UPDATED: RBNZ ascribes data breach to third-party file sharing service
The Reserve Bank (Te Pūtea Matua) has been affected by a data breach which compromised ‘commercially and personally sensitive’ information.
According to a statement issued yesterday, the bank is acting with urgency to uncover the source and implications of the breach.
Reserve Bank Governor Adrian Orr says the breach has been contained. The bank is working with both New Zealand and international cybersecurity experts and authorities, including the National Cyber Security Centre (NCSC), to conduct its investigation.
According to the statement, attackers accessed a third-party file sharing service called FTA that the bank uses to share and store information. This service, provided by Accellion, was 'illegally accessed'.
Work is continuing to confirm the nature and extent of information that has been potentially accessed, and the system has been taken offline. The compromised data may include some commercially and personally sensitive information.
“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information,” says Orr.
“The system has been secured and taken offline until we have completed our initial investigations. It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational.”
In October 2020 the bank commenced draft guidance on the expectations around cyber resilience. This includes cyber risk management relating to all entities that the Reserve Bank regulates.
The aim is to educate boards and senior management about cyber risk management within institutions.
“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world,” commented Deputy Governor and General Manager of Financial Stability Geoff Bascand last year.
“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face.”
In 2019 the bank noted that: "Previously, the Reserve Bank took the view that public and private interests on cyber risk were relatively well aligned, but that a useful role for prudential regulators was not yet clear."
"However, cyber risks are evolving as digitalisation of the financial system deepens, and there is now broad acceptance that cyber risk presents particular challenges that set it apart from other operational risks. For instance, cyber-attacks are seen to be inevitable, rapidly evolving, and highly contagious. Among other things, these features mean that sharing information about cyber events and coordinating responses are crucial to help mitigate impacts and promote the resilience of the financial system."
The bank believes its role is to help promote information sharing and guidance, particularly risk management guidance.
Feedback on the draft guidance closes on 29 January.
Details of the information gathering and sharing plan are under development and will be published for public consultation in mid-2021.