The Reserve Bank of New Zealand – Te Pūtea Matua is seeking feedback on its proposals for collecting data on financial entities to support cyber resilience.
The ability of cyber attackers to undermine, disrupt, and disable ICT systems used by financial entities was a threat to financial stability, the bank said today.
Service outages could affect individuals, businesses and organisations and lead to a loss of confidence where there was a lack of alternative providers or disruptions between financial entities.
To improve the bank's understanding of cyber risks and resilience in the sector, it has released a consultation paper proposing the collection of data in three areas:
First, a material cyber incident reporting requirement that mandates regulated entities report all material cyber incidents to the Reserve Bank within 72 hours after detection.
Second, the reporting of all cyber incidents, regardless of materiality, on a periodic basis.
Finally, a periodic survey on the cyber resilience of regulated entities based on the Reserve Bank’s cyber resilience guidance.
"Collection of this information will improve our understanding of cyber resilience in the financial sector," said director of prudential policy Kate Le Quesne.
"It will also support industry engagement by sharing insights and ultimately enable better responses to cyber incidents."
The Reserve Bank is working closely with the Financial Markets Authority on cyber data collection. It is therefore proposing its material incident reporting template could be used for reporting to both entities and that information gathered from the proposals would be shared.
This would provide a joined-up approach across regulators and minimise the regulatory burden for regulated businesses.
"We observe that, with some notable exceptions, most successful cyber attacks impacting the financial sector affect one institution and produce limited damage," the consultation says.
"However, a successful attack with enough technical force to disable or disrupt a key institution or spread through the financial system could become a systemic event.
"A significant system failure could have the same effect."
The bank itself was hacked in late 2020, months after it had recognised internally that it was not investing adequately in cyber security.
In May 2021, the bank published guidance for regulated entities on cyber resilience, setting out its expectations on how they could build resilience to help promote a sound and dynamic financial system.