
RBNZ to impose cyber reporting rules on financial institutions

From April 8, New Zealand’s banks will need to disclose major cyber incidents within 72 hours


The Reserve Bank of New Zealand (RBNZ) is to implement new cyber reporting rules in the financial sector, including a requirement for banks and other regulated entities to report major incidents within 72 hours.

The central bank made the announcement today (March 4) after receiving generally supportive feedback on its proposals to strengthen cyber resilience in the sector.

From April 8, entities regulated by the RBNZ will need to report “material” cyber incidents to the bank as soon as practicable, but within 72 hours. These entities include registered banks, non-bank deposit-takers and insurers. 

The 72-hour timeframe includes non-business hours, public holidays and weekends, the central bank said in a consolidated response to views received in the consultation.

It said regulated entities would also need to inform it of all cyber incidents regardless of their seriousness. From April 30 of next year, large entities – those with at least NZD$2 billion (US$1.22 billion) in total assets – will need to report all cyber incidents every six months. Other entities will have to report incidents annually, with their next deadline scheduled for October 30, 2025.

The entities will also need to fill out a periodic survey to assess their own capabilities in managing cyber risks. Large entities will have to submit the survey results to the central bank every year, and other entities every two years.

The bank said it had developed the new reporting requirements with regulatory body the Financial Markets Authority. 

The RBNZ said that cyber risks, whether malicious or non-malicious, can impact financial stability, and that managing such risks was an expanding area of focus within the financial sector.

“As a prudential regulator, it is important the Reserve Bank can adequately understand the nature of cyber risks facing our regulated entities, as well as their ability to respond to cyber incidents,” Kate Le Quesne, director of prudential policy, said in a statement. “Having accurate, timely information is key.” 

The RBNZ received 14 responses in its consultation, which was conducted between May and July of last year. The responses came from financial market organisations, banks, insurance companies, technology companies and one non-bank deposit-taker.

The New Zealand government made efforts to bolster its cyber defences last year by setting up a lead cyber security agency. This involved integrating two existing bodies: the National Cyber Security Centre and the Computer Emergency Response Team.

In 2022, the RBNZ said a cyberattack in January 2021 had breached a file-sharing service it used to share information with external stakeholders. The bank did not reveal details of the affected organisations but estimated the cost of responding to the breach to be around NZ$3.5 million.
