New Zealand Central Bank Announces New 72 Hour Cyber Incident Notification Requirement
New Zealand’s central bank announced that banks must report major cyber incidents within 72 hours. It plans to implement formal cyber reporting requirements over the next year, after regulators supported proposals by the Reserve Bank of New Zealand (RBNZ) stressing the importance of the central bank having access to information on cyber resilience.
Last year, after New Zealand saw a rise in cyber-attacks, the government was motivated to boost its cyber defenses by setting up a lead agency to make it easier for the public and businesses to seek help during network intrusions. Furthermore, RBNZ collaborated with the Financial Markets Authority (FMA), New Zealand’s financial markets regulator, to develop shared reporting requirements that can be used for both agencies.
The following RBNZ cyber resilience reporting requirements will be implemented in phases through 2024:
- Material cyber incident reporting requirement: within 72 hours
- Periodic reporting of all cyber incidents: large entities will be required to report all cyber incidents every six months, and other entities annually
- Self-assessment using the RBNZ’s Guidance on Cyber Resilience: large entities every year and other entities every two years.
Dave Ratner, CEO of HYAS, had this comment:
“Regulations requiring timely reporting are popping up across multiple geographies and verticals, and while they are in general a good thing, the definition of what is and isn’t ‘material’ is often not entirely clear. Nevertheless, for an organization to be in a position to comply with these new regulations, it will require cyber resiliency solutions that are capable of alerting it to the telltale signs of a breach and seeing the initial digital exhaust indicating an attack in progress. Most organizations are likely not prepared today and need to prioritize resiliency in 2024 to ensure that they are.”
Mark B. Cooper, President & Founder of PKI Solutions, follows with this comment:
“With regulators adopting stricter notification requirements, now more than ever, banks need to respond with their own stricter, higher levels of security posture management practices if they’re going to avoid having to report incidents.
“The challenges organizations face are no longer limited to just advanced encryption or identity protection measures; they highlight the critical need for proactive, vigilant monitoring to quickly identify misconfigurations and alert security resources and staff. Prompt remediation is essential to defend against attacks that lead to triggering a notification.”
Requirements like these are a good thing from two perspectives. First, they make sure that no incident is covered up. Second, they will “encourage” organizations to up their game in terms of their cyber defences to make sure that they don’t get pwned. These sorts of requirements need to be put into effect everywhere, as that is one thing that will make us safer.
This entry was posted on March 5, 2024 at 8:40 am and is filed under Commentary with tags Security.