The Reserve Bank of New Zealand (RBNZ) has outlined cyber resilience guidelines targeted at raising awareness amongst boards and senior management in financial services.
The four-part guide, which comes after a major data breach at the central bank this year, details how to manage cyber risk in the areas of governance, capability building, information sharing and third-party management.
“Cyberattacks are increasing in frequency and sophistication, and are generally stealthy in their execution,” the RBNZ says. “Possessing the capability to spot the signs of an impending cyber incident and detect a breach is vital to an entity’s cyber resilience.”
“It is therefore crucial that the board and senior management of entities ensure that they adequately manage cyber risks.”
Deputy Governor and GM of Financial Stability Geoff Bascand says the illegal data breach in January of Accellion – a third-party file sharing application used by the RBNZ – was a timely reminder of the risks associated with managing and sharing information.
“We are committed to continuing our own improvements in this area and sharing any relevant lessons with the firms that we regulate,” he said.
After almost 50 customers of California-based Accellion were hit by the breach, including corporate regulator the Australian Securities and Investments Commission (ASIC), RBNZ Governor Adrian Orr apologised, saying the RBNZ fell short of the standards expected and that he personally “owned” the issue and was “disappointed and sorry”.
An independent review of the RBNZ’s systems and processes by KPMG is due to be published early this month.
The new cyber security guidelines lay out the Reserve Bank’s expectations around cyber resilience, drawing on international standards.
“The finalised guidance on cyber resilience aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of regulated entities,” the RBNZ says.
It says that due to the increasing interconnectedness of the financial sector, the ability to respond quickly and with accuracy can be instrumental in preventing the most catastrophic of cyberattack consequences, from loss of customer data, to complete systemic failure.
It is “imperative that all entities focus on building their governance to at least the baseline level,” it says.
“Response and recovery plans are essential to an entity’s ability to return to business as usual when a cyber incident has occurred.”
The 22-page guidance gives detail around Planning, Due Diligence, Contract Negotiation, Ongoing Cyber Risk Management, Review and Accountability, Documentation, Termination and Outsourcing to Cloud Service Providers.