FMA + RBNZ Cyber-Resilience Expectations — Obligations and Insurance for NZ Financial Firms
Published 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)
NZ financial-services firms face cyber-resilience expectations from two primary regulators. The Financial Markets Authority (FMA) supervises licensed financial-advice providers (FAPs), licensed fund managers, licensed DIMS providers, licensed peer-to-peer and crowdfunding platforms, and licensed derivative issuers. The Reserve Bank of New Zealand (RBNZ) supervises registered banks, non-bank deposit takers (NBDTs), and licensed insurers. Both regulators have published cyber-resilience guidance setting expectations on board-level governance, operational resilience, and incident management. This guide maps those obligations to specific cyber-insurance policy responses — what the policy pays for, and where the gaps usually sit for NZ-licensed firms.
FMA cyber-resilience expectations
For FMA-supervised firms, cyber-resilience expectations sit within the broader licensing-conditions framework. FMA-licensed FAPs (under the Financial Markets Conduct Act 2013) must have systems and controls reasonably sufficient to comply with their statutory duties — and increasingly, FMA has signalled that "reasonable" includes cyber-resilience proportionate to the firm's size and customer-data exposure.
The published FMA expectations cover:
- Board and management oversight — cyber risk is treated as a business risk, not just an IT risk; board-level visibility on the firm's cyber posture and known weaknesses.
- Customer-data protection — financial firms handle particularly sensitive data (financial position, identity documents, investment portfolios). FMA expects controls proportionate to this sensitivity, including access controls, encryption-in-transit and at-rest, and clear data-handling policies.
- Third-party / supply-chain risk management — many NZ financial firms outsource technology (cloud, CRM, custody, transaction processing). FMA expects due-diligence on outsourcers and contractual protections that flow regulatory expectations down.
- Incident response and reporting — clear plans for detection, containment, and external communication. FMA expects licensed firms to notify the FMA of significant cyber incidents that affect their licensed activities.
- Business continuity — cyber events sit alongside natural-disaster events in the BCP framework. FMA wants to see scenarios that include cyber-driven outages of critical systems.
None of these are prescriptive standards (FMA hasn't published a tick-list); they are principles-based expectations communicated through guidance, monitoring activity, and licensing-condition conversations.
RBNZ cyber-resilience expectations
For RBNZ-supervised entities, cyber-resilience expectations are more formalised because the prudential consequences of cyber events are larger (deposit-taker continuity, insurer solvency, payment-system stability). RBNZ's cyber-resilience guidance covers:
- Cyber-resilience guidance applying to all RBNZ-regulated entities (registered banks, NBDTs, licensed insurers, financial market infrastructures), covering governance, identification and assessment, protection, detection, response and recovery, and learning. Entities are expected to be able to evidence each capability area to RBNZ on a periodic basis, with depth proportionate to their size and systemic importance.
- Incident reporting — RBNZ-regulated entities are expected to report material cyber incidents to RBNZ promptly. The materiality threshold considers severity, customer impact, and operational continuity. RBNZ has since formalised its cyber incident reporting requirements; confirm the current threshold and reporting deadline that applies to your entity class rather than relying on the general "promptly" language.
- Cyber stress testing — for systemically important entities, RBNZ may require participation in cyber-stress-testing exercises (sometimes joint with Australian counterparts).
- Supervisory expectations on licensed insurers — under IPSA (Insurance (Prudential Supervision) Act 2010), licensed insurers must maintain sound governance, including cyber-risk governance. Cyber-risk capital expectations are evolving.
RBNZ's approach is more prudential than FMA's — driven by financial-stability concerns rather than market-conduct concerns. For most NZ financial firms (FAPs, fund managers, smaller NBDTs, smaller insurers), FMA's market-conduct lens is the dominant one; for banks and large insurers, RBNZ's prudential lens dominates.
Privacy Act 2020 — the cross-cutting obligation
On top of FMA and RBNZ expectations, all NZ financial firms are subject to the Privacy Act 2020. The mandatory notifiable-privacy-breach regime in Part 6 of the Act (notification to the Privacy Commissioner and to affected individuals where a breach has caused, or is likely to cause, serious harm) applies regardless of FMA or RBNZ regulation. For financial firms, this means a cyber incident that exposes customer personal information triggers a Privacy Commissioner notification process in parallel with any FMA or RBNZ reporting.
The interaction matters because the regulators have different concerns and timelines. The Privacy Commissioner cares about affected individuals and remediation. FMA cares about market conduct, licensing-condition compliance, and customer outcomes. RBNZ cares about financial-stability impact and prudential-resilience evidence. A material cyber incident at a licensed firm can trigger engagement with two or three regulators at the same time, each asking different questions.
How cyber insurance responds to regulator obligations
A well-structured cyber insurance policy for a licensed financial firm will pay for:
Regulatory defence and engagement
Most NZ cyber wordings include a regulatory defence coverage section that pays for legal advice and representation in front of regulators following a covered cyber event. The scope is typically:
- Privacy Commissioner engagement (notification preparation, response to formal information requests, defence in Privacy Commissioner investigations and complaints arising from the breach)
- FMA engagement (notification of material incidents, response to monitoring information requests, defence if licensing conditions are tested)
- RBNZ engagement (incident reporting, defence in supervisory follow-up)
Sub-limits matter here. Some NZ cyber wordings cap regulatory defence at a sub-limit well below the policy aggregate; if your business has material regulator exposure, ask specifically what sub-limit applies and whether it's separate from the breach-response sub-limit.
Forensic investigation
Both FMA and RBNZ will ask "what happened, what data was accessed, what's the scope of impact?". Answering those questions requires a credible forensic investigation. Cyber insurance pays for insurer-panel forensics firms — your insurer's pre-arranged forensic vendor list. Forensic spend is typically the largest single line on a cyber claim, varying widely by incident complexity.
Communications and crisis management
For a financial firm, public confidence is a real asset. Crisis-management coverage pays for PR firms to coordinate customer communications, media engagement, and reputational protection. Sub-limits vary by wording — check your policy's specific cap and whether it can be increased on negotiation.
Business interruption
For RBNZ-supervised entities particularly, operational continuity matters prudentially. Cyber business-interruption coverage pays for lost income during a covered cyber-event-driven outage. Key things to check on your wording:
- Waiting period (a time-based retention: hours after the outage begins before BI cover responds, often 8-24 hours). Check whether loss during the waiting period is deducted from the claim or whether the waiting period only has to be exceeded for cover to run from the start of the outage; wordings differ and the difference is material on short outages.
- Indemnity period (the maximum period over which BI loss is paid, often 6-12 months; a longer outage is uncovered beyond it)
- Whether dependent-business outages are covered (your critical vendor goes down, not just you)
- Whether the policy includes a contingent business interruption sub-limit for these scenarios
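The four checks above interact, and the interaction is where a BI claim quietly shrinks. The following is an added worked example (not from the original page, and not any insurer's wording): a small calculator that applies a waiting period, an indemnity period, the BI sub-limit and a contingent-BI sub-limit to a constructed outage. All figures are made up, the 730-hours-per-month conversion is a simplification, and the `waiting_is_deductible` flag is an assumption you must resolve against your own policy wording.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BiTerms:
    """Constructed BI terms; nothing here is a real policy."""
    waiting_hours: float            # time-based retention before cover responds
    indemnity_months: float         # maximum period over which loss is paid
    sublimit: float                 # BI sub-limit for the firm's own outage
    contingent_bi_sublimit: float = 0.0   # 0 means dependent-business outages are not covered
    waiting_is_deductible: bool = True    # ASSUMPTION: True = loss during waiting period is never paid;
                                          # False = waiting period only has to be exceeded


HOURS_PER_MONTH = 730  # simplification: 365 * 24 / 12


def bi_recovery(terms: BiTerms, outage_hours: float, hourly_loss: float,
                dependent_outage: bool = False) -> tuple[float, float]:
    """Return (recovered, uncovered) dollars for one outage.

    dependent_outage=True models the critical-vendor-goes-down case, which
    only responds if the wording carries a contingent BI sub-limit.
    """
    total_loss = outage_hours * hourly_loss

    # Dependent-business outage with no contingent BI extension: nothing responds.
    if dependent_outage and terms.contingent_bi_sublimit <= 0:
        return 0.0, total_loss

    # Outage never clears the waiting period: nothing responds.
    if outage_hours <= terms.waiting_hours:
        return 0.0, total_loss

    # Hours the policy will look at: capped by the indemnity period.
    covered_hours = min(outage_hours, terms.indemnity_months * HOURS_PER_MONTH)

    # Time-deductible wordings never pay the hours inside the waiting period.
    if terms.waiting_is_deductible:
        covered_hours -= terms.waiting_hours

    cap = terms.contingent_bi_sublimit if dependent_outage else terms.sublimit
    recovered = min(covered_hours * hourly_loss, cap)
    return recovered, total_loss - recovered


def coverage_gap_report(terms: BiTerms, hourly_loss: float) -> dict[str, tuple[float, float]]:
    """Run a few constructed scenarios so the sub-limit interactions are visible."""
    return {
        "10h own outage (inside waiting period)": bi_recovery(terms, 10, hourly_loss),
        "60h own outage": bi_recovery(terms, 60, hourly_loss),
        "300h own outage (hits sub-limit)": bi_recovery(terms, 300, hourly_loss),
        "5000h own outage (beyond indemnity period)": bi_recovery(terms, 5000, hourly_loss),
        "60h critical-vendor outage": bi_recovery(terms, 60, hourly_loss, dependent_outage=True),
    }


if __name__ == "__main__":
    # Constructed terms: 12h waiting period, 6-month indemnity, $1M BI sub-limit, $250k contingent BI.
    terms = BiTerms(waiting_hours=12, indemnity_months=6, sublimit=1_000_000,
                    contingent_bi_sublimit=250_000)
    for scenario, (paid, gap) in coverage_gap_report(terms, hourly_loss=5_000).items():
        print(f"{scenario:45s} paid ${paid:>12,.0f}   uncovered ${gap:>12,.0f}")
```

Running it with the constructed terms shows the pattern the checklist is pointing at: the short outage pays nothing, the medium outage pays but loses the waiting-period hours, the long outage is capped by the sub-limit well below actual loss, and the vendor outage is paid only because a contingent BI sub-limit exists at all (set it to zero and the line drops to nothing). Swap `waiting_is_deductible` to `False` and compare the 60-hour line to see why that clause is worth reading.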
Cyber crime — the most common gap
"Cyber crime" coverage — for fraudulent funds transfer, social engineering, invoice manipulation — is the coverage most often missing or sub-limited well below the financial-firm's exposure. Financial firms handle large outbound and inbound transfers; a single successful BEC or wire-fraud event can be in the high six figures. Standard cyber-policy crime extensions typically sit well below the realistic exposure for a firm with material payment flows. Stack with a standalone crime policy if needed — see our companion guide on social-engineering coverage for the typical structure.
Particular considerations by firm type
Financial Advice Providers (FAPs)
FAPs typically have moderate customer-data exposure (KYC documents, financial position, beneficiary data) and lower transaction-volume than fund managers. Cyber wording priorities: regulatory defence (FMA + Privacy Commissioner), forensic investigation, breach response. Cyber-crime sub-limit matters less unless the FAP handles client money or facilitates transactions directly. Aggregate limit of $1M-$5M is typical for NZ FAPs.
Licensed fund managers and DIMS providers
Higher customer-data exposure (full investment-portfolio data, identity documents) and higher financial-systems integration. Cyber wording priorities: forensic investigation, regulatory defence, business interruption (a custodian outage matters), cyber crime (custody-related transfer fraud), and supply-chain coverage (custodian and platform provider risk). Aggregate limit often $5M-$25M depending on funds under management.
Banks and NBDTs
RBNZ prudential supervision dominates. Cyber resilience is part of the prudential capital and governance framework. Cyber insurance is a complement to (not substitute for) RBNZ-expected operational resilience. Aggregate limits often very high ($25M-$250M+ for larger banks), often using global insurance towers with multiple insurers in layers.
Licensed insurers
Cyber is double-edged for licensed insurers — they need their own cyber cover for own-operations exposure, AND they may be writing cyber risk on customers' policies. The two are typically managed separately (own-cyber-cover via a third-party insurer; cyber-risk-they-write via reinsurance treaties). Cyber-insurance-buying for an insurer's own operations follows similar logic to any other financial firm.
Practical pre-renewal checklist for licensed financial firms
- Map your regulator exposure. List which regulators you report to, what cyber-related notifications you'd need to file, and the timeframes each expects.
- Quantify your data-and-transaction exposure. Number of customer records, sensitivity of data, volume of outbound transfers, dependency on third-party platforms.
- Score your control posture against the NCSC / CERT NZ Critical Controls and any sector-specific guidance, and against the NZISM if you are Government-contracted. Insurers increasingly ask for evidence of specific controls (MFA, backups, patching cadence) at proposal stage, so the score feeds both the gap analysis and the quote.
- Match your aggregate limit and sub-limit structure to that profile. The headline aggregate limit is the easy number; the sub-limits within the policy are where coverage either responds or fails.
- Ensure cyber-crime cover is sized for your transfer volume. The standard sub-limit is rarely enough for any firm with material outbound payments.
- Confirm regulatory-defence coverage scope. Check that the Privacy Commissioner and whichever of FMA and RBNZ supervises you are within the policy's defence-cover scope. Your dispute-resolution scheme (FSCL or IFSO) is not a regulator, but customer complaints after an incident will be heard there, so check whether the wording treats scheme proceedings as a covered claim.
- Review the wording's notification clauses. Many cyber policies have strict conditions on notifying the insurer (timeframes, who must be told, and whether you may engage your own vendors before the insurer approves). Getting them wrong can prejudice or void coverage, so build the insurer notification step, with the hotline number and the panel-vendor rule, into your incident-response plan alongside the regulator notifications.
Primary sources cited in this guide
- Financial Markets Authority (fma.govt.nz)
- RBNZ — Cyber Resilience Guidance (rbnz.govt.nz)
- Privacy Act 2020 (legislation.govt.nz)
- NCSC / CERT NZ — Critical Controls (ncsc.govt.nz)
- Companion guide: Privacy Act 2020 — section 117 breach notification mechanics
Disclaimer: This article is general information about regulator expectations and cyber-insurance mechanics, not personalised regulatory, legal, or insurance advice. Each firm's obligations depend on its licence, activities, and customer base. Always confirm with your regulator and legal counsel. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.
Cyber insurance for licensed NZ financial firms
We work with NZ FAPs, fund managers, and other licensed financial firms to match cyber cover to actual regulator exposure. Free, no obligation.
Get a quote →