The Reserve Bank of New Zealand (RBNZ) added new reporting requirements for its member banks to follow if they suffer a material cyber incident and for all types of cyberattacks.
In a press release issued March 4, the RBNZ said it will be building the cyber resiliency of the country’s banking system by implementing three new reporting requirements, in phases, over the course of the year.
The first is a requirement for member banks to report material cyber incidents “as soon as practicable” but within 72 hours.
The second is a requirement to report all cyber incidents to the regulator—regardless of materiality—every six months for large entities and annually for other entities.
Lastly, member banks will be required to provide a self-assessment on their progress against the RBNZ’s guidance on cyber resilience. Large banks must submit the self-assessment once a year; for other entities, every two years.
“As a prudential regulator, it is important the Reserve Bank can adequately understand the nature of cyber risks facing our regulated entities, as well as their ability to respond to cyber incidents,” the press release said. Kate Le Quesne, director of prudential policy at the RBNZ, added that having accurate, timely information regarding material cyber incidents is key.
The new cyber incident reporting requirements are in addition to reporting requirements already in place for banks doing business in New Zealand.
All registered banks operating in New Zealand are required by law to publish a disclosure statement twice a year. The disclosure requirements are administered by the RBNZ. The disclosure statements help to strengthen incentives to maintain sound banking practices and aid depositors and other investors in making well-informed decisions on where to put their money, the RBNZ said.
In the United States, the Securities and Exchange Commission recently passed a rule that all public companies must report cybersecurity incidents deemed to be material within four business days of that determination.
In the United Kingdom, the Department for Science, Innovation, and Technology proposed the creation of a U.K. cyber governance code, which could include reporting mechanisms for cyber incidents.
No comments yet