New measures to build cyber resilience – Reserve Bank of New Zealand – Te Pūtea Matua

Cyber risks – both malicious and non-malicious – can impact financial stability, and managing them is an expanding area of focus within the financial sector.

As a prudential regulator, it is important the Reserve Bank can adequately understand the nature of cyber risks facing our regulated entities, as well as their ability to respond to cyber incidents. Having accurate, timely information is key, says Director of Prudential Policy Kate Le Quesne.

“Our recent consultation shows respondents recognise the importance of us having access to information on cyber resilience and generally support our proposals. We will now proceed with implementing formal material cyber incident reporting requirements, periodic reporting of all cyber incidents and a survey on cyber resilience of regulated entities.

“We received useful feedback on ways to simplify and co-ordinate our processes with other agencies. We have taken this feedback on board and have collaborated closely with the Financial Markets Authority (FMA) to develop shared reporting requirements that can be used for both agencies.”

The following cyber resilience reporting requirements will be implemented in phases through 2024:

  • Material cyber incident reporting requirement: entities to report material cyber incidents to RBNZ as soon as practicable, but within 72 hours.
  • Periodic reporting of all cyber incidents: entities to inform RBNZ of all cyber incidents regardless of materiality – large entities to be required to report all cyber incidents every six months and other entities annually.
  • Surveys on the cyber resilience of regulated entities: entities to report to the RBNZ on self-assessment against the RBNZ’s Guidance on Cyber Resilience with large entities to be required to report every year and other entities every two years.

The Reserve Bank and the FMA continue to work together on cyber resilience reporting requirements for dual regulated entities. We are committed to ensuring our notification, reporting and information-sharing processes are as efficient and streamlined as possible.

More information

Cyber resilience data collection consultation summary of submissions

Changes to templates

/Public Release. View in full here.