
Reserve Bank keeps watchful eye on security; steers away from prescriptive rules

24 Jul 17

The Reserve Bank is letting the finance sector, regulators and other authorities steer their own course through cyber issues and security, opting to leave the prescriptive approach on the backburner.

Last week Reserve Bank Head of Prudential Supervision Toby Fiennes spoke at the Future of Financial Services conference in Auckland. He said that cybersecurity approaches must be nimble and focused on outcomes – rather than a prescriptive compliance approach.

He also said that risk management and disaster recovery are not part of a one-size-fits-all approach.

“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” he explained.

He said that given the rapid changes in both the cyber threat world and the technology used to defend against those threats, the Reserve Bank has chosen not to impose prescriptive regulations, opting instead to review the policy stance ‘from time to time’.

Fiennes added that the Reserve Bank focuses on mitigating systemic risks such as cyberattacks on financial institutions that lead to a loss of confidence in the financial sector; an attack that disrupts critical banking, financial and economic functions; and an attack that could lead to the ‘outright failure’ of a large firm that could have wider systemic impacts.

The Reserve Bank has been hot on the heels of the effect generated by digital disruption in the financial sector, driven by customers’ demand for an online experience.

“In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear,” he explained.

The Reserve Bank is working alongside the Financial Markets Authority and the Ministry of Business, Innovation and Employment to make sure digital innovation is conducted in a safe way, he explains.

He also points out that while the Reserve Bank is separate from other security agencies such as CERT NZ, New Zealand’s Cyber Security Strategy links to the Bank’s financial stability objective through resilience.

The Reserve Bank is also undergoing reviews of the capability and maturity of its security practices, Fiennes said. Those reviews include cyber-resilience self-assessments, reviews of key information assets, critical functions, threat exposures, vulnerabilities and appropriate mitigants.

“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” he concluded.

Read his full speech here.
