Improving cyber resilience for regulated entities
As cyber risks continue to grow worldwide, they pose a serious threat to the stability of the entire financial system. We are taking actions to improve the cyber resilience of the entities we regulate.
Why improving cyber resilience is important
The cyber world has long been recognised as a significant source of operational risk for financial institutions. The importance of building cyber resilience has grown over time alongside an increasingly digital economy, and the pace of change has recently accelerated as a result of disruptions brought by COVID-19.
There is now broad acceptance that cyber risk presents particular challenges that set it apart from other operational risks. For instance, cyber-attacks are seen to be inevitable, rapidly evolving and highly contagious. Among other things, these features mean that sharing information about cyber events and coordinating responses are crucial to help mitigate impacts and promote the resilience of the financial system.
Exposure to cyber risks will continue to grow for the financial sector in the future, and this means cyber resilience will remain an important area of focus for us.
Our approach to promote cyber resilience
Since 2019, we have been progressing our work to build cyber resilience in the financial sector alongside industry and other public bodies, including the National Cyber Security Centre (NCSC), the Computer Emergency Response Team (CERT NZ) and the Financial Markets Authority (FMA).
We have developed a three-step approach to promoting cyber resilience, which:
- provides new risk management guidance for the entities we regulate (see below)
- develops an information collection and gathering plan (which is in development and will be released for consultation)
- enhances coordination across industry, regulators and government agencies on a collective response to cyber incidents.
Information gathering and sharing is an area where there is a strong case for close coordination among agencies. In developing information gathering and sharing arrangements, we are working closely with the NCSC, CERT NZ and the FMA to avoid duplication and reduce unnecessary compliance costs.
Cyber risk management guidance
We published cyber risk management guidance in April 2021 for all entities we regulate: registered banks, non-bank deposit takers, licensed insurers and designated financial market infrastructures.
The guidance outlines our expectations around cyber resilience. It draws heavily from leading international and national cybersecurity standards and guidelines. The intention is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.
It provides high-level, principle-based recommendations and serves as a governance framework for managing cyber risk, which entities can tailor to their specific needs and technologies.
The guidance is in four parts:
- Governance outlines clear roles and responsibilities for the board and senior management and emphasises the need for effective strategy to achieve cyber resilience.
- Capability building outlines five areas of focus for building cyber resilience.
- Information sharing encourages entities to choose reliable channels and cultivate a trusted environment for information sharing.
- Third-party management focuses on cyber risk related to outsourcing.
2020 guidance consultation
Last year we consulted on the draft guidance for cyber resilience and also sought feedback on how our information gathering and sharing with relevant public sector bodies – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team – could help to build cyber resilience.
The consultation closed on 29 January 2021. We have since published a summary of submissions and the individual submissions.