Firms in the finance sector, regulators, and other authorities all have a part to play in managing cyber security risks while still benefiting from the opportunities of new financial technology.
“The dynamic cyber environment means organisations have to be nimble in their approach to cyber security - focused on outcomes, rather than prescriptive compliance exercises,” Reserve Bank Head of Prudential Supervision, Toby Fiennes, said in a speech delivered today to the Future of Financial Services conference, in Auckland.
He said that cyber-attack poses a significant threat to the global financial system, as shown by the ‘WannaCry’ ransomware attack that affected more than 200,000 systems around the world and the more recent ‘NotPetya’ attack.
“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” Mr Fiennes said.
The Reserve Bank had thought about whether to introduce more prescriptive requirements but decided not to at this stage.
“We doubt that prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape are both changing so rapidly. We will, however, review this policy stance from time to time to ensure that it remains appropriate,” Mr Fiennes said.
“The Reserve Bank is closely watching the emerging wave of ‘digital disruption’ affecting the financial sector as firms react to customer demand for a more online experience. In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear.
“We’re working with other agencies, such as the FMA and Ministry of Business, Innovation and Employment, to ensure that New Zealand presents an environment where digital financial innovation can flourish, provided it is done safely. In our view, New Zealand’s financial market regulatory settings support innovation and industry-based solutions and we see no need to actively steer potential solutions from industry by providing a concessionary environment for new entrants.
“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” Mr Fiennes said.
· Speech: The Reserve Bank, cyber security and the regulatory framework
A RBNZ release | July 19, 2017