
May 31, 2021

RBNZ Issues Cyber Resilience Guidance

Cyber resilience: The ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents. - Cyber Lexicon, Financial Stability Board (FSB), 12 November 2018

In April 2021 the Reserve Bank of New Zealand (RBNZ) published its Guidance on Cyber Resilience, aimed at the financial entities it regulates: registered banks, licensed non-bank deposit takers (NBDTs), licensed insurers and designated financial market infrastructures.

The Guidance is, however, just as useful to debt issuers, managed investment scheme (MIS) managers, retirement village operators and supervisors, because what it says about the risks that cyber attacks pose to New Zealand’s financial sector applies broadly across that sector.

The Guidance is timely: critical parts of New Zealand’s financial system infrastructure, in the form of the NZX and the RBNZ itself, have recently been subjected to cyber attacks with serious consequences.

Cyber crime comes knocking on New Zealand’s door

Major cyber crime and the attacks that go with it used to be something that happened to other organisations and people in foreign countries. Lately they have come home to roost among Kiwis.

NZX

In August and September 2020 the NZX fell victim to repeated distributed denial of service (DDoS) attacks, of a kind often accompanied by ransom demands, that disrupted trading for several days and extended to attacks on companies listed on the exchange.  The Financial Markets Authority (FMA) responded to the NZX’s woes by publishing a targeted review in January 2021.

RBNZ

In January 2021 it was the RBNZ’s turn to suffer a disruptive data breach, the result of a cyber attack that came through externally provided file-sharing software.  The RBNZ has since posted a dedicated webpage to publish updates on the consequences of that incident and, most recently, has issued a media release on the outcome of the investigations into it.

Generate KiwiSaver

On a smaller scale for New Zealand’s financial system, KiwiSaver provider Generate Investment Management Limited suffered an identity theft attack in February 2020 that evidently caused considerable inconvenience to the investors affected.

Waikato DHB

Most recently, a non-financial institution, the Waikato District Health Board, suffered severe disruption to clinical services from a ransomware attack initially reported to have begun with a malicious email attachment.  The compromise of the DHB’s IT systems has since reportedly escalated into identity theft and privacy breaches.

There can be no doubt that New Zealand now has the dubious distinction of being well and truly embedded in the global map of organised cyber crime, with a conspicuous giant neon sign attached flashing “Open for Criminal Business”. 

Colonial Pipeline

Overseas, the most notable recent cyber attack is the successful ransomware extortion of the US fuel pipeline operator Colonial Pipeline.  It sets an unfortunate precedent, because the complete success of a ransomware attack has now been publicly demonstrated.  The company paid a ransom of US$4.4 million to regain control of its systems, but expects further flow-on losses in the order of tens of millions from downstream business disruption, while the knock-on effects on the wider US economy are likely to run to hundreds of millions.

The Colonial Pipeline extortionists, who allegedly trade under the brand name DarkSide, also run their own PR campaign, casting themselves as latter-day Robin Hoods when in truth they are motivated solely by plain old-fashioned greed.  In a public statement issued in respect of the Colonial Pipeline shakedown, the group reportedly said:

"Our goal is to make money and not creating problems for society.  We do not participate in geopolitics, do not need to tie us with a defined government and look for... our motives."

Financial and insurance services

In New Zealand, the greatest exposure to cyber attack is in the financial and insurance services sectors.  CERT NZ’s quarterly report for the fourth quarter of 2020 recorded that financial and insurance services suffered by far the most reported cyber incidents, at 117.  In one sense this contemporary criminality has not moved far on from the old stick-’em-up days of pistol-point bank heists.  The simple logic of such looting was neatly captured in a famous, if probably apocryphal, exchange between a naïve crime reporter and the notorious Irish American bank robber Willie Sutton (1901 – 1980):

Reporter: "Willie, why do you rob banks?"

Sutton: "Because that's where the money is."

However, the Colonial Pipeline and Waikato DHB cases show that to ransomware marauders it is not fundamentally relevant whether the target is a financial institution.  What matters most is that the victim can probably buy its way out of trouble, with the ransom usually demanded in cryptocurrency.  It nonetheless pays to be aware that New Zealand’s wider financial services sector contains all sorts of non-bank entities, such as fund managers, registries, custodians, supervisors and adviser groups, that hold valuable client information ripe for stealing, or whose pockets are presumed deep enough to pay protection money to extortionists.

Counting cyber crime’s cost to New Zealand

The RBNZ has attempted to quantify the potential cost of cyber crime to the New Zealand economy in a Bulletin paper of February 2020, Cyber incident cost estimates and the importance of building resilience.  The paper focuses on New Zealand’s banking and insurance sectors as potential victims of cyber attack.  Noting that New Zealand lacks cyber incident cost statistics for such systemically important financial institutions, the paper relies on much more complete data from the Netherlands dating from 2017, which the authors scaled and adjusted to synthesise a comparable data set for New Zealand.

The authors then applied two alternative “bottom up” measurement methodologies to the derived data set to calculate the financial losses that cyber incidents could inflict on New Zealand’s banks and insurers: expected value loss and value-at-risk (VaR).  On this modelling they estimated annual expected losses of $104 million for banks and NBDTs and $38 million for insurers, with a 5% chance (the VaR measure) that annual losses could exceed $2 billion and $300 million respectively.  As a cross-check, a “top down” approach using expected losses as a percentage of GDP gave estimated annual losses of $80 million to $134 million for the combined financial and insurance industry and $1.306 billion to $2.193 billion across all industries.  These are annual figures, so they accumulate year after year, representing very large economic risks over time and entailing crippling opportunity costs and productivity losses from the investment they displace; and they do not account for low-probability, extreme “black swan” events that could prove even worse.

While these numbers are staggering enough in themselves, they do not capture the human costs that cannot necessarily be quantified in money.  If one loses a purse or wallet, there is a cost in time and inconvenience reporting missing credit cards, driver licences and other documents such as passports that require cancellation and replacement, not to mention completing Police complaints and insurance claim forms.  In a mass identity data theft caused by cyber attack, this unpaid labour imposed on the victims is multiplied vastly and implies a large financial cost if, say, the total hours involved are priced at a yardstick such as the adult minimum wage.  When a hospital’s IT systems crash due to a ransomware attack and normal services are suspended indefinitely, the stress and suffering arising from delayed and dislocated medical treatment, operations and privacy for patients, their families and friends, employers and colleagues, and hospital staff veers towards the incalculable.

Small wonder then that the Bulletin paper states, “Cyber risk imposes costs upon the financial sector, not only for financial institutions but also for their customers and the financial system as a whole. These costs include both direct costs from financial loss and indirect costs such as reputational damage and the opportunity cost from foregoing more productive investment” (Bulletin paper p. iii) and concludes “Addressing cyber risk is a collaborative endeavour. No person is an island” (ibid. p. 9).

FMA surveys financial sector cyber resilience

In July 2019 the Financial Markets Authority (FMA) published a report on a thematic review it had conducted to gauge the cyber resilience preparedness of the financial service entities it regulates.  The report, Cyber-resilience in FMA-regulated financial services, is a snapshot of how New Zealand’s financial service firms saw themselves in relation to cyber risk less than two years ago, and it reveals a disturbing pattern of complacency.  For example, while 56% of firms surveyed ranked cyber risk globally as “high/very high”, only 36% believed the same ranking applied to New Zealand’s financial services, and just 25% thought so of their own firm.  Either New Zealand’s financial services were extraordinarily well protected against cyber threats, or they were overly optimistic about their true situation.  Events since the survey suggest the latter.

Digging deeper, the FMA looked at how the surveyed firms rated themselves against the core of the United States’ National Institute of Standards and Technology (NIST) Cybersecurity Framework.  The Framework core has five key cybersecurity functions (listed here in the Framework’s own order):

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

The FMA’s survey found a marked bias by respondents towards “Protect”, with far less emphasis on the other four functions and least of all on “Detect” and “Respond”.  These findings suggest lop-sided and haphazard approaches by financial services firms to managing cyber risk.

The FMA made a number of key recommendations in its thematic review for all market participants to adopt:

  1. Make use of services provided by CERT NZ and the National Cyber Security Centre (NCSC);
  2. Include own-firm and broader global level cyber risk assessments within their wider risk assessment and risk management programmes;
  3. Consider the lessons to be learned from pages 3-4 of the FMA’s cyber resilience thematic review;
  4. Use a recognized cyber security framework like NIST’s to assist with planning, prioritizing and managing their cyber resilience;
  5. Ensure an appropriate balance between protection and detection measures, and not over-rely on protection;
  6. Have an at least basic, circumstances-appropriate, response and recovery plan in respect of their regulated service;
  7. Incorporate within governance arrangements board and/or senior management ownership and visibility of the cyber resilience framework and educational resources such as the Institute of Directors’ Cyber-Risk Practice Guide.

The RBNZ weighs in

The RBNZ’s Guidance on Cyber Resilience caps off a period of highly publicised and embarrassing cyber attacks on a KiwiSaver provider, the NZX and the RBNZ itself, all of which occurred in the wake of the FMA’s thematic review of the financial services sector.   By now some bitter lessons must have been learned.   New Zealand companies, particularly those regulated by the FMA and the RBNZ, should be in a much better cyber resilience position today than the thematic review, and the major incidents that followed it, showed them to have been in since mid-2019.

As noted previously, the RBNZ’s Guidance deserves wider readership within New Zealand’s financial services sector than just those entities that the central bank regulates.  The Guidance is divided up into four core parts:

Part A: Governance

“Governance refers to the decisions and actions of those in charge of an entity. More specifically, cyber resilience governance is concerned with the overall formation, execution, and evaluation of a cyber risk management approach.” (RBNZ Guidance p. 3)

Part B: Capability Building

“Capability building encompasses five technical building blocks that form the foundation for robust cyber resilience. These building blocks allow an entity to identify, protect against, detect, respond to, and recover from, cyber threats and incidents.” (ibid. p. 7)

Part C: Information sharing

“Facing ever-evolving and contagious cyber threats, the benefits of collective action are apparent. A crucial component of a collective response to cyber threats is the sharing of information and how quickly it can be acted upon. In addition to the cyber threat environment, it is also crucial for an entity to understand the adequacy of its cyber risk mitigation measures through sharing and learning from industry best practice.” (ibid. p. 13)

Part D: Third-party management

“It has become the norm for organisations to rely on a multitude of third-party service providers (including related parties, like parent companies or subsidiaries) to support core business functions. It is also common for these third-party entities to have access to a company’s data and its internal systems. If used prudently, third-party services may reduce an entity’s cyber risk, especially for those entities that lack cyber expertise. However, the third-party ecosystem provides an ideal environment for cyber criminals looking to infiltrate an organisation to thrive.” (ibid. p. 14)

These various parts are well laid out, including in titled subparts divided into enumerated clauses for ease of reference, and come with Annexes that combine a Glossary, Acronyms, and a set of recommended cyber resilience frameworks for entities to refer to. 

The RBNZ’s recommended cyber resilience frameworks include:

GCSB (Government Communications Security Bureau) New Zealand Information Security Manual (NZISM)

NIST (National Institute of Standards and Technology) Cybersecurity Framework

Cyber Risk Institute Cybersecurity Profile (previously known as the Financial Services Sector Cybersecurity Profile)

ISO/IEC 27000-series of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

Altogether the RBNZ’s Guidance is an excellent, practical contribution to the cyber resilience of New Zealand organisations, and its practical reach extends well beyond banks, NBDTs, insurers and financial market infrastructures.  As might be expected, and building on the FMA’s earlier thematic review, the Guidance promotes NIST’s Framework for Improving Critical Infrastructure Cybersecurity, but does so in an itemised fashion that identifies in detail the specific components of a model cyber resilience framework.

Conclusion

“Major criminal cyberattacks and cyber incidents within New Zealand over the past two years have served to underscore the urgent need to develop and maintain effective and adaptive cyber resilience programmes as an enduring organisational priority throughout our country,” said Matthew Band, General Manager of Corporate Trustee Services at Trustees Executors.

“New Zealand’s geographical isolation is no protection against international cyber piracy, which knows no boundaries and respects no borders.”

“Arguably, New Zealand has done a better job collectively at managing COVID-19 than it has with cyber risks to date.”

“The Reserve Bank’s Guidance on Cyber Resilience should be read at corporate board and senior management levels throughout the financial services sector to help ensure that corporate culture and governance are sufficiently informed and prepared to meet and manage growing and ever-changing cyber risks and threats.”

“It can be a fruitful exercise for corporate boards and senior management to take the FMA’s thematic review of cyber resilience in the financial services sector as a baseline to measure their own companies’ situations against and then undertake a detailed and comprehensive comparative assessment against the RBNZ’s itemized standards as set out in the Guidance.”

“In doing so, particular attention should be paid to the robustness of cyber resilience programmes maintained by third-party outsourced providers, such as custodians and registry services, and embedding periodic checks to be carried out in relation to them.”

“It is quite likely that performing such a review exercise will reveal many gaps to fill and much more work to do, including the need to change attitudes, priorities, policies and practices concerning cyber resilience.”

“It should be expected as a routine matter of prudent good corporate conduct that cyber risk features prominently on the risk register which is in front of senior management and boards of directors at all times.”

“The FMA and the RBNZ have done good service to the enterprises they regulate by publishing high quality, accessible and practical work on cyber resilience.”

“It falls to the financial services sector to learn and apply the lessons that these two regulators have to teach.”

“As a licensed supervisor, Trustees Executors expects that its supervised entities will pay close attention to the cyber resilience guidance published by the FMA and the RBNZ and respond promptly and appropriately in addressing any relevant cyber risk and cyber resilience matters arising from it.”

For comment or more information, or to be added to the free email subscriber list of “The Supervisor”, please contact Matt at [email protected].
