As cyber risks continue to grow worldwide, they pose a serious threat to the stability of the entire financial system. We are taking action to improve the cyber resilience of the entities we regulate.
The cyber world is a significant source of operational risk for financial institutions. The importance of building cyber resilience has grown over time. The pace of change has accelerated as a result of the digital economy and disruptions brought by COVID-19.
Cyber risk presents challenges that set it apart from other operational risks. For instance, many see cyber-attacks as inevitable, rapidly evolving and highly contagious. Sharing information about cyber events and coordinating responses are crucial. This helps to mitigate impacts and promote the resilience of the financial system.
Exposure to cyber risks will continue to grow for the financial sector in the future. This means cyber resilience will remain an important area of focus for us.
Read about the cyber incident cost estimates and the importance of building resilience
Since 2019, we have been working on building cyber resilience in the financial sector. We are doing this alongside industry and other public bodies including:
We have developed a 3-step approach to promoting cyber resilience, which:
There is a strong case for close coordination among agencies. We work closely with the NCSC, CERT NZ and the FMA to develop information gathering and sharing arrangements. This avoids duplication and reduces unnecessary compliance costs.
We published cyber risk management guidance in April 2021 for all entities we regulate.
The guidance outlines our expectations around cyber resilience. It draws from leading international and national cybersecurity standards and guidelines. Our intention is to illustrate current best practice, while also encouraging entities to further strengthen their cyber resilience through continual improvement.
The guidance serves as a governance framework for managing cyber risk. It has high-level, principle-based recommendations, which entities can tailor to their specific needs and technologies.
The guidance is in 4 parts:
In 2020, we consulted on the draft guidance for cyber resilience. We asked for feedback on how our information gathering and sharing with relevant public sector bodies – including the Financial Markets Authority, the National Cyber Security Centre and the Computer Emergency Response Team – could help to build cyber resilience.
The consultation closed on 29 January 2021. We have since published a summary of submissions and the individual submissions.
In 2023, we consulted on requirements to improve our collection of cyber resilience-related information. Registered banks, non-bank deposit takers and insurers are required to report cyber resilience-related information to us in 3 areas:
Templates for fulfilling these requirements are below.
Below is a link to a Frequently Asked Questions (FAQs) document, which is intended to provide guidance to entities on the material incident notification process. If you have any further questions not answered in the FAQs, please contact your supervisor in the first instance.