Reserve Bank proposed approach on cyber resilience data collection

30 May 2023

The Reserve Bank of New Zealand (RBNZ) is consulting on how best to collect cyber resilience data and to manage cyber incident reporting. The framework will apply to all RBNZ regulated entities. Submissions are due by 3 July 2023.

Cyber incident reporting

A cyber incident is defined by RBNZ as a cyber event, whether or not resulting from malicious activity, that:

  • Jeopardises the cybersecurity of an information system or the information the system processes, stores or transmits; or
  • Violates the security policies, security procedures or acceptable use policies.

Two forms of reporting are proposed:

  • Mandatory reporting of all material cyber incidents as soon as practicable but no later than 72 hours after detection (these timeframes will also be applied to financial institution licence holders under the upcoming Conduct of Financial Institutions (CoFI) regime); and
  • Periodic reporting of all cyber incidents (material and non-material) on a six-monthly basis for large entities (assets in excess of NZ$2b), annually for all others.

Mandatory reporting

The proposed materiality threshold would capture cyber incidents which:

“materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of its stakeholders such as depositors, policyholders, beneficiaries, other customers, system participants, or more broadly raises prudential concerns.”

This definition is based on the Australian Prudential Regulation Authority’s (APRA) materiality threshold for cyber incident reporting in CPS 234. Using the same threshold would allow regulated entities to align reporting practices across both Australia and New Zealand. Entities will be expected to provide both qualitative and quantitative information on the detection and development of, and the response to, a material cyber incident. The consultation includes a template form for reporting material cyber incidents.

The RBNZ has set out eight factors to guide decision-making around whether an incident should be treated as material. These include, for example, the extent to which the cyber incident could result in financial consequences to the New Zealand financial system or to other financial entities.

The RBNZ proposes regulated entities must report material cyber incidents no later than 72 hours after detection. The consultation document does not define whether the 72-hour timeframe begins on detection by the entity or detection by one of its suppliers. APRA CPS 234 specifically requires reporting no later than 72 hours after the APRA-regulated entity becomes aware of the relevant incident. If the RBNZ’s proposed timeframe begins on detection of the incident by one of the entity’s suppliers, we expect most entities would need to review and renegotiate existing supplier arrangements to build in detection and reporting timelines.

Periodic reporting

The RBNZ plans to develop a standardised approach to periodic reporting, including information on the number, type and impact of all cyber incidents (both material and non-material). The expected reporting periods are on a six-monthly basis for large entities and annually for all others.

Broad regulatory approach

RBNZ is working with the Financial Markets Authority (FMA) to develop a coordinated cyber policy that:

  • Aims to minimise compliance costs;
  • Builds on existing information sharing arrangements; and
  • Imposes certain standardised reporting requirements (such as notification timeframes for material incident reporting).

Cyber capability survey

RBNZ is also developing a template for a periodic self-assessment survey of regulated entities on their cyber resilience capabilities. The frequency of reporting would be annual for large institutions and two-yearly for the rest. 

The draft survey questionnaire is structured around governance, capability building, information sharing and third-party management.

What next?

Consultation on cyber resilience data collection is the second step in a three-step approach being undertaken by the RBNZ to build cyber resilience in the financial sector. The first step was completed in 2021 with the publication of the Guidance on Cyber Resilience, setting best practice expectations for the governance and management of cyber risk by regulated entities. The RBNZ intends to implement the new Cyber Incident Reporting requirements and finalise the Cyber Capability Survey this year.

If you would like more information or assistance with making a submission, please get in touch with one of our experts.