New Zealand: Opened Consultation on Cyber Resilience Regulation in the Financial Sector

On 8 May 2023, the Reserve Bank of New Zealand opened a consultation on the Cyber Resilience Regulation in the financial sector. The consultation aims to improve the collection of cyber-related information through a requirement for entities, such as registered banks, deposit takers, and insurers, to report significant cyber incidents to the Reserve Bank as soon as practicable but within 72 hours. Entities are also required to report all cyber incidents to the Reserve Bank, regardless of materiality, with large entities required to report all cyber incidents every six months and other entities annually. In addition, regulated entities are required to conduct a cyber resilience survey. In particular, the regulation requires entities to report to the Reserve Bank on their self-assessment against the Bank's cyber resilience guidance, with large entities required to report annually and other entities every two years. The consultation is part of a three-step approach to support building cyber resilience in regulated entities, to promote a sound and dynamic financial system.