The Reserve Bank – Te Pūtea Matua is today releasing draft guidance on what regulated entities should consider when
managing cyber resilience.
The cyber world has long been recognised as a significant source of operational risk for financial institutions, Deputy
Governor and General Manager of Financial Stability Geoff Bascand says.
The draft guidance, which is open for feedback, outlines the Reserve Bank’s expectations around cyber resilience, and
draws heavily from leading international and national cybersecurity standards and guidelines.
“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability
of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around
the world,” Mr Bascand says.
“Last November we announced an evolution in our policy stance towards taking a more proactive interest in improving the
cyber resilience of the financial sector in New Zealand. The spate of cyber attacks across New Zealand earlier this year
was a reminder of the disruption that they can cause, and shows the importance of taking an increasing proactive role in
improving the cyber resilience of New Zealand’s financial sector.”
The consultation document presents draft cyber risk management guidance which would apply to all entities the Reserve
Bank regulates. This includes registered banks, licensed non-bank deposit takers, licensed insurers and designated
financial market infrastructures. The consultation paper also seeks feedback on how information gathering and sharing by
the Reserve Bank with relevant public sector bodies can help to build cyber resilience.
“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks
to address the cyber risks they face.”
”We recognise that managing cyber resilience is a shared responsibility and that it is important to collaborate and
coordinate with all relevant stakeholders. The proposed guidance and our information collection plans have been designed
to complement the work of other government agencies with a direct interest in promoting cyber resilience in the
financial sector – including the Financial Markets Authority, the National Cyber Security Centre and the Computer
Emergency Response Team.”
The consultation is open for 14 weeks and closes on 29 January 2021. The Reserve Bank will release the final guidance
early next year.More information:Cyber resilience consultation pageReserve Bank Bulletin: Cyber incident cost estimates and the importance of building resilience – February 2020The Reserve Bank’s role in supporting cyber resilience – November 2019