Contents
Implementation of the new cyber resilience reporting requirements to apply to Reserve Bank of New Zealand (RBNZ) regulated financial institutions will begin on Monday, 8 April with the roll out of the Material Cyber Incident Notification Report Template (accessible here).
The other elements of the new cyber resilience reporting framework – the periodic reporting of all cyber incidents and periodic cyber capability surveys – will commence on 1 October 2024.
The RBNZ consulted last year on these information reporting proposals, mandated under the RBNZ’s general information gathering powers for banks, non-bank deposit takers and insurers.
It has now published its response to the submissions received. We summarise the key decisions.
Mandatory cyber incident reporting
Mandatory material cyber incident reports must be filed with the RBNZ within 72 hours of being detected. In response to submissions seeking clarification on what is required, RBNZ has provided the following detail.
The definition of “cyber incident” in the report template has been updated to reflect changes to the cyber lexicon of the Financial Stability Board (FSB) since the RBNZ’s Cyber Resilience Guide was first published. The “material cyber incident” definition has also been updated and now more closely aligns to APRA’s definition, although we note that APRA uses the term “information security incident”).
In response to other submissions on what constitutes a "material cyber incident", the RBNZ notes that:
- the definition in the report template has not been amended to align to the Financial Markets Authority (FMA) definition on the basis that RBNZ’s and FMA’s objectives differ slightly.
- the reference in the definition to “the extent to which the cyber incident could result in financial consequences to the New Zealand financial system or to other financial entities” has been retained as it is considered necessary.
- the guidance on assessing materiality of an incident (set out on page 11 of the consultation document) has been drawn from the RBNZ’s approach to breach reporting for registered banks so is not new. It may contain some imprecision and the thresholds may at times be subjective but RBNZ’s view is that this cannot be avoided.
In terms of the 72-hour timeframe for reporting, “detection” occurs when the materiality of the cyber incident has been established, and the 72-hour period is consecutive and includes non-business hours, public holidays and weekends.
Initial material incident reports may have incomplete information, the emphasis should be on contacting supervisors as soon as practicable.
The frequency and timing of update reports (provided for in Part B of the material incidents report template) will vary through the course of an incident, but the RBNZ expects to be kept regularly informed. The template has been updated with further instructions in this regard.
Other template amendments provide more flexibility, remove some repeated questions, insert additional definitions and guidance for completion of the report, allow for text to be copied from one part to another, and provide for changes in the severity of the incident to be indicated in update reports.
The template report can also be used for reporting material operational incidents and to meet the FMA’s reporting requirements for events that materially impact the operational resilience of critical technology systems.
Reports are to be submitted using RBNZ’s secure file transfer services. Entities may contact their supervisors when providing updates, but all three parts of the reporting template have been retained.
Periodic cyber incident reporting
Overarching concerns raised in relation to the periodic cyber incident reporting proposals were:
- The cost of compliance (and the risk that this might distract resources away from material cyber-incidents); and
- The requirement to collect “low-level” information, which is not aligned with international data collection practices, including APRA, and is redundant as the data is already collected by CERT NZ and NCSC.
Despite these objections, the RBNZ has decided to maintain the requirement on the basis that it will provide a broader understanding of cyber risk in the financial sector (including the nature and volume of non-material incidents).
The reporting frequency has been maintained at six months for “large entities” (total assets -excluding agency partners in the case of insurance companies - of over $2 billion) and at 12 months for others.
Periodic cyber capability survey
The RBNZ considers this will be an important tool to assist its understanding of the approach entities are taking toward evolving cyber risk, but it has sought to ease compliance by removing some numeric response questions and amending the survey format to better align with the RBNZ Cyber Resilience Guidance.
Entities can complete and submit their survey when they choose, ahead of the applicable annual or bi-annual deadline (with the assessment period being the prior 12 months for large entities and the prior 24 months for other entities).
Information sharing and other policies
Many submitters were concerned about the security of their data. The RBNZ has given an assurance that any new technology capability will have appropriate security controls and that information will only be shared for a proper purpose.
Next steps
Failure to comply with the new reporting requirements will be an offence punishable by fines (for banks and NBDTs) of up to $1m and up to $500,000 for licensed insurers), with lesser fines or imprisonment for individuals.
In addition to preparing for material cyber incident reporting from 8 April, entities should be working now to ensure they have in place the systems, processes and resources necessary to gather and record, in an easily accessible form, the required information for inclusion in:
- annual (for large entities) and bi-annual (for other entities) periodic cyber capability surveys, the first one of which is due on 1 October 2024; and
- periodic cyber incident reports for periods commencing 1 October 2024. For large entities, the first of these (for the six months from 1 October 2024 to 31 March 2025) is due by 30 April 2025. For others (covering the twelve months to 30 September 2025) the first survey due date is 30 October 2025.
If you would like assistance with your preparations for compliance with the RBNZ cyber reporting regime, please get in touch with one of our experts.
Related article: Reserve Bank proposed approach on cyber resilience data collection
