The 22-page document covers what The Reserve Bank – Te Pūtea Matua believes regulated entities should be considering when building cyber resilience and draws heavily from leading international and national cybersecurity standards and guidelines.
The guidance applies to all entities the Reserve Bank regulates, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures.
The finalised guidance aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level.
In a statement, the bank says the guidance provides "high-level principle-based recommendations for entities and primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions".
RBNZ deputy governor and general manager of financial stability, Geoff Bascand, says the intention is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.
"The recent illegal data breach of a third party file sharing application used by the Reserve Bank is a timely reminder of the risks associated with managing and sharing information," Bascand says.
"As part of the investigation into the breach, the bank appointed KPMG to undertake an independent review of its systems and processes.
This report is due to be published in early May and we are committed to continuing our own improvements in this area and sharing any relevant lessons with the firms that we regulate."
According to the recently published guidance document, boards of directors "...should be ultimately responsible for the cyber resilience of an entity".
"The board should ensure that it understands the cyber risk environment faced by the entity. If necessary, the expertise required to understand the cyber risk could be accessed through other experienced in-house staff or external independent organisations."
Guidance on what a cyber resilience strategy should look like is also covered in the document, along with a section on capability building and options for "baseline" resilience and "enhanced" resilience.