The Reserve Bank of New Zealand (RBNZ) and the Financial Markets Authority (FMA) have recently introduced new cyber resilience reporting requirements for banks, non-bank deposit takers, and insurers. These regulations aim to enhance the financial sector’s ability to respond effectively to cyber threats and incidents. The key points of these new requirements are listed below, but the main take-away is that if you fall under the jurisdiction of the RBNZ or FMA, your reporting requirements and expected cyber resiliency will be much more robust. To help you navigate these requirements and to set you up to comply, we have worked with representative from the Financial Services industry to develop a concise and cost-effective consulting package. Aimed at mid-market financial services organisations, and with an expected duration of 3-4 weeks, we’ll review the requirements as they relate to your organisation, including the relevant internal processes and documentation, and provide tangible recommendations for any improvements. If you’re a mid-market organisation that falls under the RBNZ or FMA, get in touch for a no-obligation discussion.

Key Points

  1. Material Cyber Incidents Reporting:
  • Regulated entities must report “material cyber incidents” to the RBNZ as soon as practicable (and within 72 hours).
  • The reporting requirements came into effect on April 8, 2024.
  • Entities need to submit an initial report, an incident update, and post-incident conclusions.
  • “Cyber Incident” is defined as an event that adversely affects the cyber security of an information system or the information the system processes, stores, or transmits, whether resulting from malicious activity or not.
  • A Cyber Incident is considered “material” if it has materially affected or had the potential to materially affect the entity or the interests of depositors, policyholders, beneficiaries, or other customers.
  1. Periodic Reporting:
  • All cyber incidents, whether material or not, must be periodically reported.
  • Large entities (with total assets of at least NZ$2 billion) must report every six months, while other entities report annually.
  1. Challenges and Definitions:
  • Regulated entities may face challenges in applying these definitions in practice.
  • Determining whether a brief and temporary disruption to services qualifies as “material” can be complex.


The new reporting obligations are a significant step toward strengthening New Zealand’s financial sector’s cyber resilience. Entities must now be vigilant in monitoring and reporting cyber incidents promptly to ensure the safety and security of their operations and customer data.

For further information contact or call us on 0800 002 015.