The Reserve Bank – Te Pūtea Matua is today releasing draft guidance on what regulated entities should consider when managing cyber resilience.
The cyber world has long been recognised as a significant source of operational risk for financial institutions, Deputy Governor and General Manager of Financial Stability Geoff Bascand says.
The draft guidance, which is open for feedback, outlines the Reserve Bank’s expectations around cyber resilience, and draws heavily from leading international and national cybersecurity standards and guidelines.
“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world,” Mr Bascand says.
“Last November we announced an evolution in our policy stance towards taking a more proactive interest in improving the cyber resilience of the financial sector in New Zealand. The spate of cyber attacks across New Zealand earlier this year was a reminder of the disruption that they can cause, and shows the importance of taking an increasing proactive role in improving the cyber resilience of New Zealand’s financial sector.”
The consultation document presents draft cyber risk management guidance which would apply to all entities the Reserve Bank regulates. This includes registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures. The consultation paper also seeks feedback on how information gathering and sharing by the Reserve Bank with relevant public sector bodies can help to build cyber resilience.
“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face.”
“We recognise that managing cyber resilience is a shared responsibility and that it is important to collaborate and coordinate with all relevant stakeholders. The proposed guidance and our information collection plans have been designed to complement the work of other government agencies with a direct interest in promoting cyber resilience in the financial sector – including the Financial Markets Authority, the ³Ô¹ÏÍøÕ¾ Cyber Security Centre and the Computer Emergency Response Team.”
The consultation is open for 14 weeks and closes on 29 January 2021. The Reserve Bank will release the final guidance early next year.