The Reserve Bank of New Zealand (RBNZ) and the Financial Markets Authority (FMA) have recently introduced new cyber resilience reporting requirements for banks, non-bank deposit takers, and insurers. These regulations aim to enhance the financial sector’s ability to respond effectively to cyber threats and incidents. RBNZ Regulated entities need to be aware of and respond to the following reporting deadlines.

The first ‘Cyber Capability Survey‘ is due on 1 October 2024:

RBNZ Regulated entities are required to submit their first ‘Cyber Capability Survey’ which is due on 1 October 2024.

The subsequent submissions for large entities are due exactly 1 year after the due date of the last report, while for other entities, the due date is exactly 2 years after the due date of the last report.

Large entities are entities with total assets of at least NZ$2 billion excluding agency partners in the context of insurance companies while other entities are entities with total assets of less than NZ$2 billion excluding agency partners in the context of insurance companies.

The first ‘Periodic Incident Report‘ is due on 30 April 2025 if:

The entity has total assets of at least NZ$2 billion excluding agency partners in the context of insurance companies, and  must provide periodic reporting on a six-monthly basis thereafter.

Reporting Period:  1 October 2024 to 31 March 2025

The first ‘Periodic Incident Report‘ is due on 30 October 2025 if:

The entity has total assets less than NZ$2 billion excluding agency partners in the context of insurance companies, and  must provide periodic reporting on annually thereafter.

Other entities must report annually, with the first report due on 30 October 2025

Period: from 1 October 2024 to 30 September 2025

We can help your organisation set up the reporting mechanisms and aid in answering the surveys. For further information contact sales@securecom.co.nz or call us on 0800 002 015.