NZ Reserve Bank outlines stance on cyber issues

The New Zealand Reserve Bank considered whether to introduce more prescriptive requirements for managing cyber security risks but decided not to at this stage.

A recent paper by the Committee on the Global Financial System (CGFS) and Financial Stability Board highlights that financial risk in fintech platforms may be higher than at banks due to greater exposure to digital processes. Some new fintech platforms rely on investor confidence for new business, so they are particularly vulnerable to a significant operational risk event, including a cyber-attack, that may result in a loss of investor confidence.

Firms in the finance sector, regulators, and other authorities all have a part to play in managing cyber security risks while still benefiting from the opportunities of new financial technology.

“The dynamic cyber environment means organisations have to be nimble in their approach to cyber security – focused on outcomes, rather than prescriptive compliance exercises,” Reserve Bank Head of Prudential Supervision, Toby Fiennes, said in a speech delivered today to the Future of Financial Services conference, in Auckland.

He said that cyber-attack poses a significant threat to the global financial system, as shown by the ‘WannaCry’ ransomware attack that affected more than 200,000 systems around the world and the more recent ‘NotPetya’ attack.

“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” Mr Fiennes said.

“We doubt that prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape are both changing so rapidly. We will, however, review this policy stance from time to time to ensure that it remains appropriate,” Mr Fiennes said.

“The Reserve Bank is closely watching the emerging wave of ‘digital disruption’ affecting the financial sector as firms react to customer demand for a more online experience. In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear.

“We’re working with other agencies, such as the FMA and Ministry of Business, Innovation and Employment, to ensure that New Zealand presents an environment where digital financial innovation can flourish, provided it is done safely. In our view, New Zealand’s financial market regulatory settings support innovation and industry-based solutions and we see no need to actively steer potential solutions from industry by providing a concessionary environment for new entrants.

“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” Mr Fiennes said.

 

Author: Martin North

Martin North is the Principal of Digital Finance Analytics
