbing slightly to 40,780 in 2024. Under Circular No. 1019, these institutions must regularly report tech-related incidents, including major cyberattacks. What‘s driving this surge? Fonacier pointed to phishing, “card-not-present” fraud, account takeovers, and hacking as the top cybersecurity risks plaguing banks in 2024. Phishing alone racked up P1.8 billion in losses, while card-not-present fraud—a scam where thieves don’t need a physical card to strike—cost P1.5 billion. These figures show just how financially devastating these attacks have become.

Phishing, for the uninitiated, involves fake emails, texts, or websites designed to trick people into handing over sensitive info like credit card details or login credentials. Card-not-present fraud, meanwhile, thrives in the online shopping era, where a card‘s physical presence isn’t required. But it‘s not just old tricks causing havoc. Fonacier warned that threat actors are now weaponizing cutting-edge tools like artificial intelligence (AI). “So, for instance, artificial intelligence (AI) is being used to produce more convincing phishing e-mails, conduct identity takeover through deepfake technology, and create destructive malware variants,” she explained. These attacks don’t just hit bank accounts—they erode trust in the digital financial system, a cornerstone of modern banking.

Allan S. Cabanlong, Regional Director for Southeast Asia Hub at the Global Forum on Cyber Expertise, weighed in with a balanced take. In a phone interview, he noted, “On the other hand, it can also be used by financial institutions to block those criminals.” AI, he argued, is a double-edged sword—not the villain, but a tool that can either harm or help depending on who wields it. His advice? Banks need to overhaul internal policies, educate clients about evolving cyber threats, and bolster law enforcement. “The threats are constantly evolving. If your defense doesn‘t evolve and you’re stagnant, you wont be able to catch up with the new techniques of the criminals,” he cautioned.

The rapid shift to digital banking has only made things trickier. Dominic Vincent D. Ligot, an AI and tech consultant with the IT & Business Process Association of the Philippines (IBPAP), linked the spike in cyber losses to this transformation. “The rapid digitalization of financial services has expanded the attack surface, making financial institutions more vulnerable to breaches,” he said in a Viber message. Third-party IT systems, often interconnected with banks, add another layer of risk. Ligot highlighted that many incidents stem from phishing and social engineering—attacks that prey on human error rather than tech flaws. Worse still, homegrown threat actors in the Philippines are stepping up, exploiting local scams and even political motives to target BSP-supervised banks.

So, what‘s the fix? Experts agree it’s not a one-size-fits-all solution. Cabanlong stressed proactive measures—keeping defenses dynamic to match the criminals pace. Ligot called for a multi-pronged strategy: beef up cybersecurity infrastructure with firewalls, intrusion detection, and endpoint protection; leverage AI-driven threat monitoring; and tackle human vulnerabilities through training. He also urged stronger collaboration across the industry, pointing to initiatives like the Financial Cyber Resilience Governance Council as a model for sharing threat intelligence. Legislative support and tighter oversight of third-party risks are critical too.

The P5.82 billion loss in 2024 isn‘t just a number—it’s a wake-up call. Cybersecurity risks are evolving faster than ever, fueled by AI and digitalization. For BSP banks, staying ahead means adapting, collaborating, and educating everyone involved. Otherwise, the cost—both in pesos and public trust—will only climb higher.