The Reserve Bank of New Zealand (RBNZ) has decided against strict cyber-risk rules for financial businesses, opting for a flexible approach.

“We doubt prescriptive regulations would appreciably improve the outcome when the technology and threat landscape are both changing so rapidly,” Head of Prudential Supervision Toby Fiennes said.

The regulator will review its policy “from time to time” to ensure it remains appropriate, and will also monitor whether financial institutions are taking risks seriously.

“We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” Mr Fiennes told the Future of Financial Services conference in Auckland last week.

Businesses should take a collaborative approach to cyber risk by sharing information about threats identified or attacks experienced, he says.

Mr Fiennes told the conference the RBNZ is “not the technical cyber expert”, but a range of standards and guidance has been developed internationally and in New Zealand that businesses can draw upon.

RBNZ concerns centre on the broader financial systemic risk from a cyber attack, while the regulator also has a statutory objective to promote confidence in the insurance sector.

“An attack that caused large-scale loss or theft of policyholders’ data could undermine confidence,” Mr Fiennes said.

Fintech developments are also posing challenges, with the RBNZ balancing the benefits of allowing innovations to flourish while being alert to systemic risks emerging.

Mr Fiennes says the dynamic cyber environment requires organisations to be nimble in their approach to security and abreast of internal vulnerabilities, as well as external threats.

“In the final analysis there is no simple silver bullet,” he said. “Businesses, regulators and other authorities all need to play a part and remain alert to emerging risks and opportunities.”