The Reserve Bank has finalised its guidelines for the financial sector on 'cyber resilience', following a consultation process that began in October 2020.
The RBNZ says the guidance outlines its expectations around cyber resilience for the entities it regulates, and draws heavily from leading international and national cybersecurity standards and guidelines. The guidance applies to all entities the Reserve Bank regulates, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures.
The finalised guidance on cyber resilience aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of regulated entities, the RBNZ says.
It says the guidance provides the "baseline-level" of cyber resilience recommendations for entities and, where necessary, also provides recommendations for enhanced-level practices.
"The guidance provides high-level principle-based recommendations for entities and primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions."
The intention, the RBNZ says, is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.
Release of the guidance comes as the central bank continues to deal with the fallout from a very substantial data breach over the Christmas period involving a third-party file-sharing application used by the RBNZ.
RBNZ Deputy Governor and General Manager of Financial Stability Geoff Bascand said the breach was "a timely reminder of the risks associated with managing and sharing information".
As part of the investigation into the breach, the RBNZ appointed KPMG to undertake an independent review of its systems and processes.
"This report is due to be published in early May and we are committed to continuing our own improvements in this area and sharing any relevant lessons with the firms that we regulate," Bascand said.