Bank staying fluid on cyber-attack rules
Changing nature of threat means nimble approach needed, says Reserve Bank
Cyber-attack poses a significant threat to the global financial system but the Reserve Bank has decided not to introduce more prescriptive requirements at this stage because of the swiftly changing nature of both the threats and the technology, says Reserve Bank head of prudential supervision Toby Fiennes.
“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate,” Fiennes said in a speech published on the central bank’s website.
“While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” he said.
“The dynamic cyber environment means that organisations have to be nimble in their approach to cyber security — focused on outcomes, rather than prescriptive compliance exercises.”
Fiennes said the central bank did not believe prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape were both changing so rapidly.
“We will, however, review this policy stance from time to time to ensure that it remains appropriate.”
Fiennes said the central bank was focused on mitigating the systemic risks associated with a possible cyber-attack.
These include a cyber-attack on one or more banks, non-bank deposit takers, financial market infrastructures (FMI) or insurers that would lead to a broad loss of confidence in the financial sector; an attack on more firms or FMI that disrupts critical banking and financial services and economic functions; or an attack that would lead to the outright failure of a large, systemically important financial firm or FMI.
He also said the Reserve Bank was closely watching the emerging wave of digital disruption affecting the banking sector related to fintech, including peer-to-peer lending services, electronic wallets, cryptocurrencies and so-called open banking.
In the short term, digital disruption may result in new risks and increased instability in the financial system, but in the long term it may improve its efficiency, Fiennes said.
“Looking forward, the Reserve Bank and other regulators will need to make sure the regulatory regime in New Zealand is adaptive should any new business models become systemic, while not unduly harming innovation.”
Fiennes said the central bank was working closely with other agencies, such as the Financial Markets Authority and Ministry of Business, Innovation and Employment, to ensure New Zealand presented an environment where digital financial innovation could flourish, provided it was done safely.