Outcome of consultation
After considering all of the submissions we received and consulting with experts from the National Cyber Security Centre (NCSC), we have revised and finalised the guidance on cyber resilience (the guidance).
Read the guidance on Improving the cyber resilience of regulated entities
The guidance is aligned with international standards and guidelines on cyber resilience, and provides a set of high-level, principle-based recommendations. It applies to all entities we regulate: banks, non-bank deposit takers, insurers and financial market infrastructures.
A comparison between the confirmed version and the draft Guidance on cyber resilience (PDF 239 KB)
Summary of submissions
We have published a summary of submissions with all the feedback we received and our response to the feedback.
Summary of submissions (PDF 465 KB)
We received 16 submissions, 14 of which are published below. The remaining two submitters requested their submissions remain confidential.
- AWS (PDF 752 KB)
- Cigna (PDF 339 KB)
- CLS (PDF 120 KB)
- Datacom (PDF 135 KB)
- Fidelity Life (PDF 252 KB)
- Financial Services Federation (PDF 953 KB)
- FSC (PDF 269 KB)
- Insurance Council NZ (PDF 429 KB)
- Mastercard (PDF 509 KB)
- Microsoft (PDF 548 KB)
- NZBA (PDF 147 KB)
- Payments NZ (PDF 146 KB)
- Southern Cross (PDF 118 KB)
- Swiss Re (PDF 133 KB)
About the consultation
In our November 2019 Financial Stability Report we outlined our intention to become more proactive in promoting cyber resilience in New Zealand's financial sector. This was due to the rising cyber risk and growing clarity on a suitable role for financial sector regulators.
The consultation sought views on the draft risk management guidance on cyber resilience.
Cyber resilience consultation paper (PDF 225 KB)
The consultation sought to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions.
The consultation paper also discussed our views on a collaborative approach to information gathering and sharing with other relevant government agencies (for example, the NCSC, Computer Emergency Response Team NZ and the Financial Markets Authority).