The Reserve Bank is letting the finance sector, regulators and other authorities steer their own course through cyber issues and security, opting to leave the prescriptive approach on the backburner.
Last week Reserve Bank Head of Prudential Supervision Toby Fiennes spoke at the Future of Financial Services conference in Auckland. He said that cybersecurity approaches must be nimble and focused on outcomes – rather than a prescriptive compliance approach.
He also said that risk management and disaster recovery are not part of a one-size-fits-all approach.
“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” he explained.
He said that given the rapid changes in both the cyber threat world and the technology used to defend them, the Reserve Bank has chosen not impose prescriptive regulations, opting instead to review the policy stance ‘from time to time’.
Fiennes added that the Reserve Bank focuses on mitigating systemic risks such as cyberattacks on financial institutions that lead to a loss of confidence in the financial sector; an attack that disrupts critical banking, financial and economic functions; and an attack that could lead to the ‘outright failure’ of a large firm that could have wider systemic impacts.
The Reserve Bank has been hot on the heels of the effect generated by digital disruption in the financial sector, driven by customers’ demand for an online experience.
“In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear,” he explained.
The Reserve Bank is working along the Financial Markets Authority and the Ministry of Business, Innovation and Employment to make sure digital innovation is conducted in a safe way, he explains.
He also points out that while the Reserve Bank is separate from other security agencies such as CERT NZ, New Zealand’s Cyber Security Strategy links to the Bank’s financial stability objective through resilience.
The Reserve Bank is also undergoing reviews of its capability and maturity of its security practices, Fiennes said. Those reviews include cyber-resilience self-assessments, reviews of key information assets, critical functions, threat exposures, vulnerabilities and appropriate mitigants.
“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” he concluded.