Building cyber resilience to promote a sound and dynamic financial system
This page contains information on building cyber resilience to promote a sound and dynamic financial system from the November 2020 Financial Stability Report
Cyber resilience has become widely recognised as a public good, where there is a clear role for government agencies to help industry achieve socially desirable outcomes for New Zealand. The importance of building cyber resilience has grown over time alongside an increasingly digital economy, and the pace of change has recently accelerated as a result of disruptions brought by COVID-19. An example of this is the rapidly growing interest in the use of cloud computing services by financial sector entities. Cloud services offer the ability to improve efficiency and resilience, but also present new challenges and risks. Looking further ahead, the growing community of FinTech service providers presents opportunities for improved competition and inclusion in the delivery of financial services, alongside new points of potential vulnerability.
Exposure to cyber risks will continue to grow for the financial sector in the future, and this means cyber resilience will remain an important area of focus for the Reserve Bank. The recent series of high-profile DDoS attacks is a timely reminder of the ongoing need to build resilience across the financial sector.
A three-step approach to promote cyber resilience.
Over the past year the Reserve Bank has progressed its work to build cyber resilience in the financial sector. This has included releasing risk management guidance for public consultation,11 and seeking feedback on plans to collect cyber-related information from industry. The consultation period is open until the end of January 2021.
These activities fit with the Reserve Bank’s intention to become more proactive in supporting cyber resilience alongside industry and other public bodies, including the National Cyber Security Centre (NCSC), the Computer Emergency Response Team (CERT NZ) and the Financial Markets Authority (FMA).
The consultation document also outlines the Reserve Bank’s longer-term, three-step approach to help build the cyber readiness of the financial sector. The first two steps, risk management guidance and information collection, are being progressed in tandem and details are outlined in the consultation document. The third step is future oriented and aims to enhance coordination across industry, regulators and government agencies on a collective response to cyber incidents.
Principles-based risk management guidance adapted to New Zealand’s financial sector.
The risk management guidance seeks to clarify Reserve Bank expectations of regulated entities and aims to raise awareness of the importance of building cyber resilience, especially at board and senior management levels. The guidance draws heavily from well-known international and national cybersecurity frameworks but is adapted to reflect the scale, complexity and diversity of entities regulated by the Reserve Bank.
The guidance has four parts:
- Governance outlines clear roles and responsibilities for the board and senior management and emphasises the need for effective strategy to achieve cyber resilience.
- Capability building outlines five areas of focus for building cyber resilience.
- Information sharing encourages entities to choose reliable channels and cultivate a trusted environment for information sharing.
- Third-party management focuses on cyber risk related to outsourcing. Multi-agency landscape and a collaborative approach.
Cyber risks are widespread and borderless. The Reserve Bank recognises that there is a range of public sector bodies with interests in cyber security. In New Zealand, the NCSC and CERT NZ are centres of technical expertise but also have a broad focus, which means there is a role for financial sector regulators like the Reserve Bank and the FMA in supporting wider efforts to build cyber resilience.
Information gathering and sharing is an area where there is a strong case for close coordination among agencies. In developing information gathering and sharing arrangements, the Reserve Bank is working closely with the NCSC, CERT NZ and the FMA to avoid duplication and reduce unnecessary compliance costs.
Mullti-agency landscape in the cyber security domain
*FS-ISAC: Financial Services Information Sharing and Analysis Centre