2024-11-13
The Reserve Bank of New Zealand and the Financial Markets Authority issued these FAQs to clarify the material cyber incident notification requirement that commenced on 8 April 2024. Regulated entities must report cyber incidents that materially affect, or have the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers within 72 hours, counted from the point at which the incident's materiality is established, using a standard template that can also be submitted to the FMA. The document provides definitions, a three-step classification guide with worked scenarios, and procedural instructions for reporting via the Reserve Bank's BOX secure file transfer service to support industry compliance and risk monitoring.
Material Cyber Incident Notification FAQs November 2024
Introduction

Material cyber incident notifications (MCINs) are one of three cyber resilience reporting requirements¹ and serve to collect information during a material cyber incident. This reporting requirement commenced on 8 April 2024.

This form of data collection aims to guide meaningful discussion between regulators and regulated entities, support monitoring of financial system risk and provide intelligence on the cyber threat landscape.

Entities will notify the Reserve Bank of New Zealand ('RBNZ') of material cyber incidents using the MCIN report template (which can be found here) and can use the same template to report incidents to the Financial Markets Authority ('FMA') (and potentially to other regulatory bodies), thus reducing the reporting burden on entities.

The RBNZ has produced this FAQs document, in consultation with the FMA, to further support industry to meet the data collection requirements.

Questions

Definition
¹ Alongside the periodic cyber incident reporting and the cyber capability survey.
Please refer to the visual guidance below on how to classify a material cyber incident. Please note that this is intended as a guide only. Each instance is different, and RBNZ and FMA are not limited to an entity's self-assessment when assessing whether any decision not to report an instance was reasonable in the circumstances. If you have any questions arising, please contact your RBNZ and FMA supervisor.

Step 1. Has there been an observable occurrence in an information system?
◦ No: It is NOT a cyber event.
◦ Yes: It is a cyber event. Go to Step 2.

Step 2. Does the cyber event adversely affect the cyber security (confidentiality, integrity or availability) of the information or the information system? Note that this applies whether or not the event results from malicious activity.
◦ No: It is NOT a cyber incident.
◦ Yes: It is a cyber incident. Go to Step 3.

Step 3. Does the cyber incident materially affect, or have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers?
◦ No: It is NOT a material cyber incident. All cyber incidents (both material and non-material) must be reported via the template here on a periodic basis.
◦ Yes: It is a material cyber incident. Material cyber incidents must be reported via the template here within 72 hours of detection.
2. If an entity does not have all the information within 72 hours, can it send what it knows and provide an update in Part B as more information becomes available?
Yes. For clarity, the 72 hours begins from the time the materiality of the cyber incident has been established.

3. Should any material technology outage be regarded as material and be included in this?
If it meets the definition of a material cyber incident, then yes, it should be included. Please refer to the visual guidance above and the example in Scenario 1 of the Appendix.

Scope of incidents

4. If a third-party vendor has been attacked, is that a cyber-attack or an internal outage?
This depends on the circumstances and could change during the course of the investigation into the incident (for example, once the cause and impact of the incident are established). The MCIN reporting template is split into three parts (Parts A, B and C) requiring reporting at different stages of the incident's life cycle, which gives entities the flexibility to update the incident during its investigation and following its conclusion.

5. If a third-party provider causes an outage in the bank's systems, does this require reporting?
◦ If the incident meets the definition of a material cyber incident, then yes, it should be reported. Please refer to the visual guidance above.
◦ For completeness, please note that this type of incident would be captured in the periodic incident reporting regardless of materiality.

6. Do attacks at the group level of branches require a report?
For overseas banks or insurers, reporting is limited in scope to New Zealand banking or insurance business, including all relevant information and information systems. If, for example, the group entity in the UK has an incident that affects operations in NZ, the entity will have to report it.

BOX and reporting process

7. For uploads to BOX, will there be a specific "cyber" reporting folder, or do we upload to "ad hoc" reporting?
◦ Yes, there are specific cyber folders in BOX. BOX is a secure file transfer service used to securely send and receive documents with the Reserve Bank.
◦ Alongside the MCIN, the data collection includes periodic incident reporting and a capability survey. Entities should be able to see the following three folders:

BoxFT folder: [Entity] Cyber Material Incident Notification
Purpose: For the template entitled 'Material Cyber Incident Notification Report'

BoxFT folder: [Entity] Cyber Periodic Capability Survey
Purpose: For the survey template entitled 'Cyber Capability Survey'

BoxFT folder: [Entity] Cyber Periodic Incident Report
Purpose: For the template entitled 'Periodic Cyber Incident Report', for reporting of all cyber incidents (material and non-material) on a periodic basis

◦ If you cannot see any of the folders referred to in the table above, or for any other BOX-specific queries, please refer to Reserve Bank's Secure File Transfer Service - BOX - Reserve Bank of New Zealand - Te Pūtea Matua (rbnz.govt.nz) or reach out to your supervisor.

8. For dual-registered² entities, will reporting be done for the subsidiary and for the branch separately?
We give the entity the flexibility to choose. If entities choose to submit together, they should put a remark in the comments box in the sign-off tab. Additionally, if the entities submitted together in the first instance, subsequent submissions from these entities must also be together, for consistency.

9. For notifications, are entities expected to notify only their RBNZ supervisor, or is there anyone else that should be notified?
Entities regulated by the Reserve Bank are expected to notify their RBNZ supervisors; entities that are also regulated by the FMA may have to notify the FMA as well. Entities can notify the FMA via the FMA's online portal and opt to upload RBNZ's notification form. Refer to the FMA's guidance "Notifications of incidents relating to operational resilience of technology systems" (April 2024). It is for the financial institution to determine, in line with the scale and scope of its services, when an event is considered to trigger a notification to the FMA. For queries related to FMA reporting, please contact: operationalresilience@fma.govt.nz.

10. Where an entity determines that there is no material cyber incident and none of Parts A to C are applicable, is any other reporting required?
No, there will not be any additional reports if there is no material cyber incident. However, there may be instances where RBNZ and FMA require entities to provide information on these incidents, for example in cases of widespread public coverage.
² Where an overseas deposit taker operates both a branch and a locally incorporated subsidiary licensed by the RBNZ.
Glossary

Material cyber incident
Definition: An information security incident that materially affects, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.

Relevant definitions for interpretation of the material cyber incident requirement:

Cyber incident
Definition: A cyber event that adversely affects the cyber security of an information system or the information the system processes, stores or transmits, whether resulting from malicious activity or not.
Reference: FSB Cyber Lexicon, April 2023 (updates the definition in the RBNZ Cyber Guidance)

Cyber security
Definition: Preservation of confidentiality, integrity, and availability of information and/or information systems through the cyber medium.
Reference: RBNZ Cyber Guidance

Cyber event
Definition: Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.
Reference: RBNZ Cyber Guidance

Cyber
Definition: Relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data, and information systems.
Reference: RBNZ Cyber Guidance
Appendix

Examples of defining scenarios using the visual guide in the Definition section above.

Scenario 1: An entity has an IT outage which has impacted core banking services, including online banking channels. The entity has classified the incident as a Priority 1 (P1) incident.

Step 1. Has there been an observable occurrence in an information system?
Yes, the entity can observe that core banking services are unavailable. It is a cyber event.

Step 2. Does the cyber event adversely affect the cyber security (confidentiality, integrity or availability) of the information or the information system, whether or not it results from malicious activity?
Yes, the outage has adversely affected the availability of online banking channels. It is a cyber incident.

Step 3. Does the cyber incident materially affect, or have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers?
Yes, the entity has classified the outage as a P1 incident. It is a material cyber incident. Material cyber incidents must be reported via the template here within 72 hours of detection.
Scenario 2: An entity has discovered that one user PC has been encrypted with ransomware. The entity has classified the incident as a P3 incident while investigation continues.

Step 1. Has there been an observable occurrence in an information system?
Yes, the entity can observe that the user PC has been encrypted. It is a cyber event.

Step 2. Does the cyber event adversely affect the cyber security (confidentiality, integrity or availability) of the information or the information system, whether or not it results from malicious activity?
Yes, the ransomware has adversely affected the availability of the information system. It is a cyber incident.

Step 3. Does the cyber incident materially affect, or have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers?
No, the entity has classified the incident as a P3 incident. It is NOT a material cyber incident. All cyber incidents (both material and non-material) must be reported via the template here on a periodic basis.
Note: this position could change if the incident is re-classified and considered material as investigations continue; it would then become a material cyber incident that must be reported via the template here within 72 hours.