Richmond Mercurio - The Philippine Star
December 19, 2025 | 12:00am
MANILA, Philippines — The Securities and Exchange Commission (SEC) is planning to mandate the establishment of cyber resilience frameworks among capital market participants to protect investors, foster trust in the Philippine capital market and promote market stability.
The SEC has issued for public comment the latest draft memorandum circular providing for the guidance for regulated entities on establishing and maintaining a cyber resilience framework.
The commission said the proposal is in line with the government’s National Cybersecurity Plan 2023 to 2028, which recognizes cybersecurity as critical to peace, security and economic development.
The latest version of the proposed guidance requires regulated entities to adopt a cyber resilience framework that outlines their cyber resilience objectives and cyber risk tolerance, as well as procedures on how they can effectively identify, mitigate and manage cyber risks to support their objectives.
It will cover publicly listed companies, broker dealers, investment houses, exchanges, self-regulatory organizations, clearing agencies, securities depositories, transfer agents and other similar capital market participants.
The board of directors of the regulated entities will be required to exercise oversight of risks stemming from cybersecurity threats.
The board will also be responsible for the creation or appointment of a Computer Emergency Response Team. The team will be led by a new position called the chief information security officer, who will be tasked to carry out the responsibilities of the chief information officer and serve as the primary liaison to the company’s authorizing officials, information system owners and information system security officers.
Based on the SEC’s latest draft guidelines, covered entities will remain responsible for the cybersecurity and resilience of computer systems they rely on, even if those systems are managed by a third party.
Entities that rely on third-party-owned critical information infrastructure are required to secure legally binding commitments ensuring that the third party meets applicable cybersecurity standards, including incident reporting, auditing and risk assessment.
A cyber incident experienced by a covered entity that is determined to be material should be disclosed to the SEC within five days after the occurrence of the event. The disclosure should include the nature, scope and timing of the incident.
The company is also mandated to report the incident’s material impact or likely material impact, including on its financial condition and results of operation.
The SEC is giving the public until Jan. 16, 2026 to submit their comments on the draft circular.



