FMA consults to address FSIs’ tech & cyber resilience shortcomings


New Zealand’s chief financial industry regulator, the Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko, has called for industry feedback on the proposed introduction of new minimum standards that would address identified shortcomings in the operational resilience and cybersecurity capability of financial market licensees.

“Operationally resilient businesses are important for the integrity and availability of New Zealand’s financial markets,” the regulator wrote.

“The FMA wants to ensure that market service providers are prepared to respond to business continuity and cyber risks when they emerge. As well as supporting well-functioning financial markets, this helps consumers to have confidence that their information and investments are being properly looked after.”

The proposed new ‘standard condition’ for licensees – a diverse group of businesses that includes registered investment scheme providers and derivatives issuers, as well as peer-to-peer lending and crowdfunding service providers that operate in New Zealand – would mandate the creation and regular updating of business continuity plans “appropriate to the scale and scope of its service”.

This, the FMA said, would not only ensure licensees’ critical technology systems are operationally resilient, but would also better enable entities to prepare for, respond to, and recover from a disruption event.

One of the key proposed changes is to mandate the reporting of incidents (notably, cyber breaches) to the FMA “that materially affect the supply of its service… as soon as possible, and no later than 72 hours after the event”.

“The 72-hour period reflects the reliance on technology by the relevant licence holders and the likelihood of harm to consumers and investors when disruptions occur. It also reflects the significance of technology in maintaining sound and efficient financial markets,” the FMA wrote.

This shortened reporting period, the regulator notes, is also shorter than the 10-working-day notification requirement that applies to financial advice providers. This, it said, is due to the likely harm to consumers and investors resulting from disruptions to licensee operations.

The proposed changes by the regulator come in response to identified shortcomings in the cyber resilience and operational systems among licensees, “including underinvestment in technology and the use of unsupported or legacy systems”, the FMA said.

A key question for stakeholders is the timeline for implementing the standard condition – whether it should come into effect three months after the date a decision is published or sooner.

Another seeks to determine whether the introduction of the proposed standard condition would add compliance costs to businesses.

The financial services (including insurance) sector accounts for the vast majority of cyber events reported to CERT NZ, the country’s cyber incident reporting agency, representing more than one in four (26.1 per cent) breach reports.

According to a co-authored survey report by security vendor Splunk and IT analyst Enterprise Strategy Group, the majority of Australian or New Zealand organisations take around 14 hours to recover from unplanned downtime tied to a cybersecurity incident. Respondents estimated that the cost of such a downtime averages around $200,000 per hour.

Submissions for the consultation close on 1 September.