Status: we have finalised the Guidance on Cyber Resilience with effect from 1 May 2021.
- Guidance on cyber resilience (PDF 326KB)
- Guidance on cyber resilience - comparison between the confirmed version and the draft (PDF 239KB)
After considering all of the submissions we received and consulting with experts from the National Cyber Security Centre (NCSC), we have revised and finalised the Guidance on Cyber Resilience. The summary of submissions attached below contains all the feedback we received and our response to the feedback.
- Summary of submissions (PDF 465KB)
- AWS (PDF 752KB)
- Cigna (PDF 339KB)
- CLS (PDF 120KB)
- Datacom (PDF 135KB)
- Fidelity Life (PDF 252KB)
- Financial Services Federation (PDF 953KB)
- FSC (PDF 269KB)
- Insurance Council NZ (PDF 429KB)
- Mastercard (PDF 509KB)
- Microsoft (PDF 548KB)
- NZBA (PDF 147KB)
- Payments NZ (PDF 146KB)
- Southern Cross (PDF 118KB)
- Swiss Re (PDF 133KB)
Consultation: Risk management guidance on cyber resilience and views on information gathering and sharing
In light of rising cyber risk and growing clarity on a suitable role for financial sector regulators, the Reserve Bank outlined its intention to become more proactive in promoting cyber resilience in New Zealand’s financial sector in the November 2019 Financial Stability Report.
The consultation paper seeks views on the draft risk management guidance on cyber resilience. The guidance is aligned with international standards and guidelines on cyber resilience and provides a set of high-level, principle-based recommendations.
A key aim is to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions. The guidance applies to all regulated entities of the Reserve Bank: banks, non-bank deposit takers, insurers and financial market infrastructures. The principle of proportionality applies throughout: the guidance should be applied in a manner proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity, and riskiness of its products and services.
The consultation paper also discusses the Reserve Bank’s views on a collaborative approach to information gathering and sharing. In the multi-agency landscape, the Reserve Bank plans to promote information gathering and sharing with other relevant government agencies (e.g. the National Cyber Security Centre, the Computer Emergency Response Team NZ, and the Financial Markets Authority). Details of the information gathering and sharing plan are under development and will be published for public consultation.
After the consultation has closed, the Reserve Bank will publish the submissions it has received, a summary of the feedback and the finalised Guidance on cyber resilience.
The consultation closes at 5.00 pm on 29 January 2021.