The Reserve Bank – Te Pūtea Matua has finalised its guidance on what regulated entities should consider when building
their cyber resilience.
The guidance outlines the Reserve Bank’s expectations around cyber resilience, and draws heavily from leading
international and national cybersecurity standards and guidelines. The guidance applies to all entities the Reserve Bank
regulates, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial
The finalised guidance on cyber resilience aims to raise awareness of, and ultimately promote, the cyber resilience of
the financial sector, especially at the board and senior management level of regulated entities.
The guidance provides high-level principle-based recommendations for entities and primarily serves as an overarching
framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and
technologies, rather than as an explicitly detailed or technical set of instructions.
The intention is to illustrate current best practice and encourage continual improvement beyond these practices into all
areas where entities can further strengthen their cyber resilience.
The recent illegal data breach of a third-party file-sharing application used by the Reserve Bank is a timely reminder
of the risks associated with managing and sharing information, Deputy Governor and General Manager of Financial
Stability Geoff Bascand says.
As part of the investigation into the breach the Bank appointed KPMG to undertake an independent review of its systems
and processes. This report is due to be published in early May and we are committed to continuing our own improvements
in this area and sharing any relevant lessons with the firms that we regulate.

More information:
Guidance on Cyber Resilience
Summary of submissions: Risk management guidance on cyber resilience and views on information gathering and sharing
Reserve Bank releases guidance to help build cyber resilience – October 2020