FMA urges financial sector to prioritise cybersecurity

The Financial Markets Authority (FMA) has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems and meet any relevant licence obligations.

According to the information sheet, financial services firms are a popular target for cyber criminals, with the sector recording the highest number of reported incidents across all industries in New Zealand for the first quarter of 2022.

The FMA said there are apparent shortcomings in the cyber resilience and operational systems among entities it licenses, including underinvestment in technology and the use of unsupported or legacy systems.

The regulator reminded the financial industry of two obligations that are part of its licencing regime.

1. “to have, at all times, adequate and effective systems, policies, processes and controls that are likely to ensure you will meet your market services licensee obligations in an effective manner.”
2. “IT systems used to deliver the licensed market service must be secure and reliable. Your arrangements ensure they perform efficiently and the associated risks are managed.”

Aside from these, financial advice providers have specific obligations for business continuity and technology systems.

In 2019, the FMA published a thematic review of cyber resilience in FMA-regulated entities, which highlighted the regulator’s expectations around cyber and operational resilience. The regulator said that it expects all market participants to have basic response and recovery plans in place, relevant to their regulated service and appropriate for their individual circumstances.