The Reserve Bank’s role in supporting cyber resilience

This page contains information from the November 2019 Financial Stability Report.

The frequency and severity of cyber security incidents are on the rise in New Zealand and abroad. While the financial system is a frequent target of cyber criminals, there is also a broader threat to the economy and the wellbeing of New Zealanders. These far-reaching impacts mean that a range of public bodies has taken an interest in combating this risk, including the National Cyber Security Centre, established in 2011, and the Computer Emergency Response Team, established in 2017. New Zealand’s market conduct regulator, the Financial Markets Authority, has also become more active and published a report on the cyber-resilience of its regulated entities.

Cyber risk is a well-recognised source of operational risk for financial institutions and there are strong incentives for businesses to protect themselves from cyber-attacks. Previously, the Reserve Bank took the view that public and private interests on cyber risk were relatively well aligned, but that a useful role for prudential regulators was not yet clear.[12]

However, cyber risks are evolving as digitalisation of the financial system deepens, and there is now broad acceptance that cyber risk presents particular challenges that set it apart from other operational risks. For instance, cyber-attacks are seen to be inevitable, rapidly evolving, and highly contagious. Among other things, these features mean that sharing information about cyber events and coordinating responses are crucial to help mitigate impacts and promote the resilience of the financial system.

Individual firms may be reluctant to voluntarily disclose cyber events promptly because they could face adverse reputational costs if the event becomes widely known before it has been remedied. There are also high costs involved in establishing a trusted information-sharing system, which further disincentivises the sharing of information. In response, prudential regulators are becoming more proactive in promoting the cyber resilience of the financial system.

While a commonly agreed ‘best practice’ framework has yet to emerge for addressing cyber risks, a range of practices have recently been documented by the Bank for International Settlements.[13] Publishing cyber resilience guidance and standards and promoting information-sharing are now common in many jurisdictions. Information-sharing requirements may include detail on both the internal resourcing applied to cyber resilience and data on actual incidents that have occurred.

While the Reserve Bank continues to see close alignment between public and private interests on cyber risks, it also recognises that a combination of promoting information-sharing and developing principle-based guidance is likely to enhance cyber resilience in the New Zealand financial system. In developing risk management guidance the Reserve Bank would draw from the range of international practices, tailored to New Zealand circumstances, and in consultation with industry and other stakeholders. Consultation is expected to take place in the first half of 2020.