Cyber resilience consultation 2020

In 2020, we consulted on risk management guidance for cyber resilience. The consultation closed in January 2021 and we have published the final guidance, a summary of the submissions received and the individual submissions.

Outcome of consultation 

After considering all of the submissions we received and consulting with experts from the National Cyber Security Centre (NCSC), we have revised and finalised the guidance on cyber resilience (the guidance).  

Read the guidance on Improving the cyber resilience of regulated entities

The guidance is aligned with international standards and guidelines on cyber resilience, and provides a set of high-level, principle-based recommendations. It applies to all entities we regulate: banks, non-bank deposit takers, insurers and financial market infrastructures.

A comparison between the confirmed version and the draft Guidance on cyber resilience (PDF 239 KB)

Summary of submissions

We have published a summary of submissions with all the feedback we received and our response to the feedback.

Summary of submissions (PDF 465 KB)

We received 16 submissions, 14 of which are published below. The remaining two submitters requested their submissions remain confidential.

About the consultation

In our November 2019 Financial Stability Report we outlined our intention to become more proactive in promoting cyber resilience in New Zealand's financial sector. This was due to the rising cyber risk and growing clarity on a suitable role for financial sector regulators.

The consultation sought views on the draft risk management guidance on cyber resilience.

Cyber resilience consultation paper (PDF 225 KB)

The consultation sought to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions.

The consultation paper also discussed our views on a collaborative approach to information gathering and sharing with other relevant government agencies (for example, the NCSC, Computer Emergency Response Team NZ and the Financial Markets Authority).