Cyber Resilience

Status: we have finalised the Guidance on Cyber Resilience with effect from 1 May 2021.

After considering all of the submissions we received and consulting with experts from the National Cyber Security Centre (NCSC), we have revised and finalised the Guidance on Cyber Resilience. The summary of submissions attached below contains all the feedback we received and our response to the feedback.

Consultation: Risk management guidance on cyber resilience and views on information gathering and sharing

In light of rising cyber risk and growing clarity on a suitable role for financial sector regulators, the Reserve Bank outlined its intention to become more proactive in promoting cyber resilience in New Zealand’s financial sector in the November 2019 Financial Stability Report.

The consultation paper seeks views on the draft of risk management guidance on cyber resilience. The guidance is aligned with international standard and guidelines on cyber resilience and provides a set of high-level principle-based recommendations.

A key aim is to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions. The guidance applies to all regulated entities of the Reserve Bank: banks, non-bank deposit takers, insurers and financial market infrastructures. The principle of proportionality applies throughout the guidance and should be employed in a manner proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity, and riskiness of its products and services.

The consultation paper also discusses the Reserve Bank’s views on a collaborative approach to information gathering and sharing. In the multi-agency landscape, the Reserve Bank plans to promote information gathering and sharing with other relevant government agencies (e.g. National Cyber Security Centre, Computer Emergent Response Team NZ, and the Financial Market Authority, etc.). Details of the information gathering and sharing plan are under development and will be published for public consultation.

After the consultation has closed, the Reserve Bank will publish the submissions it has received, a summary of the feedback and the finalised Guidance on cyber resilience.

The consultation closes at 5.00 pm on 29 January 2021.