Reserve Bank moves to bolster its understanding of cyber resilience in the financial sector

By Eric Frykberg

The Reserve Bank (RBNZ) is moving forward with steps to boost its oversight of cyber security at financial institutions. 

These include proposals for mandatory reporting of all material cyber security incidents to the RBNZ within 72 hours.

The institutions that would have to comply would be registered banks, non-bank deposit takers, licensed insurers and designated financial market infrastructure services. 

The RBNZ defines a material cyber incident as: "one which materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of its stakeholders such as depositors, policyholders, beneficiaries, other customers, system participants, or more broadly raises prudential concerns."

The mandatory reporting proposal is among several that have been worked on for some time by the RBNZ and are now being sent out to the finance industry for consultation. The proposals include mandatory reporting of non-material cyber incidents on a regular basis and a periodic survey of cyber resilience among regulated entities. 

Providing context around the volume of cyber-attacks the banking industry faces, Ross McEwan, CEO of BNZ's parent National Australia Bank (NAB), last October said NAB faced more than 50 million attacks on its digital channels on a monthly basis.

The RBNZ says the ability of cyber attackers to undermine, disrupt, and disable technology systems used by financial entities is a threat to financial stability. They can harm individuals and businesses and bring loss of confidence in the financial sector.   

"Collection of this information will improve our understanding of cyber resilience in the financial sector. It will also support industry engagement by sharing insights and ultimately enable better responses to cyber incidents," RBNZ Director of Prudential Policy Kate Le Quesne says.

In supporting documentation, the RBNZ said the estimated average cost of cyber incidents is $104 million for the banking industry annually and $38 million for the insurance industry. But it added there was a risk that the cost could be far higher in any one year.

The RBNZ said it was working closely with the Financial Markets Authority on cyber data collection to share data and avoid duplication.  

The RBNZ request for feedback came simultaneously with a series of webinars put on by the Privacy Commission, many of which focused on a series of hacks of large institutions in Australia and New Zealand.  

The RBNZ's consultation paper is here.

*Also see: Why it's time for NZ to take cybercrime & cybersecurity much more seriously.

2 Comments

Questions arising:
1./ How will this be monitored and policed?

2./ Can the method identified above realistically be expected to keep banks from withholding information?

3./ What will penalties be for a breach of the mandate? It will need to be very significant to even make the banks bat an eyelid after the profits they have scraped from the country and the RBNZ

Up
0

RBNZ normally ask banks to use an external auditor if they need assurance.

Banks no longer withhold information from the RBNZ, unless it is an unknown unknown.

The banks already informally share cyber info between themselves. This is a smart move, not a biggie.

Some in this industry see an external state sponsored cyber event as a real threat. It's good RBNZ see the same.

 

Up
0