All licensed financial services firms should treat the risk of a cyberattack as real, and plan accordingly.
That is the call to action of the Financial Markets Authority (FMA) following its thematic review of cyber-resilience in New Zealand financial services. The report found that the majority of participants (56%) were aware of the high and increasing level of cyber-risk globally and 89% believe it will increase in the future. However, the level of “high / very high” risk ratings drops to 36% for New Zealand financial services and drops further to 25% when participants considered just their own firm.
Now, FMA has provided guidance for firms on areas where it has identified a need for improvement. The regulator said these recommendations will be useful for regulated sectors, to help ensure they comply with expectations and best practice.
Key recommendations for market participants include using a recognised cybersecurity framework to assist with planning, prioritising and managing their cyber-resilience. It suggests the services provided by CERT NZ, New Zealand’s National Cyber Security Centre (NCSC), the National Institute of Standards and Technology (NIST) and the Institute of Directors (IoD).
The regulator noted financial services firms should also include an assessment of cyber-risk – both for their own firm and on a broader global level – as part of their wider risk-assessment and risk-management programme.
“Cyber-risk encompasses all risk of loss, disruption, or damage to a firm caused by failure in its information technology systems – from both internal and external threats,” FMA said. “The interconnectedness of the financial sector means any part of it might be an entry point for a wider cyber incident.
“[W]e want to ensure financial service providers and consumers are aware of and prepared for cyber-risks, and that providers have proportionate controls to mitigate risks and ensure cyber resilience,” it added.
The survey was derived from the responses of 100 participants including authorised financial advisers, crowdfunding platforms, derivatives issuers, discretionary investment management services, independent trustees (corporate), managed investment scheme managers, peer-to-peer lending, qualifying financial entities and supervisors. FMA noted banks and insurers were included to the extent they hold licences in these sectors.