Cyber-attack poses a significant threat to the global financial system, but the Reserve Bank has decided not to introduce more prescriptive requirements at this stage because both the threats and the technology are changing so swiftly, said Reserve Bank head of prudential supervision Toby Fiennes.
"The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated," Fiennes said in a speech published on the central bank's website.
"The dynamic cyber environment means that organisations have to be nimble in their approach to cyber security - focused on outcomes, rather than prescriptive compliance exercises," he said.
Fiennes said the central bank did not believe prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape are both changing so rapidly. "We will, however, review this policy stance from time-to-time to ensure that it remains appropriate," he added.
Fiennes said the central bank is focused on mitigating the systemic risks associated with a possible cyber-attack. These include a cyber-attack on one or more banks, non-bank deposit takers, financial market infrastructures (FMI) or insurers that would lead to a broad loss of confidence in the financial sector; an attack on one or more firms or FMIs that disrupts critical banking and financial services and economic functions; or an attack that would lead to the outright failure of a large, systemically important financial firm or FMI.