New Zealand Central Bank to Enforce Comprehensive Cyber Reporting Rules

The Reserve Bank of New Zealand has unveiled plans to implement robust cyber reporting rules, following the publication of consultation feedback and decisions on collecting essential data to fortify defenses against cyber threats.

Cyber risks, ranging from malicious attacks to non-malicious incidents, pose a potential threat to financial stability. Recognizing the expanding importance of managing these risks, the Reserve Bank emphasizes the need to comprehend the nature of cyber threats faced by regulated entities and evaluate their ability to respond effectively to cyber incidents.

Kate Le Quesne, Director of Prudential Policy at the Reserve Bank, emphasizes the crucial role of accurate and timely information in addressing cyber risks. According to Le Quesne, the recent consultation has highlighted the significance of providing the Reserve Bank with access to information on cyber resilience, garnering overall support for the proposed measures.

Following the positive response from the consultation, the Reserve Bank is set to implement formal material cyber incident reporting requirements, periodic reporting of all cyber incidents, and surveys on the cyber resilience of regulated entities. The move is aimed at enhancing the overall understanding of cyber risks and responses within the financial sector.

Le Quesne notes, "We received useful feedback on ways to simplify and co-ordinate our processes with other agencies. We have taken this feedback on board and have collaborated closely with the Financial Markets Authority (FMA) to develop shared reporting requirements that can be used for both agencies."

The phased implementation of cyber resilience reporting requirements throughout 2024 includes:

  1. Material Cyber Incident Reporting Requirement: Entities are mandated to report material cyber incidents to the Reserve Bank of New Zealand (RBNZ) as soon as practicable, but within 72 hours.
  2. Periodic Reporting of All Cyber Incidents: Entities are required to inform RBNZ of all cyber incidents, regardless of materiality. Large entities will be obligated to report all cyber incidents every six months, while other entities will report annually.
  3. Surveys on the Cyber Resilience of Regulated Entities: Entities will report to RBNZ on self-assessment against the bank's Guidance on Cyber Resilience. Large entities will be required to report every year, while other entities will report every two years.

The Reserve Bank, in collaboration with the Financial Markets Authority (FMA), is actively working on cyber resilience reporting requirements for dual-regulated entities. The commitment to ensuring efficient and streamlined notification, reporting, and information-sharing processes underscores the joint effort to fortify New Zealand's financial landscape against evolving cyber threats.
