The Reserve Bank of New Zealand (RBNZ) announced plans to introduce formal cyber reporting requirements in stages throughout 2024, mandating banks to report significant cyber incidents within a 72-hour window. This initiative follows supportive feedback from regulated entities regarding proposals by the RBNZ to enhance cyber resilience through better information sharing.
Kate Le Quesne, RBNZ’s Director of Prudential Policy, emphasized the importance of obtaining prompt and accurate information on cyber threats. To achieve this, the RBNZ has been working in conjunction with New Zealand’s Financial Markets Authority (FMA) to establish unified reporting standards that benefit both regulatory bodies.
Feedback from the sector highlighted the need for streamlined processes and better coordination with other agencies. “It’s imperative for us to have a clear understanding of the risks our entities face and their capabilities in managing cybersecurity incidents,” Le Quesne stated.
The upcoming regulations will require banks to notify the RBNZ of any cybersecurity breaches. Larger institutions will need to report all cyber incidents bi-annually, while smaller entities will do so once a year. Additionally, banks will have to submit self-assessments of their cybersecurity measures.
This move reflects New Zealand’s commitment to fortifying its financial sector against the increasing threat of cyber attacks, ensuring the safety and resilience of the country’s banking infrastructure.
