Description

Adopted Cyber Resilience Reporting Requirements

On 4 March 2024, the Reserve Bank of New Zealand made changes to cyber resilience reporting requirements following a public consultation. Entities, such as registered banks, deposit takers, and insurers, are required to report significant cyber incidents to the Reserve Bank as soon as practicable but within 72 hours. Entities are also required to report all cyber incidents to the Reserve Bank, regardless of materiality, with large entities required to report all cyber incidents every six months and other entities annually. In addition, regulated entities are required to conduct a cyber resilience survey. In particular, the regulation requires entities to report to the Reserve Bank on their self-assessment against the Bank's cyber resilience guidance, with large entities required to report annually and other entities every two years. The Reserve Bank of New Zealand has issued new templates to comply with the new requirements. The requirement to report material cyber incidents, periodic reporting of all cyber incidents, and surveys of the cyber resilience of regulated entities will be implemented in phases through 2024.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: central bank

Complete timeline of this policy change

2023-05-08
in consultation

On 8 May 2023, the Reserve Bank of New Zealand opened a consultation on the Cyber Resilience Regula…

2023-07-03
processing consultation

On 3 July 2023, the Reserve Bank of New Zealand closed the consultation on the Cyber Resilience Reg…

2024-03-04
adopted

On 4 March 2024, the Reserve Bank of New Zealand made changes to cyber resilience reporting require…