The Reserve Bank (RBNZ) is taking a hands-off approach towards cyber security, leaving the financial institutions it supervises to manage their own risks without specific regulation.
Having considered the matter last year, the RBNZ has decided it won’t introduce cyber security requirements for banks, non-bank deposit takers, insurers and financial market infrastructure operators to meet.
It says: “The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate.”
Rather, it is encouraging organisations to refer to international standards and best practice guidance to develop their own cyber-risk management frameworks.
With firms already having “strong reputational and financial incentives to address the cyber risks they face”, it believes “self discipline” and “market discipline” provide the “defences, agility and crisis preparedness that are required”.
The oversight the RBNZ already has over cyber security
Speaking at the Future of Financial Services conference in Auckland, the RBNZ’s Head of Prudential Supervision, Toby Fiennes, explains the RBNZ’s job is to “promote the soundness and efficiency of the New Zealand financial system and the insurance sector”.
“Unlike many other prudential regulators around the world, we chiefly have a systemic focus, rather than a focus on customers or individual institutions…
“We would allow a regulated entity to fail under circumstances where the negative impacts on the rest of the New Zealand financial system were limited.”
With this in mind, the RBNZ already has the remit to keep tabs on how firms plan to respond to cyber threats by requiring them to manage their “operational risks”.
“This engagement mostly focuses on firms’ high level strategy to manage information technology and security threats,” Fiennes explains.
“For example, they inform us about the types of attacks they might be experiencing and we explore their broader situational awareness (i.e. are they keeping up with cyber trends nationally and globally), and the processes they have in place for preventing, detecting, and responding to threats.”
By requiring banks to meet a Capital Adequacy Framework, the RBNZ also ensures they have enough capital to deal with cyber risks, among other risks.
Nonetheless, Fiennes recognises cyber risks are hard to quantify.
“There is a more general point too: that for cyber risk, and similar types of operational risk, capital may not be an effective mitigant. It can absorb final losses but it cannot solve the presenting technology problem.”
Why the RBNZ doesn’t want to get more involved
Fiennes recognises “the Reserve Bank needs other ways to think about the challenge”.
However, he explains why the RBNZ has stopped short of introducing prescriptive requirements related to cyber security:
“We at the Reserve Bank are not the technical cyber experts.
“Given our systemically-focused objectives, the existence of industry guidelines and our consideration that public and private incentives are relatively well aligned, to date we have not imposed prescriptive cyber security regulations on the financial sector.
“We doubt that doing so now would appreciably improve the outcome, when both the technology and threat landscape is changing so rapidly. We will, however, review this policy stance from time-to-time to ensure that it remains appropriate.”
Drawing on international guidance and information sharing
Fiennes says: “The dynamic cyber environment means organisations have to be nimble in their approach to cyber security – focused on outcomes, rather than prescriptive compliance exercises.
“They need to be always abreast of their internal vulnerabilities and the external threat environment, and stay up to date with ways to protect and manage these.
“This is where international standards and best practice guidance can help financial firms to develop appropriate cyber-risk management frameworks…
“Obviously, there is no ‘one size fits all’ guide out there: firms will have to consider what parts of the various guidance materials are most appropriate.”
Fiennes goes on to say: “It is crucial that firms share information about the threats they have identified, or attacks they have been subject to.
“Despite the tension around sharing commercially sensitive information, it is important that industry approaches cyber risks in the spirit of collaboration rather than competition.”