Executive Summary
Lawmakers in the Philippines are pushing for the creation of a dedicated national fund to combat cyber threats. Camarines Sur Representatives Migz and Luigi Villafuerte have proposed the establishment of a "Cybersecurity Risk Management and Mitigation Fund" (CRMMF). This fund would provide earmarked financial resources for proactive threat prevention, incident response, and system recovery for both government agencies and private businesses. The proposal follows a series of recent DDoS attack attempts against the country's banking sector and aligns with President Ferdinand Marcos Jr.'s priority legislative agenda, indicating strong political support for strengthening the nation's cybersecurity posture.
Regulatory Details
The proposed legislation aims to create a centralized financial resource to address cybersecurity challenges. Key provisions of the CRMMF include:
- Purpose: The fund is designed for a range of cybersecurity activities, including:
  - Threat identification and prevention.
  - Incident response and management.
  - System recovery and restoration.
  - Procurement of protective services and technologies.
- Quick Response Allocation: A critical component of the proposal is the allocation of 30% of the fund specifically for quick response activities. This portion is intended for the immediate restoration of compromised Critical Information Infrastructure (CII), ensuring that essential national services can be brought back online rapidly after an attack.
- Scope: The fund would support both public sector (government offices) and private sector entities, acknowledging the interconnected nature of the national digital ecosystem.
This legislative effort is part of a broader set of 44 priority measures approved by the Legislative-Executive Development Advisory Council (LEDAC), highlighting its importance to the current administration.
Affected Organizations
If passed into law, the fund would primarily affect:
- Philippine Government Agencies: Particularly those responsible for operating Critical Information Infrastructure (CII), such as the Department of Information and Communications Technology (DICT).
- Private Sector Companies: Especially those within critical sectors like banking, energy, and telecommunications, which may be eligible for support from the fund during a major national cyber incident.
- Cybersecurity Providers: The fund would likely create new opportunities for cybersecurity companies to provide services and technology to the Philippine government.
Compliance Requirements
This is not a compliance regulation for businesses, but rather a government funding initiative. However, its existence could lead to downstream effects:
- Enhanced Government Oversight: The DICT and other agencies, empowered by the fund, would likely increase their monitoring and regulation of CII operators.
- Incident Reporting Mandates: Access to fund resources might be contingent on timely and transparent incident reporting from affected private sector entities.
Implementation Timeline
The proposal is currently in the legislative process. It has strong political backing from the President and congressional leaders, suggesting it has a high probability of moving forward. The exact timeline for passage and implementation is yet to be determined.
Impact Assessment
The creation of a dedicated cybersecurity fund would have several positive impacts for the Philippines:
- Improved Incident Response: Earmarked funds would allow for faster procurement of IR services and tools, reducing the time to contain and recover from attacks.
- Strengthened Critical Infrastructure: The focus on protecting CII would enhance the resilience of essential services like banking, power, and communications.
- Proactive Defense: The fund could be used for proactive measures like national threat hunting, vulnerability assessments, and security infrastructure upgrades, moving the country away from a purely reactive posture.
- Public-Private Partnership: It would foster closer collaboration between the government and the private sector in defending against shared threats.
Compliance Guidance
For businesses operating in the Philippines, especially in critical sectors:
- Engage with DICT: Stay informed about the development of this fund and related cybersecurity legislation. Participate in consultations to help shape the policies.
- Align with CII Protection Goals: Proactively assess whether your organization operates what could be defined as CII. Begin implementing enhanced security measures in line with the government's stated priorities.
- Review Incident Response Plans: Ensure your IR plan includes clear procedures for communicating and collaborating with government agencies like the DICT during a major incident.