RBNZ – Guidance on Cyber Resilience – 1 May 2021

On 1 May 2021, the RBNZ released the final version of its guidance on cyber resilience for its regulated entities came into effect.

This guidance has been designed to set out the Reserve Bank of New Zealand’s expectations for its regulated entities regarding cyber resilience. It aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of entities. It applies to all entities regulated by the Reserve Bank, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures.

This guidance draws upon leading international and national cybersecurity standards and guidelines and is intended to provide high-level principle-based recommendations for entities. This guidance primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions.

The principle of proportionality applies throughout this guidance. This guidance should be employed in a manner proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity and risk profile of its products and services. This guidance provides the baseline-level of cyber resilience recommendations for entities and, where necessary, also provides recommendations for enhanced-level practices. This list of baseline, and enhanced, level practices is not intended to be exhaustive. The intention is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.

In most cases, this guidance does not specify the frequency of actions that an entity should take. Entities should assess their cyber risk tolerance, set their cyber risk appetite and ensure their cyber risk mitigation efforts are commensurate with the cyber risk they face.

This guidance has not been designed as a checklist for cyber resilience minimum requirements. Instead, entities should design and develop their own cyber resilience framework that adequately addresses the specific cyber threats they individually face. Entities that require more detailed guidance on specific aspects of cyber resilience should refer to the guidance and frameworks developed by New Zealand’s cybersecurity agencies (for example, the New Zealand Information Security Manual (NZISM)) and international organisations. The Annex provide a list of well-known cyber resilience frameworks entities may refer to.

Read the report here:


Access more information about the NIST Cybersecurity framework here: