RBNZ provides detailed cyber procedure guide


The Reserve Bank of New Zealand (RBNZ) has outlined cyber resilience guidelines targeted at raising awareness amongst boards and senior management in financial services.

The four-part guide, which comes after a major data breach at the central bank this year, details how to manage cyber risk procedure in the areas of governance, capability building, information sharing and third-party management.

“Cyberattacks are increasing in frequency and sophistication, and are generally stealthy in their execution,” the RBNZ says. “Possessing the capability to spot the signs of an impending cyber incident and detect a breach is vital to an entity’s cyber resilience.”

“It is therefore crucial that the board and senior management of entities ensure that they adequately manage cyber risks.”

Deputy Governor and GM of Financial Stability Geoff Bascand says the illegal data breach in January of Accellion – a third-party file sharing application used by the RBNZ – was a timely reminder of the risks associated with managing and sharing information.

“We are committed to continuing our own improvements in this area and sharing any relevant lessons with the firms that we regulate,” he said.

After almost 50 customers of California-based Accellion were hit by the breach, including corporate regulator the Australian Securities and Investments Commission (ASIC), RBNZ Governor Adrian Orr apologised, saying the RBNZ fell short of the standards expected and he personally “owned” the issue and was “disappointed and sorry”.

An independent review of the RBNZ’s systems and processes by KPMG is due to be published early this month.

The new cyber security guidelines lay out the Reserve Bank’s expectations around cyber resilience, drawing on international standards.

“The finalised guidance on cyber resilience aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of regulated entities,” the RBNZ says.

It says that due to the increasing interconnectedness of the financial sector, the ability to respond quickly and with accuracy can be instrumental in preventing the most catastrophic of cyberattack consequences, from loss of customer data, to complete systemic failure.

It is “imperative that all entities focus on building their governance to at least the baseline level,” it says.

“Response and recovery plans are essential to an entity’s ability to return to business as usual when a cyber incident has occurred.”

The 22-page guidance gives detail around Planning, Due Diligence, Contract Negotiation, Ongoing cyber risk management, Review and accountability, Documentation, Termination and Outsourcing to Cloud Service Providers.
