New Zealand’s central bank released a statement on Sunday confirming the Bank had been hacked. An unidentified cybercriminal had illegally accessed one of its systems. Although the breach has been contained, it remains unclear if any commercially or personally sensitive information has been stolen. The Bank’s core functions “remain sound and operational”.
Central Bank’s Urgent Response to Data Breach
The Reserve Bank of New Zealand, Te Pūtea Matua, is responding “with urgency” to a breach of one of its data systems. The Bank released a statement on Sunday confirming that a third-party file sharing service had been illegally accessed. The Bank used this service to share and store some sensitive information. It remains unclear when the breach took place and who may be behind it. The Bank also didn’t make public in what country the file sharing service is based.
Meanwhile, the breach has been contained. New Zealand’s Reserve Bank Governor, Adrian Orr, emphasized that the Bank is treating the matter with the highest priority. “We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack.” The system has been secured and taken offline until the Bank completes its initial investigations. Core functions remain sound and operational.
What information has been potentially accessed is still being determined, as is the nature and the extent of the hack. “It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed”, Orr said. The Bank admitted that the accessed data may include some commercially and personally sensitive information.
Guidance on Building Cyber Resilience
Coincidentally, in October 2020, the Reserve Bank released a draft guidance on what regulated entities should consider when managing cyber resilience. “The cyber world has long been recognised as a significant source of operational risk for financial institutions”, Deputy Governor and General Manager of Financial Stability Geoff Bascand said.
The consultation document presents draft guidance on cyber risk management, which would apply to all entities the Reserve Bank regulates. The paper also seeks feedback on how information gathering and sharing by the Reserve Bank with relevant public sector bodies can help to build cyber resilience.
“A key aim is to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions. We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face.”
The consultation is open for 14 weeks and closes on 29 January 2021.
Growing Threat Worldwide
Cyberattacks against financial institutions are a growing threat worldwide. According to the Boston Consulting Group, they are 300 times more likely than other companies to experience cyberattacks. The reasons for this are their rich data resources, significant financial assets and relatively old and fragmented IT systems. As a result, almost all financial firms have been confronted with a cybersecurity incident in one form or another.
New Zealand’s cybersecurity agency, CERT NZ, previously warned the financial sector about ransomware campaigns targeting financial institutions. Several organizations have since fallen victim to cyberattacks. In August, a series of DDoS attacks kept the New Zealand stock exchange offline for four consecutive days.
In the first quarter of 2020, there was also a sharp increase in the use of Banker Trojans. These Trojans are developed to steal user account data from online banking, e-payment and credit card payment systems. Banks generally work very hard to make online banking as safe as possible. Nonetheless, there are several steps anyone can take to decrease the risks of online banking.