Cybersecurity update: new reporting obligations for financial sector

The new rules include requirements to report “material cyber incidents” to the RBNZ as soon as practicable (and within 72 hours). They also require periodic reporting of all cyber incidents, whether or not material, and a “self-assessment” survey. This adds to a crowded field of similar existing obligations – including reporting of “notifiable privacy breaches” under the Privacy Act, and reporting of “cyber security events” to the FMA under the new conduct regime.

What are the new rules?

The RBNZ’s new rules fall into three categories.

1. Material Cyber Incident Reporting

Regulated entities must report “material cyber incidents” as soon as possible and within 72 hours of detection. The relevant template report issued by the RBNZ consists of three parts: an initial report; an incident update; and “post-incident” conclusions. The obligation to submit material cyber incident reports starts on 8 April 2024. It will therefore be important for regulated entities to act quickly in integrating these new requirements into their broader cyber defence strategies and incident response plans.
The RBNZ has defined “Cyber Incident” as a “cyber event that adversely affects the cyber security of an information system or the information the system processes, stores or transmits whether resulting from malicious activity or not.” A Cyber Incident is “material” if it has “materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.”
These definitions are broad and regulated entities may face challenges in applying them in practice, notwithstanding brief comments in the RBNZ’s summary of key decisions (here) and the prior 2023 consultation paper. For example, it remains unclear whether a cyber incident that results in only a brief and temporary disruption to services, but is quickly resolved, can be “material.”

2. Periodic Reporting of All Incidents

The “Periodic” Cyber Incident Report will be used to inform the RBNZ’s understanding of cyber risk impacting the financial sector beyond material incidents.
Different standards apply to “large” entities (those with total assets of at least NZ$2 billion) who must provide periodic reporting on a six-monthly basis, with the first report due on 30 April 2025 (for the period from 1 October 2024 to 31 March 2025). Other entities must report annually, with the first report due on 30 October 2025 (covering the period from 1 October 2024 to 30 September 2025).
The questions in the form are relatively detailed and cover, for example, the total number of cyber incidents experienced during the reporting period, how many were material, and a breakdown by type (e.g. phishing, scams, malware, etc.) among other details. In addition, the forms require that “if possible” entities provide an estimate of the total number of clients impacted by the reported cyber incidents.

3. Surveys on Cyber Resilience

Regulated entities must complete a “Cyber Capability Survey”, to assist RBNZ in collecting information on the cyber resilience capabilities of regulated entities.
The questions in the survey cover four main topics:

1. Governance (i.e., board and senior management responsibilities, cyber resilience strategy and corporate culture and awareness);
2. Capability building (i.e., the entity’s ability to identify critical functions, protect systems and information, detect risks and respond to incidents);
3. Information sharing practices (i.e. processes and channels); and
4. Third-party management (i.e. the entity’s capability to mitigate the risks associated with engaging third-party service providers).

The first survey is due on 1 October 2024. Large entities must report annually, whereas other entities must report every two years.

How does this relate to other notification requirements?

Under the Financial Markets (Conduct of Institutions) Amendment Act 2022 (COFI) one of the standard licensing conditions requires each licensed entity to “make sure that their critical technology systems are operationally resilient” and provides that if it suffers “an event that materially affects the supply of its service, it must notify the FMA as soon as possible, or no later than 72 hours after it has determined the event is a material incident.”

Helpfully, the RBNZ has confirmed that its new template report for “material cyber incidents” can also be used to submit information to the FMA. However, the thresholds for reporting to the RBNZ and the FMA are not identical. This means that regulated entities will need to consider whether to report to the RBNZ, or the FMA, or both, depending on the nature of the incident.

In addition, if the breach involves personal information and is likely to cause “serious harm” to affected individuals, it will likely require notification to the Office of the Privacy Commissioner under the Privacy Act 2020.

What are the consequences of breach?

The RBNZ’s paper is silent on enforcement. However, it does state that the reports will be required under the RBNZ’s information-gathering powers under existing legislation.¹ Failing to supply information under those provisions can trigger significant statutory penalties (up to NZ$1 million under the Banking (Prudential Supervision) Act 1989, or NZ$500,000 under the Insurance (Prudential Supervision) Act 2010). That is a material potential liability when compared to current penalties for a failure to report a notifiable privacy breach (NZ$10,000 under the Privacy Act).

What should regulated entities be doing now?

To prepare for the new cyber resilience reporting requirements, regulated entities should:

Familiarise themselves with the RBNZ’s template reports which are available here (particularly the “Material Cyber Incident” Report).
Establish clear internal criteria for what will constitute “material cyber incidents” and “cyber incidents” and update current cyber defence strategies and incident response plans to include the new reporting obligations.
Identify relevant sources of information required for periodic reporting (ahead of the first reporting period commencing 1 October 2024).
Arrange internal training for relevant stakeholders on the processes and information required to populate the reports and surveys.

Bell Gully’s Consumer, Regulatory and Compliance (CRC) team have been closely monitoring these developments. If you would like further details on the new cyber resilience reporting requirements, or assistance in preparing for the changes, please get in touch with the authors or your usual Bell Gully adviser.

^[1] For Registered banks: Section 93 of the Banking (Prudential Supervision) Act 1989; for Licensed insurers: Section 121 of the Insurance (Prudential Supervision) Act 2010; For Licensed NBDTs: Section 47 of the Non-bank Deposit Takers Act 2013; and in all cases: Section 262 of the Reserve Bank of New Zealand Act 2021.

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.