The Reserve Bank – Te Pūtea Matua – today released draft guidance on what regulated entities should consider when managing cyber resilience.
In light of rising cyber risk and growing clarity on a suitable role for financial sector regulators, the Reserve Bank first outlined its intention to become more proactive in promoting cyber resilience in New Zealand’s financial sector in a November 2019 financial stability report.
That report announced an evolution in the Reserve Bank's policy stance towards taking more interest in improving the cyber resilience of the financial sector in New Zealand.
A spate of cyber attacks across New Zealand earlier this year was a reminder of the disruption that they can cause, and showed the importance of taking an increasingly proactive role in improving the cyber resilience of New Zealand’s financial sector, deputy governor and general manager of financial stability Geoff Bascand said.
The New Zealand Stock Exchange (NZX) in particular suffered significant disruption from a massive denial of service attack.
The cyber world has long been recognised as a significant source of operational risk for financial institutions, he said.
The draft guidance, which is open for feedback, outlines the Reserve Bank’s expectations around cyber resilience, drawing heavily from leading international and national cybersecurity standards and guidelines.
“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system,” Bascand said.
“Improving cyber resilience has become a key priority for prudential regulators around the world.”
The consultation document presents draft cyber risk management guidance which would apply to all entities the Reserve Bank regulates.
This includes registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures.
The principle of proportionality applies throughout this guidance.
“This guidance should be employed in a manner proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity and risk profile of its products and services,” it says.
“This guidance provides the baseline-level of cyber resilience recommendations for entities and, where necessary, also provides recommendations for enhanced-level practices.”
The consultation paper seeks feedback on how information gathering and sharing by the Reserve Bank with relevant public sector bodies can help to build cyber resilience.
“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face,” Bascand said.
The proposed guidance and the bank's information collection plans have been designed to complement the work of other government agencies with a direct interest in promoting cyber resilience in the financial sector – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team.
The consultation is open for 14 weeks and closes on 29 January 2021 with the final guidance to be released next year.