RBNZ consults on expansion of cyber breach data collection, new 72-hr reporting window


The Reserve Bank of New Zealand (RBNZ) and fellow New Zealand financial services regulator the Financial Markets Authority (FMA) have called for industry feedback on a proposal to collect more data from regulated entities following cyber breach incidents and to set a strict reporting time frame for material breaches.

The proposal would put in place a requirement for regulated entities to report all material cyber incidents to the RBNZ “as soon as practicable”, but no later than 72 hours after a breach is detected.

This matches an Office of the Australian Information Commissioner (OAIC) requirement for regulated Australian entities to report cyber breaches within a 72-hour window.

A second proposal from the RBNZ would require regulated entities to report all cyber incidents, regardless of materiality, to the Reserve Bank on a periodic basis. Large entities would report every six months, whilst all other entities would be required to submit these reports annually.

The Reserve Bank has also proposed that regulated businesses be required to complete a periodic survey covering an organisation’s cybersecurity capability and resilience.

Questions in the survey would cover concerns around governance (e.g. Is there a dedicated Chief Information Security Officer or senior executive accountable for the cyber resilience strategy?), capability building (e.g. What is the number of critical functions with unacceptable risk levels?), information sharing (e.g. Do you have the capability to share anomalous activities and events detected?), third-party management (e.g. Who are your third party providers of critical functions and what services do they provide?), and resources (e.g. an organisation’s total headcount and headcount of IT personnel).

According to the RBNZ, regular cyber incident reporting will “help fill two gaps”.

“First, it will contribute to a more coordinated response by the RBNZ and other government agencies to cyber-attacks when they do occur. Second, it will improve our understanding of the scale and severity of cyber risk in the financial sector.”

The regulator added: “The survey will improve our understanding of the ability of regulated entities to manage their cyber resilience and the overall level of cyber risk in the financial sector.”

Collection of this data will support a number of important functions:

  • measuring the effectiveness of our cyber resilience policy settings and informing further policy developments;
  • helping guide meaningful discussion between financial regulators and regulated entities;
  • supporting financial system risk monitoring efforts; and
  • providing insights and intelligence on the cyber threat landscape that could be shared with industry, public sector agencies or others.

The proposed changes are also set to bring the RBNZ’s and FMA’s cyber reporting requirements from co-regulated entities into line with one another, enabling a single material incident reporting template to be used for reporting cyber incidents to both the Reserve Bank and the FMA.

“Collection of this information will improve our understanding of cyber resilience in the financial sector. It will also support industry engagement by sharing insights and ultimately enable better responses to cyber incidents,” said the RBNZ’s director of prudential policy, Kate Le Quesne.

NZ’s National Cyber Security Centre (NCSC) detects at least seven cyber intrusions each month affecting one or more nationally significant organisations, including major financial services firms and critical infrastructure providers, according to its last report (covering the 2021/2022 period).

Submissions for the consultation can be emailed to cyberresilience@rbnz.govt.nz, with submissions due by Monday, 3 July 2023.