Cyber incident cost estimates and the importance of building resilience
Cyber-attacks could cost New Zealand’s financial sector more than $100 million a year on average according to a new Reserve Bank bulletin article, highlighting the need for industry resilience to counter these threats.
Part of an expanding programme of work on risks to the financial system, Cyber incident cost estimates and the importance of building resilience examines the financial sector’s resilience to cyber threats and estimates the potential costs to the country’s financial system, using two internationally recognised methods.
The authors Aria Zhang, Rosie Collins, and Cavan O'Connor-Close estimate an indicative average cost of cyber incidents of $104 million a year for the banking sector and $38 million annually for the insurance sector, or the equivalent of 2-3 percent of annual profits for the two industries.
The modelling also indicates that in any given year there is a 5 percent chance the costs could exceed $2.3 billion a year.
While quantifying these costs is difficult, the findings indicate the financial cost has the potential to be significant. The study did not capture any additional costs such as the possible loss of confidence in the financial system.
The country’s cyber-security agency CERT NZ found more than 60 percent of cyberattacks on New Zealand organisations in 2018 targeted firms in the financial and insurance services sector.
With the frequency and severity of cyber security incidents on the rise, the study highlights the importance of the financial sector remaining vigilant and managing cyber risks effectively.
The Reserve Bank is strengthening its efforts to enhance the resilience of the financial system from cyber threats, including developing risk management guidance and promoting information-sharing in collaboration with industry and other public organisations.