Published on 29/10/2020 | Written by Heather Wright
Reserve Bank releases cyber resilience guidance…
Newly released draft guidance on cyber resilience from none other than the Reserve Bank of New Zealand could provide a valuable framework for all sectors as Kiwi businesses grapple with increasing cyber threats.
The RBNZ released its draft guidance on what regulated entities, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures, should consider when managing cyber resilience.
The draft guidance, which is currently open for feedback, provides risk management guidance, drawn heavily from national and international cybersecurity standards and guidelines, which would apply to all entities the Reserve Bank regulates. It sets out a baseline level, along with recommendations for ‘enhanced-level’ practices and aims to provide principles-based guidance, rather than prescriptive oversight.
But while the guidance might technically apply only for those regulated by the RBNZ, it could potentially create a framework for other Kiwi businesses, and a benchmark against which all New Zealand businesses could be measured.
Geoff Bascand, RBNZ deputy governor and general manager of financial stability, says improving cyber resilience has become a key priority for regulators around the world.
“There is a growing awareness that cyber incidents could present risks to the stability of the entire financial system,” Bascand says.
“The spate of cyberattacks across New Zealand earlier this year was a reminder of the disruption that they can cause, and shows the importance of taking an increasingly proactive role in improving the cyber resilience of New Zealand’s financial sector.”
DDoS attacks took down the NZX website for five trading days in a row in late September, with TSB, Kiwibank and Metservice also hit by DDoS attacks at the same time. The NZX attacks, which were preceded by an email, prompted involvement from the GCSB, which stood up a ‘serious group’ to deal with the ongoing attacks.
It’s a similar story across the Tasman, where the number of breaches increased 50 percent from 2018 to 2019.
The RBNZ guidance has four parts: governance, capability building, information sharing and third-party management, which includes a subsection on the use of cloud computing services. That section, if accepted, includes stricter controls than those issued by some other regulators, requiring financial companies to notify the Reserve Bank if they outsource critical functions to cloud service providers.
“Using cloud services does bring more challenges to assess legal and regulatory obligations and financial institutions may also run the risk of potentially underinvesting in risk mitigation if the shared tasks are not well articulated and understood,” the draft says.
“The trend of relying on a narrow set of major cloud service providers also puts concentration risks on the financial system. Therefore, in addition to following all recommendations on general third-party management, financial institutions should pay special attention when outsourcing to cloud service providers.”
The capability section includes five technical building blocks which the RBNZ says form the foundation for robust cyber resilience, allowing organisations to identify, protect against, detect, respond to and recover from cyber threats and incidents. Baseline and enhanced suggestions are provided for each of the five areas.
Information gathering and sharing also comes in for closer scrutiny, with RBNZ noting that sharing information is a crucial component of a collective response to cyberthreats.
“We recognise that managing cyber resilience is a shared responsibility and that it is important to collaborate and coordinate with all relevant stakeholders.
“The proposed guidance and our information collection plans have been designed to complement the work of other government agencies with a direct interest in promoting cyber resilience in the financial sector – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team,” the RBNZ says.
“The guidance primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions,” the draft says.
The principle of proportionality applies, with the draft advocating that guidance be employed ‘in a manner proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity and risk profile of its products and services’.
The draft guidance comes as Accenture New Zealand says cyber security investment is running high, but Kiwi companies aren’t successfully scaling the tools across their organisations. While we might need to up our security game, that doesn’t necessarily mean buying even more solutions.
Accenture New Zealand managing director Ben Morgan says recent cyberattacks against the NZX and Metservice should be a wake-up call for Kiwi businesses to rethink their cyber security.
“Organisations are spending more money on state-of-the-art security tools but if these are not scaled across their business then there will be vulnerabilities that can be exploited by cyber criminals and other malicious actors,” Morgan says.
Accenture’s recent State of Cybersecurity report found that while companies are investing big in new cybersecurity tools – globally 11 percent of organisations’ IT budgets are being spent on cybersecurity programs – only a quarter of those are being successfully scaled across their business.
“While the technology is there to thwart these increasingly sophisticated attacks, and companies are purchasing these solutions, they are coming unstuck when it comes to scaling them across their organisations,” Morgan says.
“The problem isn’t the technology, it is having the technology deployed correctly and making sure employees know how to use it.”
Consultation on the RBNZ guidance is open until 29 January 2021, with final guidance expected to be released in early 2021.