The central bank acknowledged in the past, growing awareness that cyber incidents presents risks to the stability of financial systems.
The Reserve Bank of New Zealand – Te Pūtea Matua issued a statement stating it was responding with urgency to a breach of one of its data systems.
A third-party file sharing service used by the Bank to share and store some sensitive information, has been illegally accessed.
Governor Adrian Orr said the breach has been contained, and the Bank is treating the matter with the highest priority and acting with urgency.
“We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack,” he stated.
“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”
According to the Governor the system has been secured and taken offline until an initial investigation has been completed.
“It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational,” he noted.
In October 2020, the Reserve Bank released draft guidance on what regulated entities should consider when managing cyber resilience.
The cyber world has long been recognised as a significant source of operational risk for financial institutions, Deputy Governor and General Manager of Financial Stability Geoff Bascand said.
The draft guidance, which is open for feedback, outlines the Reserve Bank’s expectations around cyber resilience, and draws heavily from leading international and national cybersecurity standards and guidelines.
“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world,” said Bascand.
“Last November we announced an evolution in our policy stance towards taking a more proactive interest in improving the cyber resilience of the financial sector in New Zealand. The spate of cyber-attacks across New Zealand earlier this year was a reminder of the disruption that they can cause, and shows the importance of taking an increasing proactive role in improving the cyber resilience of New Zealand’s financial sector.”
The consultation document presents draft cyber risk management guidance which would apply to all entities the Reserve Bank regulates.
This includes:
- Registered banks
- Licensed non-bank deposit takers
- Licensed insurers and designated financial market infrastructures
The consultation paper also seeks feedback on how information gathering and sharing by the Reserve Bank with relevant public sector bodies can help to build cyber resilience.
“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face,” he noted at the time.
“We recognise that managing cyber resilience is a shared responsibility and that it is important to collaborate and coordinate with all relevant stakeholders.
The proposed guidance and our information collection plans have been designed to complement the work of other government agencies with a direct interest in promoting cyber resilience in the financial sector – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team.”
The consultation paper was to close on the 29th of January this year.
