
Cyber resilience data collection

We asked for feedback on our proposed approach to improve our collection of cyber-related information to build cyber resilience in our regulated entities.

Closed

Response to submissions and final decisions

On 4 March 2024, we published the submissions we received and our response to submissions.

Cyber Data Collection Response to Submissions (PDF, 701 KB)

Cyber Data Collection Consolidated Submissions (PDF, 6.5 MB)

You can find the templates to comply with the cyber resilience data collection requirements on the page below.

Improving cyber resilience for regulated entities

About the consultation

Cyber risk – both malicious and non-malicious – continues to grow as an area of focus within the financial sector. Cyber risk can impact financial stability through loss of confidence, lack of substitutability, and interconnectedness. Cyber resilience is important for promoting a sound and dynamic financial system.

We have been taking a 3-step approach to help build cyber resilience in our regulated entities.

Step 1 - Cyber Risk Management Guidance (Published Q2 2021)

Step 2 - Cyber Data Collection Requirements and Information Sharing Arrangements (the proposals in this paper relate to this step)

Step 3 - Enhanced Coordination and Response to Cyber Incidents (New Zealand-based decisions taken in Q2 2022, and trans-Tasman decisions taken in Q4 2022).

Find out more about how we are improving cyber resilience for regulated entities


What we asked for feedback on

We proposed 2 key components to improve our collection of cyber-related information.

Cyber incident reporting

A requirement to report all material cyber incidents to us as soon as practicable, but within 72 hours (see Annex A in the consultation paper for the reporting template), and to report all cyber incidents (material and non-material) periodically.

Cyber capability survey

A periodic cyber resilience survey about organisation capabilities (see Annex B in the consultation paper for the draft questionnaire).


Why we asked for feedback

Collecting this cyber-related information will support a number of important functions:

  • measuring the effectiveness of our cyber resilience policy settings and informing further policy developments
  • helping guide meaningful discussions between financial regulators and regulated entities
  • supporting financial system risk monitoring efforts, and
  • providing insights and intelligence on the cyber threat landscape that could be shared with industry, public sector agencies, or others.

Working with the FMA

We have worked closely with the Financial Markets Authority - Te Mana Tātai Hokohoko (FMA) on these proposals, reflecting our shared interest in cyber resilience in the financial sector, which arises from New Zealand’s ‘twin peaks’ approach to prudential and conduct regulation.

Our proposal is that the material incident reporting template can be used for reporting material cyber incidents to both us and the FMA.

We propose to share information collected under the 2 periodic surveys with the FMA and other relevant agencies. Our intention is to improve information flows between financial regulators and reduce compliance costs for our regulated entities by reducing the number of requests for cyber-related information.

Consultation materials