Your browser is not supported

Our website does not support the browser you are using. For a better browsing experience update to a compatible browser like the latest browsers from Chrome, Firefox and Safari.

Improving cyber resilience for regulated entities

As cyber risks continue to grow worldwide, they pose a serious threat to the stability of the entire financial system. We are taking action to improve the cyber resilience of the entities we regulate.

Why improving cyber resilience is important

The cyber world is a significant source of operational risk for financial institutions. The importance of building cyber resilience has grown over time. The pace of change has accelerated as a result of the digital economy and disruptions brought by COVID-19.

Cyber risk presents challenges that set it apart from other operational risks. For instance, many see cyber-attacks as inevitable, rapidly evolving and highly contagious. Sharing information about cyber events and coordinating responses are crucial. This helps to mitigate impacts and promote the resilience of the financial system.

Exposure to cyber risks will continue to grow for the financial sector in the future. This means cyber resilience will remain an important area of focus for us.

Read about the cyber incident cost estimates and the importance of building resilience

Our approach to promoting cyber resilience

Since 2019, we have been working on building cyber resilience in the financial sector. We are doing this alongside industry and other public bodies including:

  • the National Cyber Security Centre (NCSC)
  • the Computer Emergency Response Team (CERT NZ), and
  • the Financial Markets Authority (FMA).

We have developed a 3-step approach to promoting cyber resilience, which:

  1. provides new risk management guidance for the entities we regulate (see below)
  2. develops an information collection and gathering plan (in development and will be consulted on)
  3. enhances coordination across industry, regulators and government agencies on a collective response to cyber incidents.

There is a strong case for close coordination among agencies. We work closely with the NCSC, CERT NZ and the FMA to develop information gathering and sharing arrangements. This avoids duplication and reduces unnecessary compliance costs.

Cyber risk management guidance

We published cyber risk management guidance in April 2021 for all entities we regulate.

  • Registered banks
  • Non-bank deposit takers
  • Licensed insurers, and
  • Designated financial market infrastructures.

The guidance outlines our expectations around cyber resilience. It draws from leading international and national cybersecurity standards and guidelines. Our intention is to illustrate current best practice. While also encouraging entities to further strengthen their cyber resilience through continual improvement.

The guidance serves as a governance framework for managing cyber risk. It has high-level, principle-based recommendations, which entities can tailor to their specific needs and technologies.

The guidance is in 4 parts:

  1. Governance outlines clear roles and responsibilities for the board and senior management. It emphasises the need for an effective strategy to achieve cyber resilience.
  2. Capability building outlines 5 areas of focus for building cyber resilience.
  3. Information sharing encourages entities to choose reliable channels. It also cultivates a trusted environment for information sharing.
  4. Third-party management focuses on cyber risk related to outsourcing.

2020 guidance consultation

In 2020, we consulted on the draft guidance for cyber resilience. We asked for feedback on how our information gathering and sharing with relevant public sector bodies – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team – could help to build cyber resilience.

The consultation closed on 29 January 2021. We have since published a summary of submissions and the individual submissions.

Cyber resilience data collection

In 2023 we consulted on requirements to improve our collection of cyber resilience related information. Registered banks, non-bank deposit takers and insurers are required to report to us with cyber resilience related information in 3 areas:

Material cyber incident reporting requirement

  • Entities are required to report material cyber incidents to us as soon as practicable, but within 72 hours. 

Periodic reporting of all cyber incidents

  • Entities are required to report all cyber incidents regardless of materiality to us.
  • Large entities will be required to report all cyber incidents every 6 months and other entities annually. 

Surveys on the cyber resilience of regulated entities

  • Entities to report to us on self-assessment against our Guidance on Cyber Resilience.
  • Large entities to be required to report every year and other entities every 2 years. 

Cyber resilience data collection templates

Templates for fulfilling these requirements are below.