Uplifting financial sector cyber resilience and the role of the Reserve Bank in addressing system risks

This page contains information on Uplifting financial sector cyber resilience and the role of the Reserve Bank in addressing system risks from the November 2021 Financial Stability Report.

Malicious attempts to exploit IT system vulnerabilities have risen substantially in recent years, and organisations face greater cyber threats than ever before. Cyber attacks have become more sophisticated, targeted and widespread, and cybersecurity is an increasingly important focus for financial institutions’ management and boards. Additionally, the economic and operational disruption caused by the COVID-19 pandemic has increased both the motivation and opportunity for cyber attackers, who have looked to exploit the large-scale shift to remote working.

This rising trend in cyber attacks is especially noticeable in the financial sector, which is a prime target for cybercrime. Consumer fraud remains the top form of financial crime; however, other forms of cybercrime such as banking Trojans and distributed-denial-of-service (DDoS) attacks have also been increasing in frequency and sophistication in recent years. While the frequency of cyber incidents regularly rises and falls, recent activity suggests that the severity of attacks is increasing.

It is essential that financial sector entities continue to undertake proactive actions to further bolster their cyber resilience strategies wherever possible, working collaboratively with other entities, government departments, and regulators. The costs and consequences of disruption mean that institutions already have strong incentives to develop their cyber resilience. That said, cyber risk poses a threat to financial stability and, as such, financial institutions as well as prudential regulators are increasingly taking a proactive approach to building resilience.

Highlighting the increased sophistication of cyber attacks, several organisations were impacted by sustained and spreading DDoS attacks over a four-week period starting in September 2021, including two of the largest banks in New Zealand. The attacks resulted in some or all of the banks’ online services being intermittently unavailable over the period. The overall impact of the DDoS attacks across the financial sector included significant operational disruption and customer dissatisfaction. The series of incidents affected customers’ access to their digital services, but did not affect customer payments or access to physical cash.

Reserve Bank policy and supervisory response to growing cyber risks

We have increased our focus on cyber risks in recent years. This has included publishing guidance and a cyber incident data collection plan. The guidance encourages financial institutions to consider governance, identification, protection, and third-party cyber risks.

We played a central role in coordinating and managing the financial sector response to the September 2021 cyber attacks. A cyber incident response team was set up: the Financial Sector Cyber Incident Response Team (FS-CIRT). This involved us collaborating with the Computer Emergency Response Team (CERT NZ), the National Cyber Security Centre (NCSC), the New Zealand Treasury, and the Financial Markets Authority (FMA).

This experience provided an opportunity to highlight the guidance to regulated entities and to incorporate lessons learned from these attacks into future policy considerations.

We have also taken the opportunity to incorporate lessons from this series of incidents into future policy work. We continue to develop supervisory practices to monitor emerging risks with regulated entities. We have been progressing our work to build cyber resilience in the financial sector, including the development of the three-step work programme (figure C.1).

Further, we have been working closely and collaboratively with other relevant agencies, including NCSC and CERT NZ, to ensure that the work is well coordinated and does not create unnecessary compliance burdens for industry. There is an opportunity to develop a collaborative cyber incident response across New Zealand agencies and our trans-Tasman counterparts, and we have started to progress this. Collecting data will enable us to share meaningful information with our counterparts to help measure the impacts of cyber attacks over time.

We will continue to take a more proactive and collaborative regulatory stance, looking for opportunities to optimise policy and incorporate cyber considerations whenever relevant. Other workstreams include developing a specific cyber standard under the Financial Markets Infrastructures Act 2021 and the future Deposit Takers Act.

Figure C.1: Reserve Bank policy incorporates a three-step approach to promote cyber resilience in regulated entities