New Zealand central bank to implement cyber reporting rules through 2024 By Reuters

SYDNEY (Reuters) – New Zealand’s central bank on Monday said banks must report major cyber incidents within 72 hours, as it plans to implement formal cyber reporting requirements in phases through this year.

The move comes after regulated entities supported proposals by the Reserve Bank of New Zealand (RBNZ) on the importance of having access from the central bank to information on cyber resilience.

Having accurate, timely information is key, RBNZ Director of Prudential Policy Kate Le Quesne said in a statement.

RBNZ collaborated closely with New Zealand’s financial markets regulator, the Financial Markets Authority (FMA), to develop shared reporting requirements that can be used for both agencies, Le Quesne said.

“We received useful feedback on ways to simplify and coordinate our processes with other agencies,” Le Quesne said, adding that it was critical that RBNZ adequately understood the nature of risks facing entities and their ability to respond to incidents.

Under the proposed rules, banks must inform RBNZ of all cyber incidents, with large entities required to report all cyber incidents every six months and other entities annually. Self-assessment measures put in place must also be reported.

New Zealand has seen a rise in online break-ins, prompting the government last year to boost its cyber defence by setting up a lead agency to make it easier for the public and businesses to seek help during network intrusions.

RBNZ in 2021 said a cyberattack had breached its data systems and affected a file-sharing service used by the bank to share information with external stakeholders.