sign up log in
Want to go ad-free? Find out how, here.

Financial institutions must report cyber incidents to the RBNZ; can decide themselves if they're 'material'

Technology / news
Financial institutions must report cyber incidents to the RBNZ; can decide themselves if they're 'material'
Hacker at work

Banks, non-bank deposit takers and insurers will be required to report material cyber incidents to the Reserve Bank (RBNZ), starting April 8 this year.

Entities captured by the requirement have to report incidents to the RBNZ as soon as possible, but within 72 hours, the regulator said. Six-monthly or annual periodic reporting by large entities will also be required, along with self-assessment surveys against the RBNZ Guidance on Cyber Resilience.

Larger entities will have to produce the reports every year whereas smaller ones can do them every two years.

Information will be shared with the Financial Markets Authority (FMA), which the RBNZ has worked closely with on the cyber incident reporting proposals

The RBNZ has left to the institutions themselves to decide what a "material cyber incident" constitutes.

"We have purposely not defined specifically materiality because the nature of what is material for individual regulated entities will vary according to the nature of their business and information technology systems. We consider that a degree of subjectivity is unavoidable," an RBNZ spokesperson told

"The obligation is on the entity to ensure that they sufficiently understand their systems to identify an incident that will/may materially impact their business," the spokesperson added.

New Zealand is aligning with Australia on the reporting requirements, the spokesperson confirmed.

"Our approach is also consistent with that undertaken by APRA [the Australian Prudential Regulation Authority]."

"We have sought close alignment given the close nature of our respective financial systems to reduce unnecessary differences in regulatory approaches. This means our approach is familiar to many entities operating in New Zealand." the RBNZ spokesperson said.

The reporting requirements follow a round of submissions to the RBNZ, and a plan devised by Basel, Switzerland-based Financial Stability Board in April last year, to mitigate an increasing number of cyber incidents.

The RBNZ itself was the subject of a data breach in late 2020, with unknown attackers abusing the Accellion file transfer application which was used to share sensitive information by banks.

Financial institutions are increasingly targeted by hackers. Ross McEwan, the chief executive of National Australia Bank (NAB), the parent of BNZ, said in October 2022 that NAB experienced over 50 million attacks a month on its digital channels.

Richard Massey and Jaimee Miller of law firm Bell Gully note in their reading of the new rules that the definitions introduced are broad, and regulated entities may face challenges in applying them in practice.

"For example, it remains unclear if a cyber incident that results in only a brief and temporary disruption to services, but is quickly resolved, can be 'material'," the lawyers said.

Getting it wrong when it comes to reporting incidents could be costly for the entities the rules capture, however.

Although the RBNZ's paper is silent on enforcement, Bell Gully said the central bank requires the reports under its information gathering powers as set out in existing legislation.

Failing to supply information under those provisions can trigger penalties of up to $1 million under the Banking (Prudential Supervision) Act 1989, or $500,00 under the Insurance (Prudential Supervision) Act 2010.

Entities may be required to notify up to three authorities of incidents and breaches as well. The RBNZ has prepared a "material cyber incidents" template, a spreadsheet, that can be used for reports to the FMA as well.

However, the two agencies have different thresholds for reporting, Bell Gully said.

"This means that regulated entities will need to consider whether to report to the RBNZ, or the FMA, or both, depending on the nature of the incident," Bell Gully advised.

The Office of the Privacy Commissioner (OPC) may require notification too, if a breach involves personally sensitive information and is likely to cause serious harm to affected individuals, under the Privacy Act of 2020.

Failure to notice the OPC carries a far lower penalty of just $10,000.

Incident reports won't be made public

The Reserve Bank also confirmed that the incident reports will kept confidential.

"The material incident reports will not be made public. This is confidential information intended to support the Reserve Bank’s prudential supervision of regulated entities," the RBNZ spokesperson said.

Likewise, individual surveys will not be made public.

"The primary purpose of the surveys is to support the Reserve Bank’s understanding of cyber risk in the financial sector and the cyber resilience capability of regulated entities," the spokesperson said.

"It is possible that aggregated, anonymised data, may be used in public reporting to support understanding of cyber risk in the financial sector," the spokesperson added.

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.


Everyone knows if you ask the industry to self regulate and report it never gets done. Even with knowledge of the governance in these companies many have actually asked payment providers if they can access & store information illegally they had no rights to. So not only will they never honesty report given their own leeway in a high trust system even more information misuse occurs, security and customer access to control their own data is left to get worse.

Sadly ethical practices are heavily discouraged within the organizations and in the industry itself. So only an incredible fool or extremely malicious person would suggest self assessments and leaving the institutions themselves to decide what a "material cyber incident" constitutes. Using Hanlon's razor the most likely case is those in the RBNZ are incredibly ignorant of the technology and the industry practices (and very commonly known flaws that are widely reported in tech & information security sites).

NZ actually has a very well established information security organization but no RBNZ staff ever turn up, they never attend or read reports so it is clear who is feeding them the policy advice. It is certainly not anyone with experience on information security & privacy, (or even just basic good governance). When even Jacinda Ardern can get a job as a tech governance "expert" with zero qualifications or education in the matter, and even less experience it is clear how far NZ & international standards have dropped over time.



When things go wrong at banks, they coverup by offering a few thousand $$$ as compensation but you're never allowed to speak to anyone about the incident. In essence, your silence is bought. My expectation is the banks will only self report major incidences that they can't coverup and will fight tooth and nail against admitting liability and/or paying compensation. So, in a nutshell, nothing much will change.


re ... "Larger entities will have to produce the reports every year whereas smaller ones can do them biannually."

Biannually? The word can mean either every six months (more common) or once every two years. From the context I assume every two years.

I'd expect smaller entities to be more exposed albeit a breach may have lesser impacts. I expect there's a cost to producing these reports but standard ITIL practice is to keep a log of all such incidents so surely the cost would be minimal? Seems about face to me.

Or are the smaller entities so far down the capability maturity model that such ITIL practices aren't in place? If so, that's a far bigger worry.

More on the capability maturity model (basically, it's a model that describes how much investment has been made in the systems being used and can be used when valuing an entity's 'systems').


It's every two years. Will edit for clarity.