Reserve Bank keeps watchful eye on security; steers away from prescriptive rules

24 Jul 17

The Reserve Bank is letting the finance sector, regulators and other authorities steer their own course through cyber issues and security, opting to leave the prescriptive approach on the backburner.

Last week Reserve Bank Head of Prudential Supervision Toby Fiennes spoke at the Future of Financial Services conference in Auckland. He said that cybersecurity approaches must be nimble and focused on outcomes – rather than a prescriptive compliance approach.

He also said that risk management and disaster recovery are not part of a one-size-fits-all approach.

“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” he explained.

He said that given the rapid changes in both the cyber threat world and the technology used to defend against them, the Reserve Bank has chosen not to impose prescriptive regulations, opting instead to review the policy stance ‘from time to time’.

Fiennes added that the Reserve Bank focuses on mitigating systemic risks such as cyberattacks on financial institutions that lead to a loss of confidence in the financial sector; an attack that disrupts critical banking, financial and economic functions; and an attack that could lead to the ‘outright failure’ of a large firm that could have wider systemic impacts.

The Reserve Bank has been hot on the heels of the effect generated by digital disruption in the financial sector, driven by customers’ demand for an online experience.

“In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear,” he explained.

The Reserve Bank is working alongside the Financial Markets Authority and the Ministry of Business, Innovation and Employment to make sure digital innovation is conducted in a safe way, he explains.

He also points out that while the Reserve Bank is separate from other security agencies such as CERT NZ, New Zealand’s Cyber Security Strategy links to the Bank’s financial stability objective through resilience.

The Reserve Bank is also undergoing reviews of the capability and maturity of its security practices, Fiennes said. Those reviews include cyber-resilience self-assessments, reviews of key information assets, critical functions, threat exposures, vulnerabilities and appropriate mitigants.

“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” he concluded.

Read his full speech here.
