This SEC-accredited executive briefing provides a valid, verifiable, acceptable and actionable understanding of cybersecurity as a critical outcome of good corporate governance.
It identifies, analyzes and applies the published rules and standards that give a clear, coherent, complete and consistent view of the policies, organization, processes and metrics that enable control of cybercrime and protect the business enterprise from cybersecurity risks that violate the confidentiality, integrity and availability of its digital information assets.
The leadership and management of a business enterprise or government institution must fully understand their mandated participation, and their legal liability, in implementing the rules and standards on cybersecurity governance and management.
A. Why is there a need for cybersecurity?
Cybersecurity is defined as safeguarding the entities associated with people, society, organizations and nations from cyber risks. Cyber risks are associated with threats that exploit vulnerabilities in the computers, networks, storage and applications that process digital information, and thereby threaten the safety of entities located in cyberspace (ISO 27100, 3.2).
A cyber threat is a potential cause of an unwanted cybersecurity incident that can harm people, society, an organization or a country residing in the digital environment of networks, services, systems, people, processes and organizations, and that traverses the public infrastructure called the Internet (ISO 27100, 3.6).
Cyber threats are manifested as security incidents in the networked people, processes, data, applications or infrastructure of a business enterprise, and may constitute cybercrime.
Cybercrime is identified in R.A. 10175, the Cybercrime Prevention Act of 2012, as punishable offenses in the following categories (Sections 4 and 6):
1. Offenses against the confidentiality, integrity and availability of computer data and systems
2. Computer-related forgery
3. Computer-related fraud
4. Computer-related identity theft
5. Content-related offenses such as cybersex, child pornography and libel
6. All crimes defined and penalized by the Revised Penal Code, as amended, and special laws, if committed by, through and with the use of information and communications technologies
If the commission of the cybercrime was made possible by a lack of supervision or control within the juridical person or organization, the juridical person is liable for a fine equivalent to at least double the fines imposable under Section 7, up to a maximum of five million pesos (PhP5,000,000.00) (R.A. 10175, Section 9).
Failure in cybersecurity may also result in data loss, a breach or a similar incident that is a penalized violation of data privacy as described in Rule VIII of the Implementing Rules and Regulations of R.A. 10173, the Data Privacy Act of 2012. Fines for a data breach that violates privacy range from one hundred thousand pesos to five million pesos, with imprisonment from six months to six years.
The leadership and management of a business enterprise who fail to implement the required security measures have administrative, civil or criminal liability under the pertinent provisions of the Data Privacy Act of 2012:
"If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime." (R.A. 10173, Section 34)
Cybersecurity is therefore a critical function of the leadership and management of any enterprise that does business in cyberspace. Cyber refers to a computer or a computer network, the electronic medium in which online communication takes place (R.A. 10175, Section 3(i)).
Cybersecurity is defined in R.A. 10175, Section 3(k), as:
"Collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets."
Closely associated with cybersecurity are the security measures for the protection of personal information described in Chapter V of R.A. 10173, the Data Privacy Act of 2012. It obligates the personal information controller to implement the following:
1. "Reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing" (Section 20(a)).
2. "Reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination" (Section 20(b)).
The personal information controller is defined as a "person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf" (R.A. 10173, Section 3(h)). In a corporation, the personal information controller is commonly recognized as the governing board, chief executive officer, president or head of the organization.
B. Why is there a need for cybersecurity governance and management?
B.1 Cybersecurity Framework Requirement for Regulated Entities
The Securities and Exchange Commission has released draft guidance requiring regulated entities to establish and maintain a cybersecurity framework. The draft was posted for public comment on the SEC website on December 16, 2020. It identifies the practices that must be implemented in order to demonstrate cybersecurity governance.
The guidance describes the cybersecurity functions that a regulated entity must implement in order to control its cybersecurity risks:
1. Identification - Making the assets and the cyber threats visible. This connects cybersecurity to the enterprise risk management system.
2. Protection - Adopting security measures and a cybersecurity risk assessment methodology to ensure protection of the enterprise assets critical to the business mandate.
3. Detection - Maintaining a monitoring system that alerts the regulated entity to abnormal access patterns and other anomalies.
4. Response - Developing, maintaining and implementing an incident response plan that addresses any breach of cybersecurity.
5. Recovery - Developing, maintaining and implementing a disaster recovery plan and a business continuity plan that integrate cybersecurity risks.
Regulated entities are also given guidance on implementing data protection in accordance with the rules and regulations of R.A. 10173.
B.2 Security Incident Management Requirement of Data Privacy Law
National Privacy Commission Circular 16-03, Personal Data Breach Management, requires the personal information controller to implement policies and procedures for managing security incidents, including personal data breaches.
The governing body reviews and approves the cybersecurity incident management policy, the corresponding security incident response plan, and the resources and costs needed to sustain them.
C. What governance competencies enable corporate leadership and management to direct and control cybersecurity implementation in order to protect the business-critical assets associated with people, process, data, application and infrastructure?
1. Cybersecurity Threats and the Regulatory Compliance Context of a Corporation
a. R.A. 10175 - Cybercrimes
b. R.A. 10173 - Data Privacy Violations
c. R.A. 10844 (Department of Information and Communications Technology Act of 2015) and the National Cybersecurity Plan
d. Draft SEC Guidance on Cybersecurity Framework
2. Cybersecurity and Business Risk Management
a. Cybersecurity and Enterprise Risk Management
b. Privacy Impact Assessment
3. Cybersecurity and Enterprise Policy Management
a. Cybersecurity Functions of a Corporation
b. Cybersecurity Enterprise Policies and Normative Standards
4. Cybersecurity Organization
a. Cybersecurity Governance
b. Chief Information Security Officer Organization
5. Cybersecurity Incident Management
a. Security Incident Management Framework
b. Cybersecurity Incident Response and Operation Center
c. Cybersecurity and Enterprise Disaster Recovery and Business Continuity Plan
D. What is the learning content of the three-hour executive briefing for the governing body and management officers of a business enterprise?
| Learning Session | Learning Topic | Learning Output |
| 45 minutes | Cybersecurity Threats and Enterprise Risk Management | Assessment of the enterprise cybersecurity risks |
| 1 hour | Cybersecurity Policies and Standards | Cybersecurity control policy requirement |
| 1 hour | Security Incident Management and the Chief Information Security Officer Organization | Cybersecurity incident management policy, plans and organization |
Who should attend:
Personal Information Controller (Those decision makers who set policies)
- Business Owners and Board Directors
- CEOs /COOs and other C-Level Executives
- GMs, Administrators
- HR Leaders
Personal Information Processor (Those who process information)
- HR Managers and Supervisors
- Business Managers
- Sales staff, agents
- Record keepers, Registrars
Data Protection Officer
Compliance Officer for Privacy
IT Directors, IT Managers
This 3-hour training is applicable to all types of business organizations and government institutions.
*Optional: Add PhP450 for a printed copy of the certificate of attendance, inclusive of delivery charge.