The Reserve Bank of New Zealand (RBNZ) has mandated that banks report significant cyber incidents within 72 hours as it introduces a phased implementation of formal cyber reporting requirements this year.
Regulated entities welcomed the RBNZ’s proposals, emphasizing the importance of the central bank having timely access to information on cyber resilience. Kate Le Quesne, the Director of Prudential Policy at RBNZ, highlighted the crucial role of accurate and timely information in managing cyber risks effectively.
RBNZ worked closely with New Zealand’s financial markets regulator, the Financial Markets Authority (FMA), to develop shared reporting requirements applicable to both agencies. Le Quesne stated that valuable feedback was received, contributing to the simplification and coordination of processes with other agencies.
The proposed rules dictate that banks promptly inform RBNZ of all cyber incidents. Large entities are required to report incidents every six months, while other entities must report annually. Additionally, self-assessment measures implemented by these entities need to be reported.
New Zealand witnessed a surge in online security breaches, prompting the government to bolster its cyber defense in 2023 by establishing a lead agency. This initiative aims to facilitate public and business assistance during network intrusions.
In 2021, RBNZ itself fell victim to a cyberattack, compromising its data systems and affecting a file-sharing service utilized for information exchange with external stakeholders. The move to enforce stringent reporting rules reflects the ongoing commitment to bolstering cybersecurity measures across the financial sector in New Zealand.
Comments