As cyber risks continue to grow worldwide, they pose a serious threat to the stability of the entire financial system. We are taking actions to improve the cyber resilience of the entities we regulate.
The cyber world has long been recognised as a significant source of operational risk for financial institutions. The importance of building cyber resilience has grown over time alongside an increasingly digital economy, and the pace of change has recently accelerated as a result of disruptions brought by COVID-19.
There is now broad acceptance that cyber risk presents particular challenges that set it apart from other operational risks. For instance, cyber-attacks are seen to be inevitable, rapidly evolving and highly contagious. Among other things, these features mean that sharing information about cyber events and coordinating responses are crucial to help mitigate impacts and promote the resilience of the financial system.
Exposure to cyber risks will continue to grow for the financial sector in the future, and this means cyber resilience will remain an important area of focus for us.
Since 2019, we have been progressing our work to build cyber resilience in the financial sector alongside industry and other public bodies, including the National Cyber Security Centre (NCSC), the Computer Emergency Response Team (CERT NZ) and the Financial Markets Authority (FMA).
We have developed a three-step approach to promoting cyber resilience, which:
Information gathering and sharing is an area where there is a strong case for close coordination among agencies. In developing information gathering and sharing arrangements, we are working closely with the NCSC, CERT NZ and the FMA to avoid duplication and reduce unnecessary compliance costs.
We published cyber risk management guidance in April 2021 for all entities we regulate: registered banks, non-bank deposit takers, licensed insurers and designated financial market infrastructures.
The guidance outlines our expectations around cyber resilience. It draws heavily from leading international and national cybersecurity standards and guidelines. The intention is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.
It provides high-level, principle-based recommendations and serves as a governance framework for managing cyber risk, which entities can tailor to their specific needs and technologies.
The guidance is in four parts:
Last year we consulted on the draft guidance for cyber resilience and also sought feedback on how our information gathering and sharing with relevant public sector bodies – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team – could help to build cyber resilience.
The consultation closed on 29 January 2021. We have since published a summary of submissions and the individual submissions.