The Reserve Bank has decided against using its powers to impose more prescriptive cyber security requirements on the financial institutions it regulates, saying it does not believe doing so would significantly improve outcomes.
The bank’s head of prudential supervision, Toby Fiennes, told the Future of Financial Services conference in Auckland that, with both the technology and threat landscape changing rapidly, organisations needed to be nimble and have an outcomes-focused approach to cyber security, rather than putting their energies into “prescriptive compliance exercises.”
Fiennes said: “We at the Reserve Bank are not the technical cyber experts. Given our systemically-focused objectives, the existence of industry guidelines and our consideration that public and private incentives are relatively well aligned, to date we have not imposed prescriptive cyber security regulations on the financial sector.”
He did not rule out a change in the Bank’s approach, saying: “We will, however, review this policy stance from time to time to ensure that it remains appropriate.”
Fiennes said that, while the Bank, as a financial regulator, requires financial firms to adequately identify, measure, and control the risks they face, cyber risk is not precisely defined but would fall within the category of operational risk.
He said operational risk had been defined in the early 2000s by the Basel Committee on Banking Supervision as “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
Fiennes said that when a definition of cyber risk did emerge, it would likely be similar to that adopted by the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO) in their 2015 guidance on cyber resilience for financial market infrastructures, namely: “The combination of the probability of an event occurring within the realm of an organisation’s information assets, computer and communication resources and the consequences of that event for the organisation.”
Notwithstanding the lack of a definition of cyber risk in financial regulation, and the Bank’s decision not to impose more prescriptive cyber security requirements, Fiennes said the existing regime allowed it to respond to the threat of cyber-attack on the institutions it regulates.
“Supervised institutions are expected to manage operational risks, and cyber is covered indirectly in high level management, disclosure and attestation requirements as well as business continuity planning,” he said.
“IT and cyber security risks are implicit in our existing regulatory framework. Our Capital Adequacy Framework is designed to ensure banks are adequately capitalised against the risks they face, including cyber risk. Banks that face greater operational risk, including higher risk of cyber-attack (or where the impact of an attack is greater, including because of weak operational resilience planning) should have higher capital requirements.”
However, he warned that banks might underestimate their exposure to cyber risk. “In practice cyber risks are hard to quantify. It is difficult and expensive to generate a complete map of cyber weaknesses, and even more challenging to keep it up to date in a rapidly changing environment. Banks may underestimate the amount of capital they need to hold against cyber risk.”
He added: “There is a more general point too: that for cyber risk, and similar types of operational risk, capital may not be an effective mitigant. It can absorb final losses but it cannot solve the presenting technology problem.”